https://www.scottbrady.io Articles on Identity, Authentication, OAuth, and ASP.NET Core. Scott Brady (c) 2015 - 2026 Software Development en-us Fri, 13 Mar 2026 00:00:00 GMT https://www.rssboard.org/rss-specification https://www.scottbrady.io/img/logos/scottbrady91.png?v=2 https://www.scottbrady.io https://www.scottbrady.io/general/cto-craft-con-london-2026 https://www.scottbrady.io/general/cto-craft-con-london-2026 A review of the changes in 2025 and my plans for 2026. General Fri, 13 Mar 2026 00:00:00 GMT https://www.scottbrady.io/general/year-in-review-2024 https://www.scottbrady.io/general/year-in-review-2024 A review of the changes in 2024 and my plans for 2025. General Tue, 31 Dec 2024 00:00:00 GMT https://www.scottbrady.io/ws-federation/understanding-ws-federation https://www.scottbrady.io/ws-federation/understanding-ws-federation A modern overview of the WS-Federation protocol, focussing on the parts of the protocol that are still in use and somewhat useful to know. WS-Federation Tue, 09 Apr 2024 00:00:00 GMT https://www.scottbrady.io/general/year-in-review-2023 https://www.scottbrady.io/general/year-in-review-2023 A review of the changes in 2023 and my plans for 2024. General Sun, 31 Dec 2023 00:00:00 GMT https://www.scottbrady.io/leadership/book-notes-elegant-puzzle https://www.scottbrady.io/leadership/book-notes-elegant-puzzle An overview of the book “An Elegant Puzzle: Systems of Engineering Management” by Will Larson, including some of my key takeaways, how they relate to my own experience, and what I am trying to implement as a result. Leadership Sat, 16 Sep 2023 00:00:00 GMT https://www.scottbrady.io/c-sharp/rsa-key-loading-dotnet https://www.scottbrady.io/c-sharp/rsa-key-loading-dotnet How to create your own RSA key in .NET or load one from a JSON Web Key, a PEM file, or an X.509 certificate. C# Sun, 19 Mar 2023 00:00:00 GMT https://www.scottbrady.io/cryptopals/implementing-and-breaking-aes-ecb https://www.scottbrady.io/cryptopals/implementing-and-breaking-aes-ecb Implementing AES with ECB and CBC block cipher modes and brute-force decrypting your first encryption oracle. Cryptopals Sun, 05 Feb 2023 00:00:00 GMT https://www.scottbrady.io/general/year-in-review-2022 https://www.scottbrady.io/general/year-in-review-2022 A review of the changes in 2022 and my plans for 2023. General Sat, 31 Dec 2022 00:00:00 GMT https://www.scottbrady.io/leadership/book-notes-making-of-a-manager https://www.scottbrady.io/leadership/book-notes-making-of-a-manager An overview of the book “The Making of a Manager: What to Do When Everyone Looks to You” by Julie Zhou, including some of my key takeaways, how they relate to my own experience, and what I am trying to implement as a result. Leadership Thu, 24 Nov 2022 00:00:00 GMT https://www.scottbrady.io/oauth/client-authentication https://www.scottbrady.io/oauth/client-authentication Learn the pros and cons of each OAuth client authentication mechanism and take your OAuth security beyond client secrets. OAuth Mon, 10 Oct 2022 00:00:00 GMT https://www.scottbrady.io/leadership/book-notes-art-of-leadership https://www.scottbrady.io/leadership/book-notes-art-of-leadership An overview of the book 'The Art of Leadership' by Michael Lopp, including some of my key takeaways, how they relate to my own experience, and what I am trying to implement as a result. Leadership Sun, 02 Oct 2022 00:00:00 GMT https://www.scottbrady.io/python/authlib-python-jwt https://www.scottbrady.io/python/authlib-python-jwt Learn how to create and validate JSON Web Tokens (JWTs) in Python using the Authlib library, JWT security best practices, and claims validation. Python Thu, 25 Aug 2022 00:00:00 GMT https://www.scottbrady.io/jose/json-web-encryption https://www.scottbrady.io/jose/json-web-encryption Learn how JSON Web Encryption (JWE) works with a walkthrough of the token format, best practices, and the encryption algorithms available to you. JOSE Wed, 17 Aug 2022 00:00:00 GMT https://www.scottbrady.io/oauth/pluralsight-jwt-fundamentals https://www.scottbrady.io/oauth/pluralsight-jwt-fundamentals Learn how to use JWTs securely with my latest course on Pluralsight: JWT Fundamentals. OAuth Wed, 10 Aug 2022 00:00:00 GMT https://www.scottbrady.io/oauth/open-banking-uk https://www.scottbrady.io/oauth/open-banking-uk Learn how the UK's Open Banking makes use of OAuth and OpenID Connect. OAuth Tue, 08 Mar 2022 00:00:00 GMT https://www.scottbrady.io/oauth/step-up-authentication https://www.scottbrady.io/oauth/step-up-authentication Learn how to implement and trigger standards-based step-up authentication using OAuth, OpenID Connect, and SAML. OAuth Mon, 28 Feb 2022 00:00:00 GMT https://www.scottbrady.io/general/year-in-review-2021 https://www.scottbrady.io/general/year-in-review-2021 A review of the changes in 2021 and my plans for 2022. General Fri, 31 Dec 2021 00:00:00 GMT https://www.scottbrady.io/umbraco/frontend-members-sso-openid-connect https://www.scottbrady.io/umbraco/frontend-members-sso-openid-connect How to log into an Umbraco website as an end-user via an external SSO solution such as IdentityServer, Google, or