
IdentityServer3 1.0.0

January 26, 2015


After a lot of work, Dominick and I have released IdentityServer3. His post sums it up perfectly. And thanks to all of the feedback we’ve received.

Originally posted on

Today is a big day for us! Brock and I started working on the next generation of IdentityServer over 14 months ago. In fact – I remember exactly how I created the very first file (constants.cs) somewhere in the Swiss Alps and was hunting for an internet connection to do a check-in (much to the dislike of my family).

1690 commits later it is time to recap what we did, why we did it – and where we are now.

Having spent a considerable amount of time in the WS*/SAML world, it became more and more apparent that these technologies are not a good match for the modern types of applications that we (and our customers) like to build. These types of applications are pretty much a combination of web and native UIs combined with web APIs. Security protocols need to be API, HTTP and mobile friendly, and we need authentication…


Demos — NDC London, 2014

December 5, 2014

Here are the slides and demos from my sessions at NDC London:

Also here are the various links that I mentioned:

And the videos are now posted:

Thanks to all who attended!

Demos — Boston Code Camp 22, November 2014

November 22, 2014

The code for my session at Boston Code Camp on OpenID Connect is posted on GitHub:

Thinktecture IdentityServer v3

Sample applications

Thanks for coming!


Sliding and absolute expiration with cookie authentication middleware

November 18, 2014

The Katana cookie authentication middleware supports either a sliding or an absolute expiration, but not both. Recently a client was interested in having both, so I decided to figure out how this could be done.

It’s quite easy since the cookie authentication middleware allows for a Provider property where you can handle events for interesting activity in the middleware. The two events that I used were the OnResponseSignIn which is raised right before the outgoing cookie is issued, and OnValidateIdentity which is raised when the incoming cookie is being validated.

In OnResponseSignIn I add the absolute expiration to the issued cookie. I did not do this as a claim, but rather in the Properties of the cookie (which contains a dictionary for arbitrary values). Then in the OnValidateIdentity I simply read the value back from the dictionary in the Properties to check the expiration. To then cause the cookie to be ignored the RejectIdentity API is used. Since the cookie is dead, you can then optionally call SignOut to have the cookie revoked.

Here’s the code:

using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Owin;

public void Configuration(IAppBuilder app) {
    app.UseCookieAuthentication(new CookieAuthenticationOptions {
        AuthenticationType = "Cookie",
        ExpireTimeSpan = TimeSpan.FromHours(1), // sliding window
        SlidingExpiration = true,
        Provider = new CookieAuthenticationProvider {
            // raised right before the outgoing cookie is issued:
            // stash an absolute expiry (10h) in the ticket's properties
            OnResponseSignIn = ctx => {
                var ticks = ctx.Options.SystemClock.UtcNow.AddHours(10).UtcTicks;
                ctx.Properties.Dictionary.Add("absolute", ticks.ToString());
            },
            // raised when the incoming cookie is validated:
            // reject once the absolute expiry has passed (or the value is missing/malformed)
            OnValidateIdentity = ctx => {
                bool reject = true;
                string value;
                if (ctx.Properties.Dictionary.TryGetValue("absolute", out value)) {
                    long ticks;
                    if (Int64.TryParse(value, out ticks)) {
                        reject = ctx.Options.SystemClock.UtcNow.UtcTicks > ticks;
                    }
                }

                if (reject) {
                    ctx.RejectIdentity();
                    // optionally clear cookie
                    ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType);
                }

                return Task.FromResult(0);
            }
        }
    });
}


NDC London, 2014

November 13, 2014

I’ll be speaking at NDC London this December, 2014. I have two sessions on Thursday on ASP.NET Identity and a 2-day precon workshop with Dominick on identity, single sign-on, federation, authorization, web APIs and all the usual acronyms. :)

Hope to see you there.

Boston Code Camp 22, November 2014

November 9, 2014

I’ll be speaking at Boston Code Camp 22 this November 22nd, 2014 in Cambridge, MA. I’ll be speaking about Single Sign-on with OpenID Connect and API authorization using OAuth2. And of course, I’ll be showing off IdentityServer v3 in the process :)

Here’s the link to my session.

Hope to see you there.


base64url encoding

October 17, 2014

It’s often more convenient to manage data in text format rather than binary data (for example a string column in a database, or a string rendered into an HTTP response). Common examples in security are digital signatures and encryption. Signing and encrypting typically produce bytes of data and in a web application sometimes it’s just easier to manage that data as text.

Base64 is a useful tool for doing this encoding. The only problem is that base64 encoding uses characters that do not work well in URLs and sometimes HTTP headers (e.g. the +, / and = characters are either reserved or have special meaning in URLs). URL encoding is designed to address that problem, but it’s sometimes error prone (e.g. double encoding) or the tooling just doesn’t do the right thing (IIS decodes %2F into a / before it arrives into the application and thus confuses the ASP.NET routing framework). It is very useful to put these sorts of values in a URL, but it’s also frustrating that it’s problematic and that we have to work around these issues again and again.

While reading the JWT specs I noticed they faced the same problem and addressed it by using base64url encoding (which is almost the same as, yet different from, base64 encoding). Base64url encoding is basically base64 encoding except that it uses non-reserved URL characters (e.g. "-" is used instead of "+" and "_" is used instead of "/") and it omits the padding characters. I’ve been using this for some time now and am quite happy with it as a replacement for base64 encoding.

Unfortunately there’s no implementation (that I know of) in the .NET framework for this, so we’ve built our own in our Thinktecture.IdentityModel security helper library. You can use our helpers by using the NuGet, or you can grab the code from here, or you can just copy from the snippet below.

using System;

public static class Base64Url
{
    public static string Encode(byte[] arg)
    {
        string s = Convert.ToBase64String(arg); // Standard base64 encoder
        s = s.Split('=')[0]; // Remove any trailing '='s
        s = s.Replace('+', '-'); // 62nd char of encoding
        s = s.Replace('/', '_'); // 63rd char of encoding
        return s;
    }

    public static byte[] Decode(string arg)
    {
        string s = arg;
        s = s.Replace('-', '+'); // 62nd char of encoding
        s = s.Replace('_', '/'); // 63rd char of encoding
        switch (s.Length % 4) // Pad with trailing '='s
        {
            case 0: break; // No pad chars in this case
            case 2: s += "=="; break; // Two pad chars
            case 3: s += "="; break; // One pad char
            default: throw new Exception("Illegal base64url string!");
        }
        return Convert.FromBase64String(s); // Standard base64 decoder
    }
}

Edit: Turns out there are two places in .NET where this sort of functionality is available: 1) ASP.NET’s HttpServerUtility.UrlTokenEncode, and 2) Katana’s Microsoft.Owin.Security assembly with the Base64UrlTextEncoder class.
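As an added example (not code from the post or from the Thinktecture.IdentityModel library), here is the same encode/decode algorithm in Python, cross-checked against the standard library's urlsafe_b64encode; the inputs are constructed so that both substituted characters and every padding length show up, plus the one remainder that can never be valid.

```python
import base64


def base64url_encode(data: bytes) -> str:
    """Standard base64, then swap the two URL-unsafe symbols and drop '=' padding."""
    s = base64.b64encode(data).decode("ascii")  # standard base64 encoder
    s = s.split("=")[0]                          # remove any trailing '='s
    s = s.replace("+", "-")                      # 62nd char of the alphabet
    s = s.replace("/", "_")                      # 63rd char of the alphabet
    return s


def base64url_decode(arg: str) -> bytes:
    """Reverse the substitutions, restore padding from length mod 4, then decode."""
    s = arg.replace("-", "+").replace("_", "/")
    remainder = len(s) % 4
    if remainder == 2:
        s += "=="          # two pad chars
    elif remainder == 3:
        s += "="           # one pad char
    elif remainder != 0:
        # a remainder of 1 cannot come from any valid encoding
        raise ValueError("Illegal base64url string!")
    # validate=True makes the standard decoder reject stray characters instead of skipping them
    return base64.b64decode(s, validate=True)


def roundtrip_matches_stdlib(data: bytes) -> bool:
    """Cross-check: Python's urlsafe_b64encode differs only in keeping the '=' padding."""
    expected = base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")
    return base64url_encode(data) == expected and base64url_decode(expected) == data


# Constructed inputs chosen so the standard encoder emits '+', '/' and each padding length.
SAMPLES = {
    b"\xfb\xff\xbf": "-_-_",  # standard base64 "+/+/" : no padding
    b"\xfb\xff": "-_8",       # standard base64 "+/8="  : one '=' dropped
    b"\xfb": "-w",            # standard base64 "+w=="  : two '=' dropped
}

# A JOSE header as carried in a JWT's first segment (constructed; compact JSON, no whitespace).
JWT_HEADER = b'{"alg":"HS256","typ":"JWT"}'

if __name__ == "__main__":
    for raw, enc in SAMPLES.items():
        print(raw, "->", base64url_encode(raw), "ok" if roundtrip_matches_stdlib(raw) else "MISMATCH")
    print("JWT header segment:", base64url_encode(JWT_HEADER))
    try:
        base64url_decode("abcde")  # length 5: remainder 1, never valid
    except ValueError as e:
        print("rejected:", e)
```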