You've got your good thing, and you've got mine
TL;DR https://blog.duendesoftware.com/posts/20201001_helloduende/ Brock Allen and I have been working on the IdentityServer code-base for more than 10 years. In 2020 we will be making some important changes to it. Here’s why we are doing this. Our History: The very first version of IdentityServer, which was called StarterSTS, was a collection of 7 aspx...
Oct 2020
When maintaining keys used for cryptographic operations (such as when running a token server that maintains keys used to sign tokens), a good security practice is to periodically rotate your keys. This is the process of retiring one key and onboarding another. Within IdentityServer, the way you indicate your primary signing key is with the AddSigningCredential...
Aug 2019
Very often I see developers that are confused about the relationship of scopes and claims in IdentityServer. Hopefully this blog post will help. In OpenID Connect and OAuth 2.0 the definition of a scope is a resource that a client application is trying to get access to. This concept of a resource is deliberately vague and the confusion is exacerbated...
Feb 2019
I am sometimes asked what OIDC/OAuth2 protocol flow a Blazor application would use. Since a Blazor application is just a browser-based client-side application, then the answer is the same as if you were asking for a JavaScript browser-based client-side application (or SPA). And more specifically, I’d expect most Blazor applications to be some-domain....
Jan 2019
Recently Safari on iOS made changes to their same-site cookie implementation to be more stringent with lax mode (which is purportedly more in-line with the spec). In my testing, I noticed that using strict mode same-site cookies had the same behavior on both Chrome and Firefox running on Windows. This behavior affected ASP.NET Core’s handling of external...
Jan 2019
This blog post is a summary of my interpretation and perspective of what’s been going on recently with the implicit flow in OAuth2, mainly spurred on by the recent draft of the OAuth 2.0 for Browser-Based Apps (which I will refer to here as OBBA) and the updated OAuth 2.0 Security Best Current Practice (which I will refer to as the BCP) documents from...
Jan 2019
In ASP.NET Core 2.1 one of the security changes was related to how authorization filters work. In essence the filters are now combined, whereas previously they were not. This change in behavior is controlled via the AllowCombiningAuthorizeFilters on the MvcOptions, and also set with the new SetCompatibilityVersion API that you frequently see in the...
Jul 2018
In 2014 I developed and released the first version of IdentityManager. The intent was to provide a simple, self-contained administrative tool for managing users in your ASP.NET Identity or MembershipReboot identity databases. It targeted the Katana framework, and it served its purpose. But now that we’re in the era of ASP.NET Core and ASP.NET Identity...
Jul 2018
Since the release of our IdentityModel.OidcClient client library we have had iOS and Android samples for using the system browser to allow a user to authenticate with the token server. Receiving the results from the system browser is interesting since the native client application is in a different process than the system browser. Fortunately those...
Jan 2018
leastprivilege.com Brock and I have been working on free identity & access control related libraries since 2009. This all started as a hobby project, and I can very well remember the day when I said to Brock that we can only really claim to understand the protocols if we implement them ourselves. That’s what we did. We are now at a point where...
Dec 2017