Auth0. Umbraco Tue, 30 Nov 2021 00:00:00 GMT https://www.scottbrady.io/general/rock-solid-knowledge-to-10x-banking https://www.scottbrady.io/general/rock-solid-knowledge-to-10x-banking Why I have left Rock Solid Knowledge, what I’m doing in my new job at 10x Banking, and what, if anything, will change on this website. General Sun, 28 Nov 2021 00:00:00 GMT https://www.scottbrady.io/openid-connect/identity-tokens https://www.scottbrady.io/openid-connect/identity-tokens A deep dive into OpenID Connect’s ID token, looking at what identity tokens are, what they are not, where to use them, and how to validate them. OpenID Connect Thu, 25 Nov 2021 00:00:00 GMT https://www.scottbrady.io/umbraco/backoffice-sso-openid-connect https://www.scottbrady.io/umbraco/backoffice-sso-openid-connect How to log into the Umbraco backoffice using an external identity provider such as IdentityServer, Azure AD, or Auth0. Umbraco Thu, 11 Nov 2021 00:00:00 GMT https://www.scottbrady.io/soft-skills/polywork-vs-impostor-syndrome https://www.scottbrady.io/soft-skills/polywork-vs-impostor-syndrome Polywork is a new social media platform that I’ve been using to track my recent achievements, both big and small, and to tackle my ongoing impostor syndrome. Soft Skills Tue, 12 Oct 2021 00:00:00 GMT https://www.scottbrady.io/c-sharp/xml-signing-dotnet https://www.scottbrady.io/c-sharp/xml-signing-dotnet How to sign XML in .NET and .NET Core using an RSA key while avoiding common XML security pitfalls. C# Tue, 21 Sep 2021 00:00:00 GMT https://www.scottbrady.io/c-sharp/ecdsa-xml-dotnet https://www.scottbrady.io/c-sharp/ecdsa-xml-dotnet Drag your XML signing into the 2020's with modern cryptography by signing XML with ECDSA. C# Tue, 21 Sep 2021 00:00:00 GMT https://www.scottbrady.io/c-sharp/ecdsa-key-loading https://www.scottbrady.io/c-sharp/ecdsa-key-loading Four different ways of loading Elliptic Curve (EC) keys in .NET for use with Elliptic Curve Digital Signature Algorithms (ECDSA). C# Mon, 23 Aug 2021 00:00:00 GMT https://www.scottbrady.io/umbraco/mvp-2021 https://www.scottbrady.io/umbraco/mvp-2021 I’m an Umbraco MVP for 2021! This was awarded in recognition of my contributions to the Unicore project, where Rock Solid Knowledge helped Umbraco migrate their user store to ASP.NET Core Identity. Umbraco Thu, 10 Jun 2021 00:00:00 GMT https://www.scottbrady.io/oauth/client-authentication-vs-pkce https://www.scottbrady.io/oauth/client-authentication-vs-pkce Learn how OAuth Proof-Key for Code Exchange (PKCE) does not replace client authentication (e.g. secrets) and why you should use both where possible. OAuth Tue, 01 Jun 2021 00:00:00 GMT https://www.scottbrady.io/c-sharp/aes-gcm-dotnet https://www.scottbrady.io/c-sharp/aes-gcm-dotnet Learn how to use AES-GCM encryption in .NET for authenticated encryption, giving you the usual confidentiality and an additional integrity check. C# Thu, 20 May 2021 00:00:00 GMT https://www.scottbrady.io/authentication/beware-of-password-shucking https://www.scottbrady.io/authentication/beware-of-password-shucking Learn how password shucking attacks rehashed or pre-hashed passwords by stripping your password hashes of their strong outer password hashing algorithm. Authentication Tue, 13 Apr 2021 00:00:00 GMT https://www.scottbrady.io/aspnet-identity/aspnet-identity-password-policies-with-password-managers https://www.scottbrady.io/aspnet-identity/aspnet-identity-password-policies-with-password-managers Learn how to automatically set HTML passwordrules based on your ASP.NET Identity password options, using the newpassword tag helper from ScottBrady.IdentityModel. ASP.NET Identity Mon, 15 Mar 2021 00:00:00 GMT https://www.scottbrady.io/authentication/perfecting-the-password-field-with-the-html-passwordrules-attribute https://www.scottbrady.io/authentication/perfecting-the-password-field-with-the-html-passwordrules-attribute Learn how to integrate sign up forms with password generators by using the autocomplete and passwordrules HTML attributes. Authentication Wed, 27 Jan 2021 00:00:00 GMT https://www.scottbrady.io/saml/new-pluralsight-course-getting-started-with-saml-20 https://www.scottbrady.io/saml/new-pluralsight-course-getting-started-with-saml-20 SAML is the protocol that no one wants to use. But if you must use it, at least you now have a modern, detailed introduction to SAML thanks to my new Pluralsight course. SAML Thu, 21 Jan 2021 00:00:00 GMT https://www.scottbrady.io/general/year-in-review-2020 https://www.scottbrady.io/general/year-in-review-2020 A review of what little I got up to in 2020 and my plans for 2021. General Tue, 29 Dec 2020 00:00:00 GMT https://www.scottbrady.io/oauth/oauth-is-not-user-authorization https://www.scottbrady.io/oauth/oauth-is-not-user-authorization Avoid a common OAuth pitfall by learning how OAuth consent and access tokens differ from user-level authorization policies. OAuth Mon, 30 Nov 2020 00:00:00 GMT https://www.scottbrady.io/c-sharp/xchacha20-poly1305-dotnet https://www.scottbrady.io/c-sharp/xchacha20-poly1305-dotnet Learn the introductory theory behind XChaCha20-Poly1305, a standby