NDC London 2018: IdentityServer Update

We are at NDC in London right now and are about to start our session “IdentityServer4 v2 on ASP.NET Core v2 – an Update”.

For those who can’t be here – you can find my slides on Speakerdeck. There will be also a video recording in a couple of weeks.

Here’s a quick summary.

New web site

Just in time before NDC we managed to release our new web site at https://identityserver.io. This also finally includes a selection of reference customers that we can publicly talk about.

The new ASP.NET Core v2 authentication system

This is the main part of our talk. For the last couple of year Microsoft had a hard time finding the right balance between flexibility and ease of use when it comes to authentication in ASP.NET. That’s why they had to re-write authentication from ASP.NET to Katana to ASP.NET Core v1 to ASP.NET Core v2.

It’s fair to say that that the current version is pretty good – still not exactly the way we like to have it – but it mostly gets the job done. This is also the starting point of our demo.

We gonna show how IdentityServer4 makes use of the new authentication handler system, the new authentication middleware and its DefaultXXX configuration. We show how to use a custom cookie handler instead of ours, how to add support for social logins like Google, how to add WS-Federation support (aka legacy ADFS support – because why else would you care about WS-Federation). We’ll show the brand new SAML authentication handler from Anders Abel and we’ll show how to utilize the new authentication system to add additional API endpoints to your IdentityServer host which are in turn protected by IdentityServer itself – inception!

Speaking of SAML2p – our partner Rock Solid Knowledge has a brand new plugin for IdentityServer4 v2 that adds SAML2p IdP capabilities and allows SSO over OpenID Connect, SAML and WS-Federation.

Logout is hard!

In the information age, data is the new pollution. And it is much harder to get rid of data than to accumulate it. That’s why OpenID Connect has three specs for logout. We always had support for JavaScript-based session management and front-channel notifications. We also added support for back-channel notifications which are generally speaking more reliable then the good old browser iframe “trick” (aka hack). We have a sample for that here.

Admin UI Community Edition

Rock Solid Knowledge created a community edition of their AdminUI product. This gives you a web-based UI to manage users, clients, claims, resources etc. The community edition is limited to 10 users and 2 clients, which is enough to get started.

Best thing is, the AdminUI is available via a dotnet new template. IOW – you’ll have a functional IdentityServer with user and configuration management up and running literally in a couple of seconds. See our templates repo here.

Supporting us

Running an open source project like IdentityServer takes time and effort. We could use your help!

To make that easier for you, we try to be better with up for grabs issues in the future. If you want to get started with contributing to IdentityServer – look for the help wanted label on our issue tracker, and start a conversation. We are happy to help out.

We also see quite some traffic on StackOverflow – if you want to help out other users (and earn some reputation while you go), that would be very appreciated.

And last but not least – if you are working for a company that uses IdentityServer4, you should encourage your boss to sponsor us. This will allow us to expand our efforts – and btw – we also have some interesting marketing options if you company wants to position itself as modern and thus OSS friendly/supporting. Go check out our Patreon page for more info.

Supporting you

Brock and I are still doing on-site/remote training and consulting. Let us know if we can help you with anything in the identity & access control space!

We also have an infrastructure to offer production support.

OK – that’s it for IdentityServer4. We have more exciting news here at NDC – stay tuned.

Posted in .NET Security, ASP.NET Core, IdentityServer, Uncategorized | Leave a comment

Sponsoring IdentityServer

Brock and I have been working on free identity & access control related libraries since 2009. This all started as a hobby project, and I can very well remember the day when I said to Brock that we can only really claim to understand the protocols if we implement them ourselves. That’s what we did.

We are now at a point where the IdentityServer OSS project reached both enough significance and complexity what we need to find a sustainable way to manage it. This includes dealing with issues, questions and bug reports as well as feature and pull requests.

That’s why we decided to set up a sponsorship page on Patreon. So if you like the project and want to support us – or even more important, if you work for a company that relies on IdentityServer, please consider supporting us. This will allow us to be able to maintain this level of commitment.

Thank you!

Posted in .NET Security, ASP.NET Core, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 1 Comment

Updated Templates for IdentityServer4

We finally found the time to put more work into our templates.

dotnet new is4empty

Creates a minimal IdentityServer4 project without a UI.

dotnet new is4ui

Adds the quickstart UI to the current project (can be e.g added on top of is4empty)

dotnet new is4inmem

Adds a basic IdentityServer with UI, test users and sample clients and resources. Shows both in-memory code and JSON configuration.

dotnet new is4aspid

Adds a basic IdentityServer that uses ASP.NET Identity for user management

dotnet new is4ef

Adds a basic IdentityServer that uses Entity Framework for configuration and state management


Install with:

dotnet new -i identityserver4.templates

If you need to set back your dotnet new list to “factory defaults”, use this command:

dotnet new --debug:reinit

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect, WebAPI | 8 Comments

Missing Claims in the ASP.NET Core 2 OpenID Connect Handler?

The new OpenID Connect handler in ASP.NET Core 2 has a different (aka breaking) behavior when it comes to mapping claims from an OIDC provider to the resulting ClaimsPrincipal.

This is especially confusing and hard to diagnose since there are a couple of moving parts that come together here. Let’s have a look.

You can use my sample OIDC client here to observe the same results.

Mapping of standard claim types to Microsoft proprietary ones
The first annoying thing is, that Microsoft still thinks they know what’s best for you by mapping the OIDC standard claims to their proprietary ones.

