About
Brock is an independent consultant with the self-appointed title “application security architect”. He specializes in .NET, web development, and web-based security, with over 25 years of industry experience. Brock is the co-author of many security-related open source frameworks, including IdentityServer, IdentityModel, and oidc-client-js. He is also an MVP for ASP.NET/IIS and a contributor to the ASP.NET platform.
Brock lives in Barrington, RI and can be reached at brockallen@gmail.com.
16 Comments
You’ve got several good posts on Membership. Thanks for taking the time to write this.
Hi,
I am new to Web API. In my application I am using Web API, which holds my full business logic. These APIs are consumed by an AngularJS SPA client. I would like to extend the user by adding a couple more properties to it. Do you have any sample, or can you guide me on how to achieve this using IdentityReboot? How can I authenticate the user? What are all the steps I need to take to extend the user with new properties using the code-first approach? What are all the files and places I need to make changes in?
Thanks.
Hello, maybe this is a bit late, but I’ve blogged about using Token Based Authentication with AngularJS; check it out here: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
We have a legacy application which uses the Windows Identity Framework, written around 2010-2011. Users authenticate by logging into a client portal, which then sends a SAML 1.1 token to our application.
We are updating the application to a services model, using Web API 2.0/OWIN/Identity 2.0 for security. It looks like bearer tokens are similar in concept to SAML, but not the same.
The client is very sensitive about changing his portal. Is there any way to consume SAML in a Web API application?
Thanks in advance.
Bearer tokens are for Web APIs. SAML tokens are for SSO/authentication/web apps.
Excellent Articles – Thank You!
Hello Allen, great job, and I really appreciate your effort. Question: how can a client act as both client and server? I mean, I have three applications: a server, a client/server, and a third-party application. The third-party application redirects to my page, and my page checks for the token; if there is none, it redirects to IdentityServer for authentication and returns back to my app. My app then creates a new token and sends it back to the third party, which uses SAML. Any help would be really appreciated.
Use the gateway pattern — IdentityServer can help with this pattern.
Hello Brock Allen, are Thinktecture IdentityServer v2 and v3 free for commercial use and not just for practice development? I am actually doing some POCs using v2 and would like to propose this solution over other products that are expensive.
Hope to hear from you.
Thank you very much.
Yes, the licenses are Apache 2, which means they’re free to use.
Hi Brock,
Firstly, I wanted to say what a great product IdentityServer is! We have recently implemented it where I work, and I wanted to find out a little bit more about the configuration. I have read through the documentation, and it appears there is support for ORMs when setting up a configuration database. At the moment, it appears that only Entity Framework is considered.
My question is: is there provision for a more lightweight ORM, like say Dapper, when it comes to the IdentityServer configuration data layer?
I guess I just find the concept of an internal migration process (Entity Framework) quite heavy, and certainly difficult to do when promoting a development through environments: Dev -> Test -> UAT -> Prod.
I would love to have some of your knowledgeable insight on this matter.
Thanks for your time.
Yes, we have extensibility points (via interfaces) that you can implement to provide any DB you want.
I would like to attend your 2-day workshops in 2018. I see you are registered for DevIntersection and Visual Studio Live in Las Vegas. By chance, are you scheduled to present in Austin, TX?
Unfortunately, I won’t be in Austin.