cipher for symmetric encryption, and how to use it in .NET with libsodium or implement it yourself by 'rolling your own crypto' on top of Bouncy Castle. C# Sun, 11 Oct 2020 00:00:00 GMT https://www.scottbrady.io/c-sharp/pem-loading-in-dotnet-core-and-dotnet https://www.scottbrady.io/c-sharp/pem-loading-in-dotnet-core-and-dotnet Learn how to load keys and certificates from PEM files in .NET. With code samples showing the new APIs added in .NET 5 and how to use PEM certificates with Kestrel. C# Mon, 21 Sep 2020 00:00:00 GMT https://www.scottbrady.io/fido/recording-lets-stop-blaming-our-users-for-getting-hacked-when-it-is-our-problem-to-solve https://www.scottbrady.io/fido/recording-lets-stop-blaming-our-users-for-getting-hacked-when-it-is-our-problem-to-solve My talk from NDC Oslo 2020. Learn how current user authentication isn't good enough and how you can solve the password problem with FIDO2 and WebAuthn. FIDO Thu, 20 Aug 2020 00:00:00 GMT https://www.scottbrady.io/jose/jwts-which-signing-algorithm-should-i-use https://www.scottbrady.io/jose/jwts-which-signing-algorithm-should-i-use Learn the difference between each JOSE algorithm (e.g. RS256, ES256, EdDSA) and how to choose the best one available to you. JOSE Tue, 18 Aug 2020 00:00:00 GMT https://www.scottbrady.io/openssl/creating-rsa-keys-using-openssl https://www.scottbrady.io/openssl/creating-rsa-keys-using-openssl An OpenSSL cheat sheet for creating RSA private keys, public keys, and certificates for use with RSASSA-PKCS1-v1_5 and RSASSA-PSS. OpenSSL Wed, 05 Aug 2020 00:00:00 GMT https://www.scottbrady.io/oauth/oauth-security-workshop-2020 https://www.scottbrady.io/oauth/oauth-security-workshop-2020 My experience and highlights from the OAuth Security Workshop 2020. Including new OAuth topics such as online_access, app2app, FAPI, OAuch, and Web ID. OAuth Thu, 30 Jul 2020 00:00:00 GMT https://www.scottbrady.io/identity-server/using-ecdsa-in-identityserver4 https://www.scottbrady.io/identity-server/using-ecdsa-in-identityserver4 How to use ES256 to sign JWTs in IdentityServer4 while still supporting RS256 for backward compatibility. Identity Server Wed, 22 Jul 2020 00:00:00 GMT https://www.scottbrady.io/openssl/creating-elliptical-curve-keys-using-openssl https://www.scottbrady.io/openssl/creating-elliptical-curve-keys-using-openssl An OpenSSL cheat sheet for creating EC private keys, public keys, and certificates for use with ECDSA. OpenSSL Mon, 20 Jul 2020 00:00:00 GMT https://www.scottbrady.io/general/adding-tailwind-utility-classes-to-your-bootstrap-website https://www.scottbrady.io/general/adding-tailwind-utility-classes-to-your-bootstrap-website How to use Tailwind CSS and Bootstrap 4 side-by-side. General Fri, 10 Jul 2020 00:00:00 GMT https://www.scottbrady.io/fido/using-biometrics-in-aspnet-core https://www.scottbrady.io/fido/using-biometrics-in-aspnet-core Physical biometrics, such as fingerprint or facial recognition, are super useful when logging into mobile apps. So why can't you use biometrics in the browser? FIDO Mon, 06 Jul 2020 00:00:00 GMT https://www.scottbrady.io/c-sharp/eddsa-for-jwt-signing-in-dotnet-core https://www.scottbrady.io/c-sharp/eddsa-for-jwt-signing-in-dotnet-core A primer on EdDSA and how to use it for JWT signing in .NET Core using Bouncy Castle and ScottBrady.IdentityModel. C# Mon, 01 Jun 2020 00:00:00 GMT https://www.scottbrady.io/c-sharp/replacing-jwts-with-branca-and-paseto-in-dotnet-core https://www.scottbrady.io/c-sharp/replacing-jwts-with-branca-and-paseto-in-dotnet-core Branca, PASETO, XChaCha20-Poly1305, and Base62 support in .NET Core using ScottBrady.IdentityModel. C# Tue, 12 May 2020 00:00:00 GMT https://www.scottbrady.io/jose/alternatives-to-jwts https://www.scottbrady.io/jose/alternatives-to-jwts JWTs get a lot of hate from the crypto community, but what are the alternatives? In this article, I look at implementations such as Branca and PASETO to see how they compare to JWTs. JOSE Tue, 28 Apr 2020 00:00:00 GMT https://www.scottbrady.io/identity-server/outsourcing-identityserver4-token-signing-to-azure-key-vault https://www.scottbrady.io/identity-server/outsourcing-identityserver4-token-signing-to-azure-key-vault How to outsource IdentityServer4 JWT signing to Azure Key Vault. No private keys were downloaded in the making of this article. Identity Server Mon, 30 Mar 2020 00:00:00 GMT https://www.scottbrady.io/fido/building-a-fido-authenticator-with-opensk https://www.scottbrady.io/fido/building-a-fido-authenticator-with-opensk My experience with OpenSK, an open-source FIDO2 authenticator implementation, using a VirtualBox VM and FIDO2 for ASP.NET. FIDO Mon, 10 Feb 2020 00:00:00 GMT https://www.scottbrady.io/aspnet-identity/identitymanager2-2020-update https://www.scottbrady.io/aspnet-identity/identitymanager2-2020-update New features in IdentityManager2 with ASP.NET Core 3.1 and SameSite cookie support. ASP.NET Identity Mon, 27 Jan 2020 00:00:00 GMT https://www.scottbrady.io/fido/defeating-phishing-with-fido2-for-aspnet-core https://www.scottbrady.io/fido/defeating-phishing-with-fido2-for-aspnet-core Learn how Evilginx