Category Archives: IdentityServer

New in IdentityServer4 v4: Multiple signing Keys

So far IdentityServer4 only supported a single signing key at a time. There are historic reasons for that. When we started with .NET Core, the only x-plat algorithm that really worked (without #ifdef hell) was RSA with SHA-256 (RS256) so … Continue reading

Posted in IdentityServer, Uncategorized | 3 Comments

OAuth 2.0: The long Road to Proof-of-Possession Access Tokens

I did a lot of WS-Security in my (distant) past – and whenever we started looking into migrating to OAuth 2.0, there was this one thing on the security check-list that was missing in the OAuth world: proof of possession … Continue reading

Posted in IdentityServer, OAuth | 1 Comment

IdentityServer3 and upcoming SameSite Cookie changes in Browsers

You have probably heard that starting with Chrome 80 in February, the behavior of cookies will change. This is a breaking change and effects every single web application on the internet. Microsoft has patched their supported platforms (ASP.NET, Katana 4 … Continue reading

Posted in IdentityServer, Uncategorized | 9 Comments

Use explicit typing for your JWTs

JWTs are being used in many places these days – identity tokens, access tokens, security events, logout tokens… You actually have to be careful when validating a JWT that you don’t mistakenly confuse it with a JWT that was issued … Continue reading

Posted in IdentityServer, OAuth | 2 Comments

Two is the magic Number

..and not 3. To build authentication systems for modern applications, all you need to understand are two OpenID Connect / OAuth 2.0 flow. That’s it. Client Credentials Flow This is probably the simplest flow and it is designed for server … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | Leave a comment

IdentityServer for ASP.NET Core 3

In short: is released (along with the introspection and access control validation handler). As part of the longer version, you might ask yourself how we can do that before ASP.NET Core 3 itself is released. Well – it’s a slightly complicated … Continue reading

Posted in ASP.NET Core, IdentityServer, Uncategorized | 4 Comments

End of IdentityServer3 free Support

Back in 2017 we announced the end of IdentityServer3 maintenance. This excluded security bug fixes. As of the 1st of July 2019 Microsoft officially ended support for Katana 3. This means that the platform we originally built-against is now unsupported … Continue reading

Posted in IdentityServer, Katana, Uncategorized | 1 Comment

IdentityServer4 Roadmap

We didn’t have a lot of time recently to work on IdentityServer4 – and yes, I know there are a lot of open “backlog” issues right now. But fortunately everything is pretty stable and from the open issues, nothing seems … Continue reading

Posted in IdentityServer, Uncategorized | Leave a comment

Try Device Flow with IdentityServer4

The biggest new feature in IdentityServer4 v2.3 is support for the beta Device Flow specification. Device Flow is a flavour of OAuth 2.0 optimised for browserless and/or input-constrained devices. Things like TVs, gaming consoles, printers, cash registers, audio appliances etc. … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth | Leave a comment

What happened in 2018?

2018 has been really busy. We worked on a lot of different things, and I just realized that I only wrote eight blog posts in total. I decided to block December to catch up on many work and non-work related … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityModel, IdentityServer, PolicyServer, Uncategorized | Leave a comment