Category Archives: .NET Security

New in IdentityServer4: Resource-based Configuration

For RC4 we decided to re-design our configuration object model for resources (formerly known as scopes). I know, I know – we are not supposed to make fundamental breaking changes once reaching the RC status – but hey – we … Continue reading

Posted in .NET Security, ASP.NET, OAuth, Uncategorized, WebAPI | 15 Comments

IdentityServer4 RC2 released

Yesterday we pushed IdentityServer4 RC2 to nuget. There are no big new features this time, but a lot of cleaning up, bug fixing and adding more tests. We might add one or two more bigger things before RTM – but … Continue reading

Posted in .NET Security, ASP.NET, IdentityModel, IdentityServer, OAuth, OpenID Connect, WebAPI | Leave a comment

IdentityModel v2 released

IdentityModel is our protocol client library for various OpenID Connect and OAuth 2 endpoints like discovery, userinfo, token, introspection and token revocation. In addition it has some general purpose helpers like generating random numbers, base64 URL encoding, time-constant string comparison … Continue reading

Posted in .NET Security, IdentityModel, OAuth, OpenID Connect, WebAPI | Leave a comment

New in IdentityServer4: Default Scopes

Another small thing people have been asking for. The scope parameter is optional in OAuth 2 – but we made the decision that clients always have to explicitly ask for the scopes they want to access. We relaxed this requirement … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 1 Comment

Identity & Access Control for ASP.NET Core Deep Dive

Once a year Brock and I do our three day version of the Identity & Access Control workshop in London. This year it will be all about .NET Core and ASP.NET Core – and a full day on the new IdentityModel2 & … Continue reading

Posted in .NET Security, ASP.NET, IdentityModel, IdentityServer, OAuth, OpenID Connect, WebAPI | 3 Comments

IdentityServer4 RC1

Wow – we’re done! Brock and I spent the last two weeks 14h/day refactoring, polishing, testing and refining IdentityServer for ASP.NET Core…and I must say it’s the best STS we’ve written so far… We kept the same approach as before, … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 19 Comments

Why does my Authorize Attribute not work?

Sad title, isn’t it? The alternative would have been “The complicated relationship between claim types, ClaimsPrincipal, the JWT security token handler and the Authorize attribute role checks” – but that wasn’t very catchy. But the reality is, that many people are struggling … Continue reading

Posted in .NET Security, OAuth, OpenID Connect, WebAPI | 8 Comments