I am living in Switzerland and am interested in web development, application security, Microsoft Graph, M365, Azure and IAM. My favourite technologies and standards are ASP.NET Core, OpenID Connect, OAuth, FIDO2, SQL, EF Core, Angular, TypeScript.
Find Me Online
GitHub | ASP.NET | NuGet | Twitter | Microsoft MVP | npm | LinkedIn
Application Security Workshops
I talk in user groups and conferences around Switzerland and am open to doing talks anywhere in Europe.
ASP.NET Community Standup – Implementing Authentication and Security in ASP.NET Core
ASP.NET Community Standup – Securing ASP.NET Core APIs
Contributing to docs from outside Microsoft with MVP Damien Bowden
.NET C# Lowering, The State Of Azure & Swiss Community & State of .NET Auth & Cloud Security
Azure AD Token Deep dive with Damien Bowden
NuGet packages which I created or helped with:
have a twitter handle damien?
Hi, no, never got around to creating one, never had a need for it yet
created a twitter account
I am interested in your “ANGULAR2 OPENID CONNECT IMPLICIT FLOW WITH IDENTITYSERVER4” article and sample. I am in the process of building a TypeScript definition file for https://github.com/IdentityModel/oidc-client-js/tree/dev (from the dev branch, where the oidc js library was rewritten in ES6) so it can be used in Angular 2 applications for better code completion. I didn’t create strongly typed structures, I use only the “any” type. This is my first attempt:
I would like to use this library instead of your custom code that handles tokens because it offers a lot of useful functionality with UserManager and Oidc
I am using the https://github.com/ToddThomson/tsproject/wiki/Using-TsProject-with-Gulp project to help me build .d.ts for individual ES6 files (that I convert to .ts). I need help in determining if my index.d.ts for the oidc.js client written in ES6 will properly function with Angular 2. Let me know. Regards,
Hi Rad, thanks
sounds good, I’ll try it out. At present, I’m busy updating to ASP.NET Core RC2, which will take about a week. Then I’ll have a go.
Thanks for the code.
You can see here a folder with files I added to https://github.com/IdentityModel/oidc-client-js/tree/dev to automate my conversion to .ts:
You need to run: npm install and then a series of gulp commands in this order:
this will create .d.ts, and .js (based on .ts transpilation to es5).
I then manually create ./index.d.ts in the root, copying all the content from all the files, and remove imports, add a namespace and export 2 important classes.
If we can come up with github based repository where we can automate retrieval of oidc js client (currently under dev branch) and merging it with my build system that would be great especially if we can automate producing ts definition file.
Here is a good video that demonstrates usage of UserManager and OidcClient:
you can send a reply to my email address. I can share my skype id so we can connect that way and do a shared sessions via teamviewer.
Hello Damien. Let me first thank you for your blog posts and source code examples. They have been extremely helpful up to this point. However, I’ve hit a bit of a wall. I’m trying to use OpenID Connect to secure an API that is backed by several microservices. I’ve been successful in getting the API to authenticate using the access token JWT in the Bearer header. However, for some back-end microservices, I would like to pass the id_token to the services that need to know the end user. So I have a couple of questions below:
1. Why are you using the UseJwtBearerAuthentication and not the UseIdentityServerAuthentication middleware?
2. Do either of these middleware allow for automatic retrieval of the id_token?
3. If not, would you create your own middleware to retrieve id_token?
4. Have you seen any examples of a SPA, calling an API, which further calls back-end microservices?
Any help would be appreciated. If there is a better way to discuss this, let me know.
Hi John, sorry for the very slow answer. It’s hard to keep track and do a day job at the same time.
When I set this up, UseIdentityServerAuthentication didn’t work on all platforms, now it’s ok, so I could update it.
No, not that I know of.
Yes, some examples in the IdentityServer 4 samples which use a C# HTTP Client
Hope this helps,
I enjoy reading most of your articles and wanted to thank you.
It would probably make your wonderful collection even more complete.
I just came across your site, loving it so far. Great stuff. Hopefully you can answer this for me. I have been doing Angular 1.x work for a while. I decided to exclude any Microsoft from my front end and just use WebAPI for the back end – NO MVC. So I use Visual Studio, have a pure HTML, CSS, Angular front end, and then WebAPI to the backend.
Now I am trying to migrate to Angular2, finding it hard to find examples of this. It seems the articles I can find have MVC baked in, ASP.NET Core or not.