can phish common multi-factor authentication implementations, and how you can defeat it using FIDO2. FIDO Thu, 23 Jan 2020 00:00:00 GMT https://www.scottbrady.io/aspnet/refreshing-your-legacy-aspnet-identityserver-client-applications https://www.scottbrady.io/aspnet/refreshing-your-legacy-aspnet-identityserver-client-applications Give your ASP.NET 4.x apps a refresh with the latest OWIN updates and Proof Key for Code Exchange ASP.NET Thu, 16 Jan 2020 00:00:00 GMT https://www.scottbrady.io/general/year-in-review-2019 https://www.scottbrady.io/general/year-in-review-2019 A nostalgic review of what I got up to in 2019 and plans for 2020. General Sat, 28 Dec 2019 00:00:00 GMT https://www.scottbrady.io/c-sharp/supporting-custom-jwt-signing-algorithms-in-dotnet-core https://www.scottbrady.io/c-sharp/supporting-custom-jwt-signing-algorithms-in-dotnet-core How to implement custom signing algorithms for JWT validation in .NET Core, with examples using ES256K and Bouncy Castle. C# Mon, 16 Dec 2019 00:00:00 GMT https://www.scottbrady.io/kotlin/creating-signed-jwts-using-nimbus-jose-jwt https://www.scottbrady.io/kotlin/creating-signed-jwts-using-nimbus-jose-jwt Cheat sheet for using Nimbus JOSE + JWT to create signing keys, generate signed JWTs, and verify JWT signatures. Examples use ES256K and EdDSA (Ed25519) Kotlin Sat, 30 Nov 2019 00:00:00 GMT https://www.scottbrady.io/aspnet/using-mkcert-for-aspnet-core-development https://www.scottbrady.io/aspnet/using-mkcert-for-aspnet-core-development Getting started with mkcert for IIS TLS certificates and ASP.NET Core client certificate authentication ASP.NET Mon, 21 Oct 2019 00:00:00 GMT https://www.scottbrady.io/authentication/new-pluralsight-course-aspnet-authentication-the-big-picture https://www.scottbrady.io/authentication/new-pluralsight-course-aspnet-authentication-the-big-picture New Pluralsight course on all things user authentication and how to implement them in ASP.NET Core Authentication Mon, 09 Sep 2019 00:00:00 GMT https://www.scottbrady.io/c-sharp/jwt-signing-using-rsassa-pss-in-dotnet-core https://www.scottbrady.io/c-sharp/jwt-signing-using-rsassa-pss-in-dotnet-core A look at the new RSASSA-PSS support in .NET Core and what benefits it has over RSASSA-PKCS1-v1_5 C# Mon, 29 Jul 2019 00:00:00 GMT https://www.scottbrady.io/openid-connect/implementing-sign-in-with-apple-in-aspnet-core https://www.scottbrady.io/openid-connect/implementing-sign-in-with-apple-in-aspnet-core A primer on Sign in with Apple, including an example integration in ASP.NET Core. OpenID Connect Sat, 08 Jun 2019 00:00:00 GMT https://www.scottbrady.io/saml/dangers-of-idp-initiated-sso https://www.scottbrady.io/saml/dangers-of-idp-initiated-sso Why you should use SAML's SP-initiated SSO rather than Idp-initiated SSO and unsolicited SAML responses. SAML Thu, 06 Jun 2019 00:00:00 GMT https://www.scottbrady.io/pake/srp-in-csharp-and-dotnet-core https://www.scottbrady.io/pake/srp-in-csharp-and-dotnet-core How to roll your own SRP client and server using C# and .NET Core PAKE Fri, 31 May 2019 00:00:00 GMT https://www.scottbrady.io/identity-server/encrypting-identity-tokens-in-identityserver4 https://www.scottbrady.io/identity-server/encrypting-identity-tokens-in-identityserver4 How to encrypt identity tokens in IdentityServer4 and decrypt them in ASP.NET Core. Identity Server Wed, 10 Apr 2019 00:00:00 GMT https://www.scottbrady.io/dart/generating-a-crypto-random-string-in-dart https://www.scottbrady.io/dart/generating-a-crypto-random-string-in-dart How to generate a cryptographically random string in Dart, suitable for OAuth and OpenID Connect usage Dart Sun, 31 Mar 2019 00:00:00 GMT https://www.scottbrady.io/cryptopals/solving-the-cryptopals-crypto-challenges-in-c-sharp https://www.scottbrady.io/cryptopals/solving-the-cryptopals-crypto-challenges-in-c-sharp My solutions to the Cryptopals Crypto (Cryptography) Challenges using C# and .NET. Cryptopals Mon, 11 Feb 2019 00:00:00 GMT https://www.scottbrady.io/cryptopals/base64-encoding https://www.scottbrady.io/cryptopals/base64-encoding Implementing your own Base64 encoder, dealing with hex strings, bit handling, and sextets. Cryptopals Mon, 11 Feb 2019 00:00:00 GMT https://www.scottbrady.io/cryptopals/caesar-and-vigenere-ciphers https://www.scottbrady.io/cryptopals/caesar-and-vigenere-ciphers Implementing and breaking XOR-based versions of the Caesar and Vigenère Ciphers in C# and .NET. Cryptopals Mon, 11 Feb 2019 00:00:00 GMT https://www.scottbrady.io/kotlin/ktor-using-oauth-2-and-identityserver4 https://www.scottbrady.io/kotlin/ktor-using-oauth-2-and-identityserver4 Implementing OAuth support in Ktor & Kotlin to get access tokens from IdentityServer4 Kotlin Fri, 01 Feb 2019 00:00:00 GMT https://www.scottbrady.io/oauth/why-developers-do-care-about-oauth-and-openid-connect https://www.scottbrady.io/oauth/why-developers-do-care-about-oauth-and-openid-connect A rebuttal to Okta's 'Nobody Cares About OAuth or OpenID Connect', advocating the education and involvement of developers with OAuth and OpenID Connect. OAuth Sun, 27 Jan 2019 00:00:00 GMT