Category Archives: OpenID Connect

I don’t like Identity Tokens

…or rather the name ;) I bet that if you wake up most “identity professionals” in the middle of the night and ask them what an identity token is, the answer would be “a token about the identity of the … Continue reading

Posted in OpenID Connect | Leave a comment

The JWT Profile for OAuth 2.0 Access Tokens (and IdentityServer)

As part of creating our new Advanced OAuth training, I created a whole lecture on the evolution of access tokens and resource access. It’s fascinating – since the original OAuth 2.0 spec does not have any information about the token … Continue reading

Posted in IdentityServer, OAuth, OpenID Connect | Leave a comment

Updates on our Workshops

I am pleased to announce that we are now offering two workshops. I was mentioning that on Twitter already, and got a lot of questions. So I thought it would make sense to summarise them all in one place. You … Continue reading

Posted in OAuth, OpenID Connect | Leave a comment

Automatic Token Management for ASP.NET Core and Worker Services 1.0

After a pretty long preview period, I am happy to announce that IdentityModel.AspNetCore 1.0 is now on Nuget. This library solves a problem that we have with every single OIDC/OAuth client we are creating: token management. Requesting and using a … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 1 Comment

Major Update to IdentityModel.OidcClient

I just pushed Preview 3 of the 4.0 version of IdentityModel.OidcClient – this includes some major updates (that you might or might not have asked for): Removal of OpenID Connect Hybrid Flow. The codebase does Authorization Code Flow + PKCE … Continue reading

Posted in IdentityModel, OAuth, OpenID Connect | 2 Comments

SPAs are dead!?

clickbait isn’t it? But this was Brock’s immediate reaction when we saw (and I recommend you read this first): Full Third-Party Cookie Blocking and More What this basically means is, that browser are getting more and more strict with how … Continue reading

Posted in OAuth, OpenID Connect | 21 Comments

Mutual TLS and Proof-of-Possession Tokens: Summary

This is the last part of my PoP and Mutual TLS post series. Part 1 covered some history and motivation, and part 2 looked at various server setups. Part 3 was supposed to be a walk-through guide on how to … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 4 Comments

Mutual TLS and Proof-of-Possession Access Tokens – Part 1: Setup

2020 is the year where I want proof-of-possession tokens to become reality. Mutual TLS seems to be the only feasible way to do that today. So here’s another post about it…. This is a two-part post. In this post we … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 5 Comments

Hardening OpenID Connect/OAuth Authorize Requests (and Responses)

One of the biggest strengths of OIDC and OAuth is the usage of the browser front-channel. The browser can show a UI and follow redirects, this makes it very powerful and flexible. Guess what – the biggest weakness of OIDC … Continue reading

Posted in IdentityServer, OAuth, OpenID Connect | Leave a comment

Two is the magic Number

..and not 3. To build authentication systems for modern applications, all you need to understand are two OpenID Connect / OAuth 2.0 flow. That’s it. Client Credentials Flow This is probably the simplest flow and it is designed for server … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | Leave a comment