Category Archives: IdentityServer

Platforms where you can run IdentityServer4

There is some confusion about where, and on which platform/OS, you can run IdentityServer4 – or more generally speaking: ASP.NET Core. IdentityServer4 is ASP.NET Core middleware – and ASP.NET Core (despite its name) runs on the full .NET Framework 4.5.x … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OpenID Connect, WebAPI | 37 Comments

Trying IdentityServer4

We have a number of options for how you can experiment or get started with IdentityServer4. Starting point: It all starts at https://identityserver.io – from here you can find all the links below as well as our next workshop dates, consulting, production … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 3 Comments

Identity vs Permissions

We often see people misusing IdentityServer as an authorization/permission management system. This is troublesome – here’s why. IdentityServer (hence the name) is really good at providing a stable identity for your users across all applications in your system. And with … Continue reading

Posted in .NET Security, IdentityServer, OAuth, OpenID Connect, WebAPI | 53 Comments

Optimizing Identity Tokens for size

Generally speaking, you want to keep your (identity) tokens small. They often need to be transferred via length-constrained transport mechanisms – especially the browser URL which might have limitations (e.g. 2 KB in IE). You also need to somehow store the … Continue reading

Posted in .NET Security, IdentityServer, OpenID Connect, WebAPI | 5 Comments

New in IdentityServer4: Multiple allowed Grant Types

In OAuth 2 some grant type combinations are insecure; that’s why we decided for IdentityServer3 that we’ll be defensive and allow only a single grant type per client. During the last two years of implementing OAuth 2, it turned out … Continue reading

Posted in ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 2 Comments

IdentityServer4 RC2 released

Yesterday we pushed IdentityServer4 RC2 to NuGet. There are no big new features this time, but a lot of cleaning up, bug fixing and adding more tests. We might add one or two more bigger things before RTM – but … Continue reading

Posted in .NET Security, ASP.NET, IdentityModel, IdentityServer, OAuth, OpenID Connect, WebAPI | 2 Comments

New in IdentityServer4: Resource Owner Password Validation

Not completely new, but re-designed. In IdentityServer3, we used the user service for both interactive and non-interactive authentication. In IdentityServer4, the interactive authentication is done by the UI. OAuth 2 resource owner password validation is disabled by default … Continue reading

Posted in ASP.NET, IdentityServer, OAuth, WebAPI | 5 Comments

New in IdentityServer4: Support for Extension Grants

Well – this is not completely new, but we redesigned it a bit. Extension grants are used to add support for non-standard token issuance scenarios to the token endpoint, e.g. translating between token types, delegation, federation, custom input or output … Continue reading

Posted in ASP.NET, IdentityServer, OAuth, WebAPI | Leave a comment

New in IdentityServer4: Default Scopes

Another small thing people have been asking for. The scope parameter is optional in OAuth 2 – but we made the decision that clients always have to explicitly ask for the scopes they want to access. We relaxed this requirement … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 5 Comments

Identity & Access Control for ASP.NET Core Deep Dive

Once a year Brock and I do our three-day version of the Identity & Access Control workshop in London. This year it will be all about .NET Core and ASP.NET Core – and a full day on the new IdentityModel2 & … Continue reading

Posted in .NET Security, ASP.NET, IdentityModel, IdentityServer, OAuth, OpenID Connect, WebAPI | 3 Comments