

Currently Brock is an independent consultant specializing in .NET, web development, and web-based security with 20 years of industry experience. Brock is the co-author of many security-related open source frameworks including IdentityServer, IdentityManager, and MembershipReboot. He also frequently posts to the ASP.NET forums, is an MVP for ASP.NET/IIS, a member of ASPInsiders, and a contributor to the ASP.NET platform.

Brock lives in Barrington, RI and can be reached at

12 Comments
  1. January 30, 2013 6:38 pm

    You’ve got several good posts on Membership. Thanks for taking the time to write this.

  2. Balvvant Bist permalink
    March 31, 2014 8:14 am

    I am new to Web API. In my application I am using Web API, which holds my full business logic. These APIs are consumed by an AngularJS SPA client. I would like to extend the user by adding a couple more properties to it. Do you have any sample, or can you guide me on how to achieve this using IdentityReboot? How can I authenticate the user? What are all the steps I need to take to extend the user with new properties using a code-first approach? What are all the files and places where I need to make changes?


  3. david m chinn permalink
    August 19, 2015 4:18 pm

    We have a legacy application which uses the Windows Identity Framework, written around 2010-2011. Users authenticate by logging into a client portal, which then sends a SAML 1.1 token to our application.

    We are updating the application to a services model, using Web API 2.0/OWIN/Identity 2.0 for security. It looks like bearer tokens are similar in concept to SAML, but not the same.

    The client is very sensitive about changing his portal. Is there any way to consume SAML in a Web API application?

    Thanks in advance.

    • October 1, 2015 5:00 pm

      Bearer tokens are for Web APIs. SAML tokens are for SSO/authentication/web apps.

  4. August 25, 2015 11:12 pm

    Excellent Articles – Thank You!

  5. Bobby permalink
    September 21, 2016 1:33 pm

    Hello Allen, great job and really appreciate your effort. Question: how can a client act as both client and server? I mean, I have three applications: a server, a client/server, and a third-party application. The third-party application redirects to my page, and my page checks for the token; if there is none, it redirects to IdentityServer for authentication and returns back to my app. My app then creates a new token and sends it back to the third party, which uses SAML. Any help would be really appreciated.

    • October 14, 2016 7:51 pm

      Use the gateway pattern — IdentityServer can help with this pattern.

  6. Kim Jex Lim permalink
    February 8, 2017 5:38 am

    Hello Brock Allen, are Thinktecture IdentityServer v2 and v3 free for commercial use and not just for practice development? I am actually doing some POCs using v2 and would like to propose this solution over other products that are expensive.
    Hope to hear from you.

    Thank you very much.


  1. ASP.NET Web API: CORS support and Attribute Based Routing Improvements | DailyICT.Com
  2. ASP.NET Web API: CORS Support and Attribute-Based Routing Improvements - ScottGu Chinese Blog - Site Home - MSDN Blogs
