Category Archives: .NET Security

Identity Videos, Podcasts and Slides from Conference Season 2016/1

My plan was to cut down on conferences and travelling in general – this didn’t work out ;) I did more conferences in the first 6 months of 2016 than I did in total last year. weird. Here are some … Continue reading

Posted in .NET Security, ASP.NET, Conferences & Training, IdentityModel, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | Leave a comment

NDC London 2016 Wrap-up

NDC has been fantastic again! Good fun, good talks and good company! Brock and I did the usual 2-day version of our Identity & Access Control workshop at the pre-con. This was (probably) the last time we ran the 2-day … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 9 Comments

Which OpenID Connect/OAuth 2.0 Flow is the right One?

That is probably the most common question we get – and the answer is of course: it depends! Machine to Machine Communication This one is easy – since there is no human directly involved, client credentials are used to request … Continue reading

Posted in .NET Security, IdentityServer, OAuth, OpenID Connect, WebAPI | 19 Comments

Reference Tokens and Introspection

Access tokens can come in two shapes: self-contained and reference. Self-contained tokens are using a protected, time-limited data structure that contains metadata and claims to communicate the identity of the user or client over the wire. A popular format would … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OWIN, Uncategorized, WebAPI | 19 Comments

IdentityServer3 v2.2

Yesterday we published v2.2 to nuget and github. You can see the release notes here. Besides a couple of bug fixes and refinements – the big features are support for the introspection specification (rfc 7662) and the OpenID Connect HTTP-based … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OpenID Connect, OWIN, Uncategorized, WebAPI | 5 Comments

IdentityServer3 Logging & Monitoring using Serilog and Seq

IdentityServer has two fundamental “monitoring” facilities : development-time logging and production-time eventing. The original docs are here. Logging is for developers – in fact – when I start a new IdentityServer3 project, that’s the first thing I configure. For security reasons (and … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, OWIN, WebAPI | 5 Comments

The State of Security in ASP.NET 5 and MVC 6: Authorization

The hardest part in designing an application is authorization. The requirements are always so app-specific that for 10 applications you often see 12 different implementations. To make things worse, ASP.NET and MVC traditionally had not much more built-in to offer than … Continue reading

Posted in .NET Security, ASP.NET, WebAPI | 35 Comments