Author Archives: Dominick Baier

Major Update to IdentityModel.OidcClient

I just pushed Preview 3 of the 4.0 version of IdentityModel.OidcClient – this includes some major updates (that you might or might not have asked for): Removal of OpenID Connect Hybrid Flow. The codebase does Authorization Code Flow + PKCE … Continue reading

Posted in IdentityModel, OAuth, OpenID Connect | 2 Comments
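The excerpt above mentions that OidcClient now does Authorization Code Flow + PKCE only. As an added illustration (not code from IdentityModel.OidcClient or from the post), here is the PKCE mechanism from RFC 7636 in Python: the client's verifier/challenge derivation and the check a token endpoint performs when the code is redeemed. The `S256`-only policy and the function names are assumptions made for this example; the test vector is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636): client-side verifier/challenge generation and the
server-side check at the token endpoint. Example code, not OidcClient's."""
import base64
import hashlib
import hmac
import re
import secrets

# Unreserved characters allowed in a code_verifier (RFC 7636 section 4.1).
_VERIFIER_CHARS = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to 43 characters, the minimum allowed length."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_request_params(verifier: str) -> dict:
    """The PKCE parameters a client adds to the authorize request."""
    return {"code_challenge": code_challenge_s256(verifier),
            "code_challenge_method": "S256"}


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the verifier the client
    presents and compare it to the challenge stored with the authorization code.
    Assumption for this example: only S256 is accepted, so a client (or an attacker
    who injected a code) cannot downgrade to the 'plain' method."""
    if stored_method != "S256":
        return False
    if not _VERIFIER_CHARS.match(presented_verifier):
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = new_code_verifier()
    params = authorize_request_params(v)
    print("authorize params:", params)
    print("token endpoint accepts verifier:",
          verify_pkce(params["code_challenge"], params["code_challenge_method"], v))
```

The verifier never leaves the client until the token request, so an attacker who intercepts the authorization code on the front-channel cannot redeem it without also knowing the verifier. Rejecting `plain` matters because a server that accepts both methods lets the challenge method be chosen by whoever crafts the authorize request.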

SPAs are dead!?

Clickbait, isn’t it? But this was Brock’s immediate reaction when we saw (and I recommend you read this first): Full Third-Party Cookie Blocking and More. What this basically means is that browsers are getting more and more strict with how … Continue reading

Posted in OAuth, OpenID Connect | 27 Comments

Online Workshops in 2020

For obvious reasons, all in-person workshops have been cancelled for the time being. This is frustrating on one hand, but converting them to an online format will allow people to attend who otherwise wouldn’t make it. The other upside is, … Continue reading

Posted in Uncategorized | Leave a comment

Mutual TLS and Proof-of-Possession Tokens: Summary

This is the last part of my PoP and Mutual TLS post series. Part 1 covered some history and motivation, and part 2 looked at various server setups. Part 3 was supposed to be a walk-through guide on how to … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 4 Comments

Mutual TLS and Proof-of-Possession Access Tokens – Part 1: Setup

2020 is the year where I want proof-of-possession tokens to become reality. Mutual TLS seems to be the only feasible way to do that today. So here’s another post about it… This is a two-part post. In this post we … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 8 Comments

Hardening OpenID Connect/OAuth Authorize Requests (and Responses)

One of the biggest strengths of OIDC and OAuth is the usage of the browser front-channel. The browser can show a UI and follow redirects, which makes it very powerful and flexible. Guess what – the biggest weakness of OIDC … Continue reading

Posted in IdentityServer, OAuth, OpenID Connect | Leave a comment

Hardening Refresh Tokens

Refresh tokens provide a UX-friendly way to give a client long-lived access to resources without having to involve the user after the initial authentication & token request. This also makes them a high-value target for attackers, because they typically … Continue reading

Posted in IdentityServer, OAuth, Uncategorized | Leave a comment
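The excerpt explains why refresh tokens are attractive to an attacker: they are long-lived and bypass the user. One widely used hardening is rotation with reuse detection: every refresh retires the old token and issues a new one in the same "family", and presenting a retired token revokes the entire family, since the server cannot tell whether the legitimate client or a thief is holding the copy. The following Python store is an added example, not IdentityServer code, and the post's own recommendations are not visible in this excerpt; the in-memory store, the `family` grouping, the client binding and the injectable clock are assumptions made for the example.

```python
"""Refresh token rotation with reuse detection (in-memory toy store).
Example code, not IdentityServer's implementation."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class RefreshRecord:
    family: str        # all tokens descended from one initial grant
    subject: str
    client_id: str     # the token is bound to the client it was issued to
    expires_at: float
    consumed: bool = False   # True once this handle has been rotated out


class RefreshTokenStore:
    def __init__(self, lifetime_s: int = 3600, clock: Callable[[], float] = time.time):
        self._tokens: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()
        self._lifetime = lifetime_s
        self._clock = clock  # injectable so expiry can be tested deterministically

    def _mint(self, family: str, subject: str, client_id: str) -> str:
        handle = secrets.token_urlsafe(32)  # opaque reference token, 256 bits of entropy
        self._tokens[handle] = RefreshRecord(family, subject, client_id,
                                             self._clock() + self._lifetime)
        return handle

    def issue(self, subject: str, client_id: str) -> str:
        """Initial grant: start a new token family."""
        return self._mint(secrets.token_hex(8), subject, client_id)

    def refresh(self, handle: str, client_id: str) -> Optional[str]:
        """Redeem a refresh token. Returns the replacement token, or None on rejection."""
        rec = self._tokens.get(handle)
        if rec is None or rec.family in self._revoked_families:
            return None
        if rec.client_id != client_id:
            return None  # presented by a different client than it was issued to
        if rec.expires_at <= self._clock():
            return None
        if rec.consumed:
            # Reuse of a rotated-out token: treat as theft and kill the whole family,
            # so neither the attacker's nor the legitimate client's current token works.
            self.revoke_family(rec.family)
            return None
        rec.consumed = True
        return self._mint(rec.family, rec.subject, rec.client_id)

    def revoke_family(self, family: str) -> None:
        self._revoked_families.add(family)

    def family_revoked(self, handle: str) -> bool:
        rec = self._tokens.get(handle)
        return rec is not None and rec.family in self._revoked_families


if __name__ == "__main__":
    store = RefreshTokenStore(lifetime_s=3600)
    t1 = store.issue("alice", "spa")
    t2 = store.refresh(t1, "spa")          # normal rotation, t1 is now retired
    print("rotated:", t2 is not None)
    print("replaying t1:", store.refresh(t1, "spa"))   # None, and the family is revoked
    print("t2 still usable:", store.refresh(t2, "spa") is not None)  # False
```

The trade-off a practitioner has to decide on is the legitimate-reuse case: if the client's network drops after the server rotated the token but before the response arrived, the client will retry with the old handle and lock itself out. Some deployments add a short grace window for that; doing so widens the window an attacker has to replay, so it should be short and logged.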

2020: IdentityServer4 Roadmap

It’s that time of the year – we are working on IdentityServer and locking down the features we want to implement for the next version(s). Initially we planned to make our 3.0 release the big one – but then .NET … Continue reading

Posted in IdentityServer, Uncategorized | 2 Comments

New in IdentityServer4 v4: Multiple signing Keys

So far IdentityServer4 only supported a single signing key at a time. There are historic reasons for that. When we started with .NET Core, the only x-plat algorithm that really worked (without #ifdef hell) was RSA with SHA-256 (RS256) so … Continue reading

Posted in IdentityServer, Uncategorized | 3 Comments

OAuth 2.0: The long Road to Proof-of-Possession Access Tokens

I did a lot of WS-Security in my (distant) past – and whenever we started looking into migrating to OAuth 2.0, there was this one thing on the security check-list that was missing in the OAuth world: proof of possession … Continue reading

Posted in IdentityServer, OAuth | 1 Comment