https://www.scottbrady.io/openid-connect/aspnet-core-using-proof-key-for-code-exchange-pkce https://www.scottbrady.io/openid-connect/aspnet-core-using-proof-key-for-code-exchange-pkce How to add support for PKCE to your ASP.NET Core OpenID Connect client application. OpenID Connect Tue, 22 Jan 2019 00:00:00 GMT https://www.scottbrady.io/oauth/cheat-sheet-oauth-for-browser-based-applications https://www.scottbrady.io/oauth/cheat-sheet-oauth-for-browser-based-applications A cheat sheet for choosing the right way to securely access an API when using a browser-based application such as a JavaScript SPA. OAuth Tue, 22 Jan 2019 00:00:00 GMT https://www.scottbrady.io/c-sharp/json-web-encryption-jwe-in-dotnet-core https://www.scottbrady.io/c-sharp/json-web-encryption-jwe-in-dotnet-core Learn how to encrypt JSON Web Tokens with JSON Web Encryption in C#, .NET, and ASP.NET Core. C# Mon, 14 Jan 2019 00:00:00 GMT https://www.scottbrady.io/angular/migrating-oidc-client-js-to-use-the-openid-connect-authorization-code-flow-and-pkce https://www.scottbrady.io/angular/migrating-oidc-client-js-to-use-the-openid-connect-authorization-code-flow-and-pkce Migrating your oidc-client-js SPA from the OpenID Connect implicit flow to authorization code flow with PKCE. Angular Fri, 11 Jan 2019 00:00:00 GMT https://www.scottbrady.io/authentication/software-tokens-wont-save-you https://www.scottbrady.io/authentication/software-tokens-wont-save-you A look at the advantages and disadvantages of using software tokens as an authentication factor, focussing on TOTP. Authentication Wed, 09 Jan 2019 00:00:00 GMT https://www.scottbrady.io/general/year-in-review-2018-catch-up https://www.scottbrady.io/general/year-in-review-2018-catch-up A brief review of what I've been up to since 2016, including plans for 2019. General Tue, 01 Jan 2019 00:00:00 GMT https://www.scottbrady.io/identity-server/creating-your-own-identityserver4-storage-library https://www.scottbrady.io/identity-server/creating-your-own-identityserver4-storage-library How to keep your DBA happy by implementing your own IdentityServer4 data store. Identity Server Tue, 11 Dec 2018 00:00:00 GMT https://www.scottbrady.io/oauth/removing-shared-secrets-for-oauth-client-authentication https://www.scottbrady.io/oauth/removing-shared-secrets-for-oauth-client-authentication Removing application passwords from OAuth by using JWT Bearer Tokens, including ASP.NET Core and IdentityServer4 usage. OAuth Tue, 02 Oct 2018 00:00:00 GMT https://www.scottbrady.io/oauth/delegation-patterns-for-oauth-20 https://www.scottbrady.io/oauth/delegation-patterns-for-oauth-20 How to handle delegation scenarios using OAuth Token Exchange, for use with microservices and API gateways. OAuth Thu, 27 Sep 2018 00:00:00 GMT https://www.scottbrady.io/openid-connect/help-im-stuck-in-a-redirect-loop https://www.scottbrady.io/openid-connect/help-im-stuck-in-a-redirect-loop It's not the identity provider, it's you. Methods for debugging redirect loops when using OpenID Providers such as IdentityServer4. OpenID Connect Wed, 26 Sep 2018 00:00:00 GMT https://www.scottbrady.io/oauth/new-pluralsight-course-getting-started-with-oauth-20 https://www.scottbrady.io/oauth/new-pluralsight-course-getting-started-with-oauth-20 Announcing my new Pluralsight course, in which we take a look at OAuth 2.0, the gold standard for API authorization. OAuth Sun, 16 Sep 2018 00:00:00 GMT https://www.scottbrady.io/angular/spa-identity-and-access-control-with-openid-connect-and-identityserver4 https://www.scottbrady.io/angular/spa-identity-and-access-control-with-openid-connect-and-identityserver4 Recording from .NET South West looking at how to protect an Angular application using OpenID Connect Angular Thu, 26 Jul 2018 00:00:00 GMT https://www.scottbrady.io/aspnet-identity/getting-started-with-identitymanager2 https://www.scottbrady.io/aspnet-identity/getting-started-with-identitymanager2 An introduction to IdentityManager2, including ASP.NET Core Identity, and IdentityServer4 integration. ASP.NET Identity Mon, 09 Jul 2018 00:00:00 GMT https://www.scottbrady.io/fido/a-fido2-primer-and-proof-of-concept-using-aspnet-core https://www.scottbrady.io/fido/a-fido2-primer-and-proof-of-concept-using-aspnet-core Getting to grips with FIDO2 and WebAuthn, including a basic implementation in ASP.NET Core FIDO Thu, 05 Jul 2018 00:00:00 GMT https://www.scottbrady.io/identity-server/aspnet-core-swagger-ui-authorization-using-identityserver4 https://www.scottbrady.io/identity-server/aspnet-core-swagger-ui-authorization-using-identityserver4 How to keep your Swagger UI test tool working after protecting your API using IdentityServer 4 (OAuth). Identity Server Wed, 13 Jun 2018 00:00:00 GMT https://www.scottbrady.io/blockchain-identity/lessons-learned-from-integrating-with-blockchain-identity-providers https://www.scottbrady.io/blockchain-identity/lessons-learned-from-integrating-with-blockchain-identity-providers A cautionary tale of reinventing the wheel and history repeating itself in the name of blockchain Blockchain Identity Tue, 12 Jun 2018 00:00:00 GMT https://www.scottbrady.io/oauth/oauth-is-not-authentication