Category Archives: Uncategorized

Security Advisory for IdentityServer3

One of our users reported an XSS vulnerability in one of our views, which can be potentially used for information disclosure. We confirmed this bug and fixed it. Here’s the official CVE entry. We encourage you to upgrade if possible. … Continue reading

Posted in IdentityServer, Uncategorized | Leave a comment

Financial APIs and IdentityServer

Right now there is quite some movement in the financial sector towards APIs and “collaboration” scenarios. The OpenID Foundation started a dedicated working group on securing Financial APIs (FAPIs) and the upcoming Revised Payment Service EU Directive (PSD2 – official … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | Leave a comment

IdentityServer & Heidelberg on Channel9

Seth and the Channel9 crew visited me in my office in Heidelberg to learn about IdentityServer and German culture. We had a nice day in Heidelberg involving identity, a whiteboard, code, beers & bratwurst ;) enjoy. Part 1 (interview and … Continue reading

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, Uncategorized | Leave a comment

New in IdentityServer4: Events

Well – not really new – but redesigned. IdentityServer4 has two diagnostics facilities – logging and events. While logging is more like low level “printf” style – events represent higher level information about certain logical operations in IdentityServer (think Windows security … Continue reading

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 3 Comments

OpenID Connect Client Library for JavaScript/SPA-style Applications

In addition to our native library – Brock successfully certified his JavaScript library with the OpenID Foundation. oidc-client-js is by far the most easy and elegant way I have seen so far for integrating OpenID Connect and OAuth 2 client … Continue reading

Posted in IdentityModel, OAuth, OpenID Connect, Uncategorized | 5 Comments

New in IdentityServer4: Resource-based Configuration

For RC4 we decided to re-design our configuration object model for resources (formerly known as scopes). I know, I know – we are not supposed to make fundamental breaking changes once reaching the RC status – but hey – we … Continue reading

Posted in .NET Security, ASP.NET, OAuth, Uncategorized, WebAPI | 41 Comments

Trying IdentityServer

We have a demo instance of IdentityServer3 on I already used this for various samples (e.g. the OpenID Connect native clients) – and it makes it easy to try IdentityServer with your clients without having to deploy and configure … Continue reading

Posted in ASP.NET, IdentityServer, OpenID Connect, OWIN, Uncategorized, WebAPI | 2 Comments