Category Archives: OAuth

Use explicit typing for your JWTs

JWTs are being used in many places these days – identity tokens, access tokens, security events, logout tokens… You actually have to be careful when validating a JWT that you don’t mistakenly confuse it with a JWT that was issued …

Posted in IdentityServer, OAuth

Two is the magic Number

..and not 3. To build authentication systems for modern applications, all you need to understand are two OpenID Connect / OAuth 2.0 flows. That’s it. Client Credentials Flow: This is probably the simplest flow and it is designed for server …

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect

Another Take on Access Token Management in ASP.NET Core (…and announcing IdentityModel.AspNetCore)

I spent a lot of time on the client side recently – as part of our PolicyServer client libraries work, customer work, our updated guidance for our workshops as well as the various talks Brock and I gave on building …

Posted in ASP.NET Core, IdentityModel, OAuth, OpenID Connect, Uncategorized

Try Device Flow with IdentityServer4

The biggest new feature in IdentityServer4 v2.3 is support for the beta Device Flow specification. Device Flow is a flavour of OAuth 2.0 optimised for browserless and/or input-constrained devices. Things like TVs, gaming consoles, printers, cash registers, audio appliances etc. …

Posted in ASP.NET Core, IdentityServer, OAuth

An alternative way to secure SPAs (with ASP.NET Core, OpenID Connect, OAuth 2.0 and ProxyKit)

You might have noticed the recent public discussions around how to securely build SPAs – and especially about the “weak security properties” of the OAuth 2.0 Implicit Flow. Brock has written up a good summary here. The whole implicit vs …

Posted in ASP.NET Core, OAuth, OpenID Connect, WebAPI | 12 Comments

Sponsoring IdentityServer

Brock and I have been working on free identity & access control related libraries since 2009. This all started as a hobby project, and I can very well remember the day when I said to Brock that we can only …

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 1 Comment

Updated Templates for IdentityServer4

We finally found the time to put more work into our templates. dotnet new is4empty: Creates a minimal IdentityServer4 project without a UI. dotnet new is4ui: Adds the quickstart UI to the current project (can be e.g. added on top …

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect, WebAPI | 8 Comments