https://www.scottbrady.io/oauth/oauth-is-not-authentication The reasons why OAuth is not an authentication protocol, and why without using open standards such as OpenID Connect, should not be hacked to become one. OAuth Tue, 24 Apr 2018 00:00:00 GMT https://www.scottbrady.io/oauth/an-introduction-to-the-oauth-device-flow https://www.scottbrady.io/oauth/an-introduction-to-the-oauth-device-flow One of the few legitimate uses for the ROPC grant type is for browserless devices. Luckily, the OAuth working group now has a solution for that. OAuth Tue, 27 Mar 2018 00:00:00 GMT https://www.scottbrady.io/aspnet-identity/implementing-mediums-passwordless-authentication-using-aspnet-core-identity https://www.scottbrady.io/aspnet-identity/implementing-mediums-passwordless-authentication-using-aspnet-core-identity How to use passwordless authentication via one-time, user specific login links sent via email. Just like Medium! ASP.NET Identity Tue, 06 Mar 2018 00:00:00 GMT https://www.scottbrady.io/blockchain-identity/technical-review-of-civics-secure-identity-platform https://www.scottbrady.io/blockchain-identity/technical-review-of-civics-secure-identity-platform A technical review of the Civic SIP, from the perspective of an identity and authentication professional Blockchain Identity Mon, 05 Feb 2018 00:00:00 GMT https://www.scottbrady.io/blockchain-identity/integrating-with-civic-sip-using-aspnet-core https://www.scottbrady.io/blockchain-identity/integrating-with-civic-sip-using-aspnet-core Integrating with Civic SIP using an ASP.NET Core web application Blockchain Identity Mon, 05 Feb 2018 00:00:00 GMT https://www.scottbrady.io/c-sharp/jwt-signing-using-ecdsa-in-dotnet-core https://www.scottbrady.io/c-sharp/jwt-signing-using-ecdsa-in-dotnet-core How to sign and verify a JSON Web Token (JWT) using Elliptic Curve Digital Signature Algorithms (ECDSA) in .NET Core C# Fri, 02 Feb 2018 00:00:00 GMT https://www.scottbrady.io/kotlin/json-web-token-verification-in-ktor-using-kotlin-and-java-jwt https://www.scottbrady.io/kotlin/json-web-token-verification-in-ktor-using-kotlin-and-java-jwt Verifying JSON Web Tokens usng the Java-JWT library and protecting access to a Ktor API Kotlin Mon, 20 Nov 2017 00:00:00 GMT https://www.scottbrady.io/kotlin/experimenting-with-kotlin-and-oauth https://www.scottbrady.io/kotlin/experimenting-with-kotlin-and-oauth Getting to grips with Kotlin using OAuth client credentials and API requests Kotlin Wed, 15 Nov 2017 00:00:00 GMT https://www.scottbrady.io/openid-connect/silent-refresh-refreshing-access-tokens-when-using-the-implicit-flow https://www.scottbrady.io/openid-connect/silent-refresh-refreshing-access-tokens-when-using-the-implicit-flow Understanding silent refresh and how to implement it using Angular CLI and oidc-client OpenID Connect Wed, 01 Nov 2017 00:00:00 GMT https://www.scottbrady.io/aspnet-identity/improving-the-aspnet-core-identity-password-hasher https://www.scottbrady.io/aspnet-identity/improving-the-aspnet-core-identity-password-hasher Learn how password hashing works in ASP.NET Core Identity and how to secure the default implementation or improve it using bcrypt or Argon2 with a secure migration. ASP.NET Identity Mon, 30 Oct 2017 00:00:00 GMT https://www.scottbrady.io/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications https://www.scottbrady.io/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications Learn why you should not use OAuth's Resource Owner Password Credentials (ROPC) grant. OAuth Tue, 29 Aug 2017 00:00:00 GMT https://www.scottbrady.io/angular/spa-authentiction-using-openid-connect-angular-cli-and-oidc-client https://www.scottbrady.io/angular/spa-authentiction-using-openid-connect-angular-cli-and-oidc-client How to add authentication to an Angular SPA using the oidc-client OpenID Connect client library Angular Thu, 03 Aug 2017 00:00:00 GMT https://www.scottbrady.io/openid-connect/getting-started-with-oidc-provider https://www.scottbrady.io/openid-connect/getting-started-with-oidc-provider Tutorial for getting the node oidc-provider library up and running. OpenID Connect Mon, 24 Jul 2017 00:00:00 GMT https://www.scottbrady.io/oauth/the-wrong-ways-to-protect-an-api https://www.scottbrady.io/oauth/the-wrong-ways-to-protect-an-api The previous alternatives to OAuth and authorizing access to an API and why we no longer use them. OAuth Thu, 06 Jul 2017 00:00:00 GMT https://www.scottbrady.io/identity-server/identityserver-4-sharepoint-integration-using-ws-federation https://www.scottbrady.io/identity-server/identityserver-4-sharepoint-integration-using-ws-federation How to use IdentityServer with WS-Federation as a Trusted Identity Provider in SharePoint 2013. Identity Server Sun, 23 Apr 2017 00:00:00 GMT https://www.scottbrady.io/azure/cloudflare-origin-certificates-and-azure-app-services https://www.scottbrady.io/azure/cloudflare-origin-certificates-and-azure-app-services Using Cloudflare Origin Certificates within Azure App Services using a pfx via openssl Azure Tue, 18 Apr 2017 00:00:00 GMT https://www.scottbrady.io/docker/aspnet-core-and-docker-environment-variables