New Blog

Published: 11 Feb 2019 | Reading time: 1 min

Welcome to my new blog. You will notice that a lot of my older articles have been scraped off the face of this planet. And that is because I used to host my blog on a really dodgy (but cheap) WordPress host. Well... long story short, they…

Testing Authorization Handlers in ASPNETCore

Published: 20 May 2017 | Reading time: 4 min

In one of my previous blog posts around this area, I spoke about how you can assert authorization based on the calling user context upon a particular resource. There are many different ways to do authorization in ASP.NET Core. The…

A Primer On HTTP/2

Published: 08 Mar 2017 | Reading time: 3 min

Let's start off with a little bit of a history lesson. Rewind back to 1991: we had HTTP/0.9, and it was designed around the notion of text-based document exchange. 0.9 was designed around the notion of GETs and GET-ting…

How does Proof Key for Code Exchange (PKCE) by OAuth Work?

Published: 05 Dec 2016 | Reading time: 3 min

Introduction. PKCE, pronounced "pixy", is a safeguard that was introduced after it was discovered that the authorization code grant, as used by public clients such as native apps, was susceptible to an attack known as the authorization code interception attack, which is an attack where an adversary…
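The mechanism PKCE adds, as an added example that is not code from the post: a hypothetical minimal authorization server that binds the S256 code_challenge to each authorization code it issues, and a client that proves possession of the matching code_verifier at the token endpoint. The client ID, the in-memory code store and the single-use/constant-time checks are assumptions of this example; the interception is simulated by handing an adversary the code but not the verifier. The first check in the test uses the reference vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy secret the client keeps in memory; 32 random bytes -> 43 unreserved chars."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))). Only the challenge travels
    in the (interceptable) authorization request; the verifier never does."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory authorization server (not IdentityServer or any real product)."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Accept only S256: a 'plain' challenge is the verifier itself and gives no protection
        # when the authorization request leaks.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Codes are single use: any attempt, successful or not, consumes the code.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        bound_client, bound_challenge = entry
        if bound_client != client_id:
            return None
        expected = make_code_challenge(code_verifier)
        if not secrets.compare_digest(expected, bound_challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flows() -> dict:
    """Constructed scenario: an honest native app, a replay, and an adversary who
    intercepted the authorization code (e.g. via a competing custom URI scheme handler)."""
    auth_server = AuthorizationServer()
    client_id = "native-app"  # assumed registration

    # Flow 1: honest client completes the exchange; a second use of the code is rejected.
    verifier1 = make_code_verifier()
    code1 = auth_server.authorize(client_id, make_code_challenge(verifier1))
    honest = auth_server.token(client_id, code1, verifier1)
    replay = auth_server.token(client_id, code1, verifier1)

    # Flow 2: adversary holds the code but never saw verifier2, so must guess.
    verifier2 = make_code_verifier()
    code2 = auth_server.authorize(client_id, make_code_challenge(verifier2))
    stolen = auth_server.token(client_id, code2, make_code_verifier())

    return {
        "honest_ok": honest is not None,
        "replay_ok": replay is not None,
        "stolen_ok": stolen is not None,
    }


if __name__ == "__main__":
    print(run_flows())
```

Because the verifier is created per authorization request and never leaves the client, intercepting the redirect (or even the full authorization request, since S256 is one-way) yields a code the adversary cannot redeem; the server also consumes the code on the failed attempt, so a later replay by anyone is refused.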

A High Level View At The Proposed Proof Of Possession Architecture for OAuth 2.0

Published: 23 Nov 2016 | Reading time: 4 min

Introduction. In OAuth 2 and OpenID Connect, an authorization server is typically tasked with issuing bearer tokens for access to protected resources. On the web today, the modern token format of choice comes in the form of JWTs (JSON…

The Resource Owner Password Grant Is An Anti-Pattern In The Face Of OAuth & OpenID Connect

Published: 25 Oct 2016 | Reading time: 3 min

OAuth and OpenID Connect both aim to move the web towards a standard of password-less authentication. For the most part, the most trusted identity providers still, at the core, rely on a set of user credentials (username…

General pointers on getting your IdentityServer 4 project production ready

Published: 08 Oct 2016 | Reading time: 4 min

Disclaimer: As of the writing of this post, IdentityServer 4 is not production ready; it is in release candidate, close to RTM, and as such IdentityServer 4 is not officially production ready. Deploying your first IdentityServer 4 web…