Skip to content

Walk through videos for IdentityManager

April 20, 2015

I’ve recorded a couple of videos for getting started with IdentityManager. Enjoy!

Demos — Boston Code Camp 23, March 2015

March 22, 2015

Here are the slides and demos from my session at Boston CodeCamp 23 on securing modern JavaScript apps:

Thanks for attending!



Boston Code Camp 23, March 2015

March 19, 2015

I’ll be speaking at Boston Code Camp 23 this weekend in Cambridge, MA. I’ll be speaking about securing single-page style JavaScript applications with OpenID Connect and OAuth2.

Here’s the link to my session.

Hope to see you there.


IdentityServer3 1.0.0

January 26, 2015


After a lot of work, Dominick and I have released IdentityServer3. His post sums it up perfectly. And thanks to all of the feedback we’ve received.

Originally posted on

Today is a big day for us! Brock and I started working on the next generation of IdentityServer over 14 months ago. In fact – I remember exactly how I created the very first file (constants.cs) somewhere in the Swiss Alps and was hunting for internet connection to do a check-in (much to the dislike of my family).

1690 commits later it is time to recap what we did, why we did it – and where we are now.

Having spent a considerable amount of time in the WS*/SAML world, it became more and more apparent that these technologies are not a good match for the modern types of applications that we (and our customers) like to build. These types of applications are pretty much a combination of web and native UIs combined with web APIs. Security protocols need to be API, HTTP and mobile friendly, and we need authentication…

View original 706 more words

Demos — NDC London, 2014

December 5, 2014

Here are the slides and demos from my sessions at NDC London:

Also here are the various links that I mentioned:

And the videos are now posted:

Thanks to all who attended!

Demos — Boston Code Camp 22, November 2014

November 22, 2014

The code for my session at Boston Code Camp on OpenID Connect are posted on github:

Thinktecture IdentityServer v3

Sample applications

Thanks for coming!


Sliding and absolute expiration with cookie authentication middleware

November 18, 2014

The Katana cookie authentication middleware supports either a sliding or an absolute expiration, but not both. Recently a client was interested in having both, so I decided to figure out how this could be done.

It’s quite easy since the cookie authentication middleware allows for a Provider property where you can handle events for interesting activity in the middleware. The two events that I used were the OnResponseSignIn which is raised right before the outgoing cookie is issued, and OnValidateIdentity which is raised when the incoming cookie is being validated.

In OnResponseSignIn I add the absolute expiration to the issued cookie. I did not do this as a claim, but rather in the Properties of the cookie (which contains a dictionary for arbitrary values). Then in the OnValidateIdentity I simply read the value back from the dictionary in the Properties to check the expiration. To then cause the cookie to be ignored the RejectIdentity API is used. Since the cookie is dead, you can then optionally call SignOut to have the cookie revoked.

Here’s the code:

public void Configuration(IAppBuilder app)
    app.UseCookieAuthentication(new CookieAuthenticationOptions
        AuthenticationType = "Cookie",
        ExpireTimeSpan = TimeSpan.FromHours(1),
        SlidingExpiration = true,
        Provider = new CookieAuthenticationProvider{
            OnResponseSignIn = ctx => {
                var ticks = ctx.Options.SystemClock.UtcNow.AddHours(10).UtcTicks;
                ctx.Properties.Dictionary.Add("absolute", ticks.ToString());
            OnValidateIdentity = ctx =>
                bool reject = true;
                string value;
                if (ctx.Properties.Dictionary.TryGetValue("absolute", out value))
                    long ticks;
                    if (Int64.TryParse(value, out ticks))
                        reject = ctx.Options.SystemClock.UtcNow.UtcTicks > ticks;

                if (reject)
                    // optionally clear cookie

                return Task.FromResult(0);