https://www.scottbrady.io/docker/aspnet-core-and-docker-environment-variables Configuring ASP.NET Core application settings when running within Docker containers Docker Tue, 18 Apr 2017 00:00:00 GMT https://www.scottbrady.io/aspnet-identity/aspnet-identity-2-configurable-password-hasher https://www.scottbrady.io/aspnet-identity/aspnet-identity-2-configurable-password-hasher A method of improving the existing ASP.NET Identity 2 Password Hasher by updating the iteration count to be configurable instead of hardcoded. ASP.NET Identity Mon, 06 Mar 2017 00:00:00 GMT https://www.scottbrady.io/windows/yet-another-makecert-tutorial https://www.scottbrady.io/windows/yet-another-makecert-tutorial Yet another tutorial on using MakeCert, this time framed around creating IdentityServer token signing certificates. Windows Sun, 05 Mar 2017 00:00:00 GMT https://www.scottbrady.io/general/software-design-and-development-conference-2017 https://www.scottbrady.io/general/software-design-and-development-conference-2017 Software Design and Development Conference (SDDConf) 2017 speaking announcement. General Wed, 01 Feb 2017 00:00:00 GMT https://www.scottbrady.io/oauth/consuming-external-oauth-services-using-identitymodel https://www.scottbrady.io/oauth/consuming-external-oauth-services-using-identitymodel Pluralsight audition demonstrating the use of the IdentityModel library to consume OAuth protected resources OAuth Tue, 15 Nov 2016 00:00:00 GMT https://www.scottbrady.io/entity-framework/entity-framework-core-in-memory-testing https://www.scottbrady.io/entity-framework/entity-framework-core-in-memory-testing Entity Framework Core testing of relational and non-releational databases using in-memory database providers Entity Framework Thu, 29 Sep 2016 00:00:00 GMT https://www.scottbrady.io/identity-server/getting-started-with-identityserver-4 https://www.scottbrady.io/identity-server/getting-started-with-identityserver-4 A beginners guide to IdentityServer and OpenID Connect, starting with an empty project and ending with a near production ready environment. Identity Server Thu, 22 Sep 2016 00:00:00 GMT https://www.scottbrady.io/azure/getting-started-with-the-azure-documentdb-dotnet-sdk https://www.scottbrady.io/azure/getting-started-with-the-azure-documentdb-dotnet-sdk A guide to creating your first repository using the Azure DocumentDB .NET SDK Azure Wed, 06 Jul 2016 00:00:00 GMT https://www.scottbrady.io/general/ndc-oslo-2016 https://www.scottbrady.io/general/ndc-oslo-2016 A review of NDC Oslo 2016 General Fri, 10 Jun 2016 00:00:00 GMT https://www.scottbrady.io/katana/owin-basic-authentication https://www.scottbrady.io/katana/owin-basic-authentication Basic Authentication, why you shouldn't be using it and how to integrate it into your OWIN pipeline using IdentityModel.Owin.BasicAuthentication Katana Fri, 20 May 2016 00:00:00 GMT https://www.scottbrady.io/katana/ws-federation-token-encryption-using-microsoft-katana https://www.scottbrady.io/katana/ws-federation-token-encryption-using-microsoft-katana How to implement SAML token decryption using the latest WS-Federation Katana components. Katana Sun, 08 May 2016 00:00:00 GMT https://www.scottbrady.io/aspnet-identity/identity-manager-using-aspnet-identity https://www.scottbrady.io/aspnet-identity/identity-manager-using-aspnet-identity How and when to use Identity Manager with an ASP.NET Identity database, including how to secure the UI using OpenID Connect via Identity Server. ASP.NET Identity Fri, 08 Apr 2016 00:00:00 GMT https://www.scottbrady.io/windows/iis-the-process-cannot-access-the-file-because-it-is-being-used-by-another-process https://www.scottbrady.io/windows/iis-the-process-cannot-access-the-file-because-it-is-being-used-by-another-process How to fix a IIS website that refuses to start due to ports being used by another process. Windows Wed, 06 Apr 2016 00:00:00 GMT https://www.scottbrady.io/general/how-i-prepared-for-my-first-technical-presentation https://www.scottbrady.io/general/how-i-prepared-for-my-first-technical-presentation My experience of how to successfully prepare and deliver your first ever technical presentation. General Tue, 29 Mar 2016 00:00:00 GMT https://www.scottbrady.io/general/ten-steps-to-learn-anything-quickly-review https://www.scottbrady.io/general/ten-steps-to-learn-anything-quickly-review 10 Steps to Learn Anything Quickly is an online course created by John Sonmez, the man behind Simple Programmer and Soft Skills: The software developer's life manual. General Sat, 30 Jan 2016 00:00:00 GMT https://www.scottbrady.io/identity-server/identity-server-3-using-ws-federation https://www.scottbrady.io/identity-server/identity-server-3-using-ws-federation Identity Server 3 is by design an OpenID Connect Provider, however it does also give various features to enable developers to use the WS-Federation protocol. Identity Server Sat, 30 Jan 2016 00:00:00 GMT https://www.scottbrady.io/email-verification/python-email-verification-script https://www.scottbrady.io/email-verification/python-email-verification-script Email verification is no secret. All it