So my questions. Can I replicate my dev environment with Angular2? I really do not want to embark on a new backend using ASP.NET Core – A) I have all my C# code working already and B) my brain can’t handle all that at once.
I currently have a grunt process that transpiles all my TS to JS so I can use it. Would I be doing the same with A2 but using webpack instead?
I was doing a bit of R&D and using the A2 cli, I can get a project and run it but the ‘compile’ step seems to take very long. Not sure if that is just the way it is, seems that people would accept that so not sure if that was me, or again, just the way webpack is. I see that AOT is where it is, everyone is moving away from JIT.
In short, I want to compile all my code in VS. So C# and A2. Then run it in IE for debugging or Chrome.
First off – Angular2WebpackVisualStudio VERY nice and what I had been looking for. But a few newbie questions.
• In the Task Runner Explorer there are tasks defined (like build-dev, etc) from the package.json and I see them defined in the json file. But where do the tasks in the webpage.config.js come from? Like hot, cold, etc.
• What is the difference between all these options.
• If I run ‘hot’, it runs webpack-server-dev and love that I can make my changes in ts and see them automatically in the browser but the webapi doesn’t work. I need to run this from dotnet with dotnet run, the webservice works but now I do not get the auto loading. Is there a way to get both?
Again, awesome work, this helped me a ton.
When I create a production deployment and deploy it in a subfolder so the URL would be http://www.sitename.com/products/main for example, the site fails. I realize there are changes needed to the prod webpack site and I have made progress but I do not have it all figured out. I changed output.publicPath and added a plugin to change my base in the index.html. That fixes some of the issues but not all and the biggest, looks like the routing is messed up. I can navigate to pages but not type them in and go to them directly, like if you saved it in a bookmark.
Awesome code.. Very helpful.
Hi Damien, I was looking for an article on how to log into SQL Server, via NLog, in ASP.NET Core 2.0? Do you know how to do this?
Nice blog Damien. You should create a LinkedIn account as well.
Hi damienbod, did you find a solution for the below url issue? If you found one, can you please share it with me.
Hi Damien – How can I get in touch with you?
Can’t find email/LinkedIn…
Hi Damien, great blog, you have been really helpful with our ID4 solution.
do you by any chance have any experience with this?
Hope you are doing great !!
I have been using the angular-auth-oidc-client library to integrate oidc in my Angular 7 project.
I would like to pass the “acr-values: idp:AdAzure” in the auth url parameter. I cannot find any property as such (alike “custome_param:” used in angular-oauth2-oidc library).
Could you please let me know is there any update on this library or documented anywhere?
My purpose is to: use the acr_values – to get auto redirect to external login page from Identity server 4. This can be only achieved if I pass the IDP value in client url.
This is used to bypass home realm discovery(HRD). This is provided via the “idp:” prefix to the acr parameter on the authorize request.
I need your pointers on this sooner, Appreciate your help !
you can add custom parameters to the request with this in it
Here’s an example
My name is Anghel Valentin and I am a young programmer. Me and another colleague (Barbu Leonard) started a website to generate random things (https://randommer.io) : number, text, social security numbers, names, phone numbers, hash generator, etc.
We read your article (https://damienbod.com/2019/05/10/handling-access-tokens-for-private-apis-in-asp-net-core/) and it helped us a lot for our website, because we use ASP.NET core Web apis. Also, this link from the article is broken: http://docs.identityserver.io/en/release/quickstarts/5_hybrid_and_api_access.html
Can you add our link on your blog under tools sections ? This will help us a lot.
thanks for the info, nice tools thanks, added it, and will tweet, Greetings Damien
I need your help with HttpClient working. I am confused about creating certificates. If you could help me, I would pay you for the help provided. Thank you.
We are currently doing a refactoring of our webapi’s and we need support to make them secure. Could you please contact me. Thanks in forehand
I need help with wixtoolset code, I am stuck at one point, please help me
Hi, I have not used WIX in years, would need to relearn this 🙂
Dude, you are amazing with all your created code, etc. Thanks for all you do, it helps us a lot.
Like you, I am a Microsoft Advocate and have noticed that Auth0 and Fine Grain Authorization is getting attention. Please give your opinion on FGA.
My opinion, it’s very detailed, (obviously) and is only needed when you have 2K+ users accessing many devices / objects. So normal RBAC will be around a long time.
Hi Michael, Thanks! I am not sure what to think about FGA because it offers a lot of really cool features, but I like to keep authz as simple as possible