The Future of IdentityServer

Tl:dr https://blog.duendesoftware.com/posts/20201001_helloduende/ Brock Allen and I have been working on the IdentityServer code-base for more than 10 years. In 2020 we will be making some important changes to it. Here’s why we are doing this. Our HistoryThe very first version of IdentityServer, which was called StarterSTS, was a collection of 7 aspx...

Oct 2020

IdentityServer and Signing Key Rotation

When maintaining keys used for cryptographic operations (such as when running a token server that maintains keys used to sign tokens), a good security practice is to periodically rotate your keys. This is the process of retiring one key and onboarding another. Within IdentityServer, the way you indicate your primary signing key is with the AddSigningCredential...

Aug 2019

Scope and claims design in IdentityServer

Very often I see developers that are confused about the relationship of scopes and claims in IdentityServer. Hopefully this blog post will help. In OpenID Connect and OAuth 2.0 the definition of a scope is a resource that a client application is trying to get access to. This concept of a resource is deliberately vague and the confusion is exacerbated...

Feb 2019

Using OAuth and OIDC with Blazor

I am sometimes asked what OIDC/OAuth2 protocol flow a Blazor application would use. Since a Blazor application is just a browser-based client-side application, then the answer is the same as if you were asking for a JavaScript browser-based client-side application (or SPA). And more specifically, I’d expect most Blazor applications to be some-domain....

Jan 2019

Same-site cookies, ASP.NET Core, and external authentication providers

Recently Safari on iOS made changes to their same-site cookie implementation to be more stringent with lax mode (which is purportedly more in-line with the spec). In my testing, I noticed that using strict mode same-site cookies had the same behavior on both Chrome and FireFox running on Windows. This behavior affected ASP.NET Core’s handling of external...

Jan 2019

The State of the Implicit Flow in OAuth2

This blog post is a summary of my interpretation and perspective of what’s been going on recently with the implicit flow in OAuth2, mainly spurred on by the recent draft of the OAuth 2.0 for Browser-Based Apps (which I will refer to here as OBBA) and the updated OAuth 2.0 Security Best Current Practice (which I will refer to as the BCP) documents from...

Jan 2019

Beware the combined authorize filter mechanics in ASP.NET Core 2.1

In ASP.NET Core 2.1 one of the security changes was related to how authorization filters work. In essence the filters are now combined, whereas previously they were not. This change in behavior is controlled via the AllowCombiningAuthorizeFilters on the MvcOptions, and also set with the new SetCompatabilityVersion API that you frequently see in the...

Jul 2018

IdentityManager2

In 2014 I developed and released the first version of IdentityManager. The intent was to provide a simple, self-contained administrative tool for managing users in your ASP.NET Identity or MembershipReboot identity databases. It targeted the Katana  framework, and it served its purpose. But now that we’re in the era of ASP.NET Core and ASP.NET Identity...

Jul 2018

Native OIDC client sample for Windows that uses custom URI scheme handler

Since the release of our IdentityModel.OidcClient client library we have had iOS and Android samples for using the system browser to allow a user to authenticate with the token server. Receiving the results from the system browser is interesting since the native client application is in a different process than the system browser. Fortunately those...

Jan 2018

Sponsoring IdentityServer

leastprivilege.com Brock and I have been working on free identity & access control related libraries since 2009. This all started as a hobby project, and I can very well remember the day when I said to Brock that we can only really claim to understand the protocols if we implement them ourselves. That’s what we did. We are now at a point where...

Dec 2017