This can be fixed elegantly by clearing the inbound claim type map on the Microsoft JWT token handler:


A basic OpenID Connect authentication request
Next – let’s start with a barebones scenario where the client requests the openid scope only.

First confusing thing is that Microsoft pre-populates the Scope collection on the OpenIdConnectOptions with the openid and the profile scope (don’t get me started). This means if you only want to request openid, you first need to clear the Scope collection and then add openid manually.

services.AddAuthentication(options =>
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
    .AddCookie("Cookies", options =>
        options.AccessDeniedPath = "/account/denied";
    .AddOpenIdConnect("oidc", options =>
        options.Authority = "https://demo.identityserver.io";
        options.ClientId = "server.hybrid";
        options.ClientSecret = "secret";
        options.ResponseType = "code id_token";
        options.SaveTokens = true;
        options.TokenValidationParameters = new TokenValidationParameters
            NameClaimType = "name", 
            RoleClaimType = "role"

With the ASP.NET Core v1 handler, this would have returned the following claims: nbf, exp, iss, aud, nonce, iat, c_hash, sid, sub, auth_time, idp, amr.

In V2 we only get sid, sub and idp. What happened?

Microsoft added a new concept to their OpenID Connect handler called ClaimActions. Claim actions allow modifying how claims from an external provider are mapped (or not) to a claim in your ClaimsPrincipal. Looking at the ctor of the OpenIdConnectOptions, you can see that the handler will now skip the following claims by default:


If you want to “un-skip” a claim, you need to delete a specific claim action when setting up the handler. The following is the very intuitive syntax to get the amr claim back:


If you want to see the raw claims from the token in the principal, you need to clear the whole claims action collection.

Requesting more claims from the OIDC provider
When you are requesting more scopes, e.g. profile or custom scopes that result in more claims, there is another confusing detail to be aware of.

Depending on the response_type in the OIDC protocol, some claims are transferred via the id_token and some via the userinfo endpoint. I wrote about the details here.

So first of all, you need to enable support for the userinfo endpoint in the handler:

options.GetClaimsFromUserInfoEndpoint = true;

If the claims are being returned by userinfo, ClaimsActions are used again to map the claims from the returned JSON document to the principal. The following default settings are used here:


IOW – if you are sending a claim to your client that is not part of the above list, it simply gets ignored, and you need to do an explicit mapping. Let’s say your client application receives the website claim via userinfo (one of the standard OIDC claims, but unfortunately not mapped by Microsoft) – you need to add the mapping yourself:


The same would apply for any other claims you return via userinfo.

I hope this helps. In short – you want to be explicit about your mappings, because I am sure that those default mappings will change at some point in the future which will lead to unexpected behavior in your client applications.

Posted in ASP.NET Core, IdentityServer, OpenID Connect, WebAPI | 6 Comments

End of IdentityServer3 Maintenance

Yesterday we made the decision to stop development and maintenance of IdentityServer3. This has a couple of reasons:

  • IdentityServer4 is the better OpenID Connect and OAuth 2 implementation in every aspect
  • ASP.NET Core 2 is now a mature platform
  • There is only that much time you can spend on OSS development and issue tracker support, so we decided to focus on current projects which are IdentityServer4, IdentityModel2 and oidc-client.js

This also applies to answering questions on the issue tracker – we recommend you either use StackOverflow for free support, or use our commercial support options.

Security vulnerabilities will be fixed ASAP of course. Please disclose them responsibly.

PS. If you are a customer or have an existing support contract, we will of course continue supporting you. If you want to start a new support contract for your IdentityServer3 deployment, please let us know.

Posted in IdentityServer, Uncategorized | 15 Comments

Using iOS11 SFAuthenticationSession with IdentityModel.OidcClient

Starting with iOS 11, there’s a special system service for browser-based authentication called SFAuthenticationSession. This is the recommended approach for OpenID Connect and OAuth 2 native iOS clients (see RFC8252).

If you are using our OidcClient library – this is how you would wrap that in an IBrowser:

using Foundation;
using System.Threading.Tasks;
using IdentityModel.OidcClient.Browser;
using SafariServices;
namespace iOS11Client
    public class SystemBrowser : IBrowser
        SFAuthenticationSession _sf;
        public Task InvokeAsync(BrowserOptions options)
            var wait = new TaskCompletionSource();
            _sf = new SFAuthenticationSession(
                new NSUrl(options.StartUrl),
                (callbackUrl, error) =>
                    if (error != null)
                        var errorResult = new BrowserResult
                            ResultType = BrowserResultType.UserCancel,
                            Error = error.ToString()
                        var result = new BrowserResult
                            ResultType = BrowserResultType.Success,
                            Response = callbackUrl.AbsoluteString
            return wait.Task;
Posted in .NET Security, IdentityModel, OAuth, OpenID Connect, Uncategorized, WebAPI | Leave a comment

Templates for IdentityServer4 v2

I finally found the time to update the templates for IdentityServer4 to version 2. You can find the source code and instructions here.

To be honest, I didn’t have time to research more advanced features like post-actions (wanted to do automatic restore, but didn’t work for me) and VSIX for Visual Studio integration. If anyone has experience in this area, feel free to contact me on github.

Also – more advanced templates are coming soon (e.g. ASP.NET Identity, EF etc…)

IS4 templates.gif

Posted in IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | Leave a comment