

Brock is an independent consultant with the self-appointed title “application security architect”. He specializes in .NET, web development, and web-based security with over 25 years of industry experience. Brock is the co-author of many security-related open source frameworks including IdentityServer, IdentityModel, and oidc-client-js. He is also an MVP for ASP.NET/IIS, and a contributor to the ASP.NET platform.

Brock lives in Barrington, RI and can be reached at

16 Comments
  1. January 30, 2013 6:38 pm

    You’ve got several good posts on Membership. Thanks for taking the time to write this.

  2. Balvvant Bist
    March 31, 2014 8:14 am

    I am new to Web API. In my application I am using Web API, which holds my full business logic. These APIs are consumed by an AngularJS SPA client. I would like to extend the user by adding a couple more properties to it. Do you have any sample, or can you guide me on how to achieve this using IdentityReboot? How can I authenticate the user? What are all the steps I need to take to extend the user with new properties using the code first approach? In which files and places do I need to make changes?


  3. david m chinn
    August 19, 2015 4:18 pm

    We have a legacy application which uses the Windows Identity Framework, written around 2010-2011. Users authenticate by logging into a client portal, which then sends a SAML 1.1 token to our application.

    We are updating the application to a services model, using Web API 2.0/OWIN/Identity 2.0 for security. Looks like bearer tokens are similar in concept to SAML, but not the same.

    The client is very sensitive about changing his portal. Is there any way to consume SAML in a Web API application?

    Thanks in advance

    • October 1, 2015 5:00 pm

      Bearer tokens are for Web APIs. SAML tokens are for SSO/authentication/web apps.

  4. August 25, 2015 11:12 pm

    Excellent Articles – Thank You!

  5. Bobby
    September 21, 2016 1:33 pm

    Hello Allen, great job and really appreciate your effort. Question: how can a client act as both client and server? I mean, I have three applications: a server, a client/server, and a third-party application. The third-party application redirects to my page, and my page checks for the token; if there is none, it redirects to IdentityServer for authentication and returns back to my app. My app then creates a new token and sends it back to the third party, which uses SAML. Any help would be really appreciated.

    • October 14, 2016 7:51 pm

      Use the gateway pattern — IdentityServer can help with this pattern.

  6. Kim Jex Lim
    February 8, 2017 5:38 am

    Hello Brock Allen, is Thinktecture IdentityServer v2 and v3 free for commercial use and not just for practice development? I am actually doing some POCs using v2 and would like to propose this solution over other products that are expensive.
    Hope to hear from you

    Thank you very much

  7. Eddie Webb
    August 16, 2017 4:16 am

    Hi Brock,

    Firstly I wanted to say what a great product Identity Server is! We have recently implemented it where I work and I wanted to find out a little bit more about the configuration. I have read through the documentation and it appears there is support for ORMs when setting up a configuration database. At the moment, it appears that only Entity Framework is considered.

    My question is: is there provision for a more lightweight ORM, like say Dapper, when it comes to the Identity Server configuration data layer?

    I guess I just find the concept of an internal migration process (Entity Framework) quite heavy and certainly difficult to do when promoting a development through environments: Dev -> Test -> UAT -> Prod.

    I would love to have some of your knowledgeable insight on this matter.

    Thanks for your time

    • September 1, 2017 11:12 am

      Yes, we have extensibility points (via interfaces) that you can implement to provide any DB you want.

  8. John Kim
    December 14, 2017 11:05 am

    I would like to attend your 2-day workshops in 2018. I see you are registered for Dev Intersection and Visual Studio Live in Las Vegas. By chance, are you scheduled to present in Austin, TX?


  1. ASP.NET Web API: CORS support and Attribute Based Routing Improvements | DailyICT.Com
  2. ASP.NET Web API: CORS Support and Attribute-Based Routing Improvements - ScottGu中文博客 - Site Home - MSDN Blogs
