Category Archives: .NET Security

Identity vs Permissions

We often see people misusing IdentityServer as an authorization/permission management system. This is troublesome – here’s why. IdentityServer (hence the name) is really good at providing a stable identity for your users across all applications in your system. And with … Continue reading

Posted in .NET Security, IdentityServer, OAuth, OpenID Connect, WebAPI | 53 Comments

Optimizing Identity Tokens for size

Generally speaking, you want to keep your (identity) tokens small. They often need to be transferred via length-constrained transport mechanisms – especially the browser URL which might have limitations (e.g. 2 KB in IE). You also need to somehow store the … Continue reading

Posted in .NET Security, IdentityServer, OpenID Connect, WebAPI | 5 Comments

New in IdentityServer4: Resource-based Configuration

For RC4 we decided to re-design our configuration object model for resources (formerly known as scopes). I know, I know – we are not supposed to make fundamental breaking changes once reaching the RC status – but hey – we … Continue reading

Posted in .NET Security, ASP.NET, OAuth, Uncategorized, WebAPI | 44 Comments

IdentityServer4 RC2 released

Yesterday we pushed IdentityServer4 RC2 to NuGet. There are no big new features this time, but a lot of cleaning up, bug fixing and adding more tests. We might add one or two more bigger things before RTM – but … Continue reading

Posted in .NET Security, ASP.NET, IdentityModel, IdentityServer, OAuth, OpenID Connect, WebAPI | 2 Comments

IdentityModel v2 released

IdentityModel is our protocol client library for various OpenID Connect and OAuth 2 endpoints like discovery, userinfo, token, introspection and token revocation. In addition it has some general-purpose helpers like generating random numbers, base64 URL encoding, time-constant string comparison … Continue reading

Posted in .NET Security, IdentityModel, OAuth, OpenID Connect, WebAPI | 1 Comment

New in IdentityServer4: Default Scopes

Another small thing people have been asking for. The scope parameter is optional in OAuth 2 – but we made the decision that clients always have to explicitly ask for the scopes they want to access. We relaxed this requirement … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 5 Comments

Identity & Access Control for ASP.NET Core Deep Dive

Once a year Brock and I do our three-day version of the Identity & Access Control workshop in London. This year it will be all about .NET Core and ASP.NET Core – and a full day on the new IdentityModel2 & … Continue reading

Posted in .NET Security, ASP.NET, IdentityModel, IdentityServer, OAuth, OpenID Connect, WebAPI | 3 Comments

IdentityServer4 RC1

Wow – we’re done! Brock and I spent the last two weeks 14h/day refactoring, polishing, testing and refining IdentityServer for ASP.NET Core…and I must say it’s the best STS we’ve written so far… We kept the same approach as before, … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 19 Comments

Why does my Authorize Attribute not work?

Sad title, isn’t it? The alternative would have been “The complicated relationship between claim types, ClaimsPrincipal, the JWT security token handler and the Authorize attribute role checks” – but that wasn’t very catchy. But the reality is that many people are struggling … Continue reading

Posted in .NET Security, OAuth, OpenID Connect, WebAPI | 11 Comments

Identity Videos, Podcasts and Slides from Conference Season 2016/1

My plan was to cut down on conferences and travelling in general – this didn’t work out ;) I did more conferences in the first 6 months of 2016 than I did in total last year. Weird. Here are some … Continue reading

Posted in .NET Security, ASP.NET, Conferences & Training, IdentityModel, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | Leave a comment