Category Archives: IdentityServer

Security Advisory for IdentityServer3

One of our users reported an XSS vulnerability in one of our views, which can be potentially used for information disclosure. We confirmed this bug and fixed it. Here’s the official CVE entry. We encourage you to upgrade if possible. … Continue reading

Posted in IdentityServer, Uncategorized | Leave a comment

Authorization is hard! Slides and Video from NDC Oslo 2017

A while ago I wrote a controversial article about the problems that can arise when mixing authentication and authorization systems – especially when using identity/access tokens to transmit authorization data – you can read it here. In the meanwhile Brock … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, WebAPI | 14 Comments

Techorama 2017

Again Techorama was an awesome conference – kudos to the organizers! Seth and Channel9 recorded my talk and also did an interview – so if you couldn’t be there in person, there are some updates about IdentityServer4 and identity in general.

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, WebAPI | 2 Comments

Financial APIs and IdentityServer

Right now there is quite some movement in the financial sector towards APIs and “collaboration” scenarios. The OpenID Foundation started a dedicated working group on securing Financial APIs (FAPIs) and the upcoming Revised Payment Service EU Directive (PSD2 – official … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | Leave a comment

IdentityServer & Heidelberg on Channel9

Seth and the Channel9 crew visited me in my office in Heidelberg to learn about IdentityServer and German culture. We had a nice day in Heidelberg involving identity, a whiteboard, code, beers & bratwurst ;) enjoy. Part 1 (interview and … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, Uncategorized | Leave a comment

dotnet new Templates for IdentityServer4

The dotnet CLI includes a templating engine that makes it pretty straightforward to create your own project templates (see this blog post for a good intro). This new repo is the home for all IdentityServer4 templates to come – right … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, WebAPI | Leave a comment

New in IdentityServer4: Events

Well – not really new – but redesigned. IdentityServer4 has two diagnostics facilities – logging and events. While logging is more like low level “printf” style – events represent higher level information about certain logical operations in IdentityServer (think Windows security … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 3 Comments