Category Archives: IdentityServer

Refresh Tokens in IdentityServer4 v4

I already wrote about the hardening of refresh tokens in this post. I would recommend reading this first. The upcoming OAuth 2.1 spec is pretty clear about refresh token handling: If the client is confidential, the refresh token must be … Continue reading

Posted in IdentityServer, OAuth | Leave a comment

Announcing IdentityServer4 v4.0

OK – it’s finally done. I published v4 to Nuget earlier today. You can find the complete set of changes/bug fixes/breaking changes here. We had to cut some features which were originally on our roadmap – we’ll revisit them for … Continue reading

Posted in IdentityServer | 2 Comments

Resource Access in IdentityServer4 v4 and going forward

In my last post I alluded to the tension between real-world token-based security architectures, the OAuth 2.0 scope model, JWT access tokens and the audience claim. We went through a couple of iterations in IdentityServer how we deal with those … Continue reading

Posted in IdentityServer, OAuth | 4 Comments

The JWT Profile for OAuth 2.0 Access Tokens (and IdentityServer)

As part of creating our new Advanced OAuth training, I created a whole lecture on the evolution of access tokens and resource access. It’s fascinating – since the original OAuth 2.0 spec does not have any information about the token … Continue reading

Posted in IdentityServer, OAuth, OpenID Connect | Leave a comment

Automatic Token Management for ASP.NET Core and Worker Services 1.0

After a pretty long preview period, I am happy to announce that IdentityModel.AspNetCore 1.0 is now on Nuget. This library solves a problem that we have with every single OIDC/OAuth client we are creating: token management. Requesting and using a … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 1 Comment

Mutual TLS and Proof-of-Possession Tokens: Summary

This is the last part of my PoP and Mutual TLS post series. Part 1 covered some history and motivation, and part 2 looked at various server setups. Part 3 was supposed to be a walk-through guide on how to … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 4 Comments

Mutual TLS and Proof-of-Possession Access Tokens – Part 1: Setup

2020 is the year where I want proof-of-possession tokens to become reality. Mutual TLS seems to be the only feasible way to do that today. So here’s another post about it…. This is a two-part post. In this post we … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 5 Comments

Hardening OpenID Connect/OAuth Authorize Requests (and Responses)

One of the biggest strengths of OIDC and OAuth is the usage of the browser front-channel. The browser can show a UI and follow redirects, this makes it very powerful and flexible. Guess what – the biggest weakness of OIDC … Continue reading

Posted in IdentityServer, OAuth, OpenID Connect | Leave a comment

Hardening Refresh Tokens

Refresh tokens provide a UX friendly way to give a client long-lived access to resources without having to involve the user after the initial authentication & token request. This makes them also a high-value target for attackers, because they typically … Continue reading

Posted in IdentityServer, OAuth, Uncategorized | Leave a comment

2020: IdentityServer4 Roadmap

It’s the time of the year – we are working on IdentityServer and lock down the features we want to implement for the next version(s). Initially we planned to make our 3.0 release the big one – but then .NET … Continue reading

Posted in IdentityServer, Uncategorized | 2 Comments