requires is a little knowledge of the SMTP protocol and your programming language of choice. Email Verification Tue, 24 Nov 2015 00:00:00 GMT https://www.scottbrady.io/katana/creating-owin-middleware-using-microsoft-katana https://www.scottbrady.io/katana/creating-owin-middleware-using-microsoft-katana Step by step walkthrough for creating OWIN/Katana middleware using the OwinMiddleware abstraction, covering response header and body manipulation and some of the most common issues and gotchas. Katana Sun, 30 Aug 2015 00:00:00 GMT https://www.scottbrady.io/identity-server/identity-server-3-using-aspnet-identity https://www.scottbrady.io/identity-server/identity-server-3-using-aspnet-identity Configuring Identity Server 3 to use an ASP.NET Identity user store. Covering various registration options, default behaviour and extensibility scenarios. Identity Server Sun, 16 Aug 2015 00:00:00 GMT https://www.scottbrady.io/aspnet-identity/quick-and-easy-aspnet-identity-multitenancy https://www.scottbrady.io/aspnet-identity/quick-and-easy-aspnet-identity-multitenancy The simplest way of making ASP.NET Identity support multitenancy by extending the default Entity Framework implementation. ASP.NET Identity Sat, 08 Aug 2015 00:00:00 GMT https://www.scottbrady.io/c-sharp/deserializing-a-json-enumerated-string-to-a-different-c-sharp-enumerated-type https://www.scottbrady.io/c-sharp/deserializing-a-json-enumerated-string-to-a-different-c-sharp-enumerated-type Solution for converting a JSON enumerated string to a completely different C# enumerated type during deserialization. C# Mon, 22 Jun 2015 00:00:00 GMT https://www.scottbrady.io/katana/owin-katana-introduction https://www.scottbrady.io/katana/owin-katana-introduction A high level introduction to the OWIN specification and Microsoft's Katana implementation. Katana Mon, 25 May 2015 00:00:00 GMT https://www.scottbrady.io/general/software-design-and-development-conference-2015 https://www.scottbrady.io/general/software-design-and-development-conference-2015 My experiences at the Software Design and Development Conference 2015. General Fri, 15 May 2015 00:00:00 GMT https://www.scottbrady.io/identity-server/identity-server-3-standalone-implementation-part-3 https://www.scottbrady.io/identity-server/identity-server-3-standalone-implementation-part-3 A basic stand alone implementation of Thinktecture's Identity Server 3. Part 3 of this guide details the implementation of an OWIN/Katana client, using a Hybrid flow, to interact with the Identity Server implementation covered in part 1 and look into some of the features of the Katana OpenID Connect middleware. Identity Server Sun, 03 May 2015 00:00:00 GMT https://www.scottbrady.io/identity-server/identity-server-3-standalone-implementation-part-2 https://www.scottbrady.io/identity-server/identity-server-3-standalone-implementation-part-2 A basic stand alone implementation of Thinktecture's Identity Server 3. Part 2 of this guide details the implementation of a form post client to explicitly interact with the Identity Server implementation covered in part 1 and dig into some of OpenID Connect's core concepts. Identity Server Sat, 11 Apr 2015 00:00:00 GMT https://www.scottbrady.io/identity-server/identity-server-3-standalone-implementation-part-1 https://www.scottbrady.io/identity-server/identity-server-3-standalone-implementation-part-1 A basic stand alone implementation of Thinktecture's Identity Server 3. Part 1 of this guide details the Identity Server implementation itself using the default implicit flow and the necessary configuration to do this. Identity Server Wed, 01 Apr 2015 00:00:00 GMT https://www.scottbrady.io/identity-server/thinktecture-identity-server-3 https://www.scottbrady.io/identity-server/thinktecture-identity-server-3 The IdentityServer project is no longer associated with Thinktecture. For up-to-date details, check out IdentityServer4 or Duende IdentityServer. Otherwise read on for a snapshot of the IdentityServer project from 2015. Identity Server Sat, 07 Feb 2015 00:00:00 GMT https://www.scottbrady.io/openid-connect/openid-connect-flows https://www.scottbrady.io/openid-connect/openid-connect-flows Learn about OpenID Connect's authorization code, implicit, and hybrid flows. See how each flow works, when to use it, and how to secure it. OpenID Connect Tue, 20 Jan 2015 00:00:00 GMT https://www.scottbrady.io/openid-connect/openid-connect-endpoints https://www.scottbrady.io/openid-connect/openid-connect-endpoints An explanation of the various OpenID Connect endpoints and what they can be used for. OpenID Connect Sun, 18 Jan 2015 00:00:00 GMT https://www.scottbrady.io/openid-connect/openid-connect-overview https://www.scottbrady.io/openid-connect/openid-connect-overview Learn how OpenID Connect (OIDC) extends OAuth 2 by adding a layer of identity, solving user authentication and Single Sign-On (SSO). OpenID Connect Thu, 15 Jan 2015 00:00:00 GMT https://www.scottbrady.io/general/why-blog https://www.scottbrady.io/general/why-blog An introductory article on blogging and my reasons for doing so. General Tue, 13 Jan 2015 00:00:00 GMT