Tag Archives: access token

Using encrypted access tokens in Azure with Microsoft.Identity.Web and Azure App registrations

This post shows how to use encrypted access tokens with Azure AD App registrations using Microsoft.Identity.Web. By using encrypted access tokens, only applications with access to the private key can decrypt the tokens. When using encrypted tokens, you can prevent access token data from being used or read by tools such as https://jwt.ms or https://jwt.io and […]

Securing a Web API using multiple token servers

This article shows how a single secure Web API could be used together with multiple secure token servers. The API uses JWT Bearer token authentication, but because the access tokens come from different token servers, the token validation needs to be changed. Code: https://github.com/damienbod/ApiJwtWithTwoSts Using multiple Authorities with shared certificate The first way this can […]

Handling Access Tokens for private APIs in ASP.NET Core

This article shows how to persist access tokens for a trusted ASP.NET Core application which needs to access secure APIs. The persisted tokens are not meant for public clients, but are used for service-to-service communication. Code: https://github.com/damienbod/AspNetCoreHybridFlowWithApi Posts in this series: Securing an ASP.NET Core MVC application which uses a […]

Securing an Angular SignalR client using JWT tokens with ASP.NET Core and Duende IdentityServer

This post shows how an Angular SignalR client can send secure messages using JWT bearer tokens with an API and an STS server. The STS server is implemented using Duende IdentityServer and the API is implemented using ASP.NET Core. Code: https://github.com/damienbod/AspNetCoreAngularSignalRSecurity Posts in this series History 2023-01-08 Updated Angular 15, .NET 7 2021-01-25 Updated Angular 11.1.0 […]

Full Server logout with IdentityServer4 and OpenID Connect Implicit Flow

The article shows how to fully log out from IdentityServer4 using an OpenID Connect Implicit Flow. By design, when using an access token to access protected data from a resource server, even if the client has logged out from the server, the access token can be used as long as it is valid (AccessTokenLifetime) as it is […]

Angular secure file download without using an access token in URL or cookies

This article shows how an Angular SPA client can download files using an access token without passing it to the resource server in the URL. The access token is only used in the HTTP header. If the access token is sent in the URL, it will be saved in server logs, routing logs, browser history, […]

Secure file download using IdentityServer4, Angular2 and ASP.NET Core

This article shows how a secure file download can be implemented using Angular 2 with an OpenID Connect Implicit Flow using IdentityServer4. The resource server needs to process the access token in the query string and the NuGet package IdentityServer4.AccessTokenValidation makes it very easy to support this. The default security implementation jwtBearerHandler reads the token […]

Angular OpenID Connect Implicit Flow with IdentityServer4

This article shows how to implement an OpenID Connect Implicit Flow client in Angular. The Angular client is implemented in TypeScript and uses IdentityServer4 and an ASP.NET Core 2.0 resource server. The OpenID Connect specification for Implicit Flow can be found here. Code: https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow History: 2019-09-20: Updated ASP.NET Core 3.0, Angular 8.2.6 2018-12-05: Updated to […]