Category Archives: ASP.NET Core

Try Device Flow with IdentityServer4

The biggest new feature in IdentityServer4 v2.3 is support for the beta Device Flow specification. Device Flow is a flavour of OAuth 2.0 optimised for browserless and/or input-constrained devices. Things like TVs, gaming consoles, printers, cash registers, audio appliances etc. … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth | Leave a comment

An alternative way to secure SPAs (with ASP.NET Core, OpenID Connect, OAuth 2.0 and ProxyKit)

You might have noticed the recent public discussions around how to securely build SPAs – and especially about the “weak security properties” of the OAuth 2.0 Implicit Flow. Brock has written up a good summary here. The whole implicit vs … Continue reading

Posted in ASP.NET Core, OAuth, OpenID Connect, WebAPI | 2 Comments

Automatic OAuth 2.0 Token Management in ASP.NET Core

As part of the recent discussions around how to build clients for OpenID Connect and OAuth 2.0 based systems (see e.g. Brock’s post here), we substantially updated our workshop and supporting libraries. The updated material (both workshop and break-out sessions) will … Continue reading

Posted in ASP.NET Core, Uncategorized | 8 Comments

What happened in 2018?

2018 has been really busy. We worked on a lot of different things, and I just realized that I only wrote eight blog posts in total. I decided to block December to catch up on many work and non-work related … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityModel, IdentityServer, PolicyServer, Uncategorized | Leave a comment

Making the IdentityModel Client Libraries HttpClientFactory friendly

IdentityModel has a number of protocol client libraries, e.g. for requesting, refreshing, revoking and introspecting OAuth 2 tokens as well as a client and cache for the OpenID Connect discovery endpoint. While they work fine, the style around libraries that … Continue reading

Posted in ASP.NET Core, IdentityModel, Uncategorized, WebAPI | 4 Comments

Mixing UI and API Endpoints in ASP.NET Core 2.1 (aka Dynamic Scheme Selection)

Some people like to co-locate UI and API endpoints in the same application. I generally prefer to keep them separate, but I acknowledge that certain architecture styles make this conscious decision. Server-side UIs typically use cookies for authentication (or a … Continue reading

Posted in ASP.NET Core, OpenID Connect, Uncategorized, WebAPI | 14 Comments

Improvements in Claim Mapping in the ASP.NET Core 2.1 OpenID Connect Handler

Here I described the various layers of claim mappings going on when doing OpenID Connect with ASP.NET Core. Based on our feedback, the ASP.NET team added another mapping option to reduce the amount of “magic” going on, and thus makes … Continue reading

Posted in ASP.NET Core, OpenID Connect, Uncategorized | 2 Comments