Category Archives: IdentityServer

Extending IdentityServer4 with WS-Federation Support

When we designed IdentityServer4, we wanted to make it easier to extend the core token service with custom protocol endpoints. So one thing that comes up every now and then is using IdentityServer4 as an identity provider for SharePoint and … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer | 2 Comments

NDC London 2017

As always – NDC was a very good conference. Brock and I did a workshop, two talks and an interview. Here are the relevant links: Building JavaScript and mobile/native Clients for Token-based Architectures IdentityServer4: New & Improved for ASP.NET Core … Continue reading

Posted in .NET Security, ASP.NET, IdentityModel, IdentityServer, OAuth, OpenID Connect, WebAPI | 3 Comments

Platforms where you can run IdentityServer4

There is some confusion about where, and on which platform/OS you can run IdentityServer4 – or more generally speaking: ASP.NET Core. IdentityServer4 is ASP.NET Core middleware – and ASP.NET Core (despite its name) runs on the full .NET Framework 4.5.x … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OpenID Connect, WebAPI | 4 Comments

Trying IdentityServer4

We have a number of options how you can experiment or get started with IdentityServer4. Starting point It all starts at https://identityserver.io – from here you can find all below links as well as our next workshop dates, consulting, production … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 3 Comments

Identity vs Permissions

We often see people misusing IdentityServer as an authorization/permission management system. This is troublesome – here’s why. IdentityServer (hence the name) is really good at providing a stable identity for your users across all applications in your system. And with … Continue reading

Posted in .NET Security, IdentityServer, OAuth, OpenID Connect, WebAPI | 23 Comments

Optimizing Identity Tokens for size

Generally speaking, you want to keep your (identity) tokens small. They often need to be transferred via length constrained transport mechanisms – especially the browser URL which might have limitations (e.g. 2 KB in IE). You also need to somehow store the … Continue reading

Posted in .NET Security, IdentityServer, OpenID Connect, WebAPI | Leave a comment

New in IdentityServer4: Multiple allowed Grant Types

In OAuth 2 some grant type combinations are insecure, that’s why we decided for IdentityServer3 that we’ll be defensive and allow only a single grant type per client. During the last two years of implementing OAuth 2, it turned out … Continue reading

Posted in ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | Leave a comment