"passwordrules" is a new attribute on an HTML input tag that allows you to programmatically describe your password policy to password generators. For example, that the minimum length is 20, and it requires a digit and an uppercase character.

While password complexity requirements aren’t the best defense, they are commonplace across many organizations and even enabled by default in some authentication libraries. By making password generators aware of your password policy, you can at least improve the user experience.

In this article, I’m going to show you how to use the passwordrules attribute and a few other attributes that can help make the "perfect" new password field. This includes an on-page example so that you can see if your password manager/generator of choice supports the attribute.

SAML is the protocol that no one wants to use. But if you must use it, at least you now have a modern, detailed introduction to SAML thanks to my new Pluralsight course: Getting Started with SAML.

You’ll hear the common phrase that "SAML is dead", but we have been saying this for almost a decade, and it hasn’t gone anywhere. SAML continues to be one of the most used single sign-on protocols around, especially within large enterprises and government institutions.

This course is entirely programming free and is suitable for software developers of any language or stack. That being said, if you’re looking to get started with SAML in ASP.NET Core, I highly recommend this course as your first step.

I know I said I wanted to travel less…

While this year was chaotic in many different ways, writing this review has helped me recognize the positives and put my achievements into perspective.

If you are interested in writing your own review or just privately taking stock of your year, I recommend checking out the ultimate annual review.

In the same way that OAuth is not authentication, it also does not tell us what the user is allowed to do or represent that the user can access a protected resource (an API).

Understanding what OAuth is not is just as important as knowing what it is, in order to use it effectively. In this article, I’m going to discuss how OAuth does not include user authorization and why user authorization rules should not live within your OAuth authorization server.

TL;DR: OAuth is not suitable for user authorization. The fact that you have an access token that allows you to act on the user’s behalf does not mean that the user can perform an action.

As part of my work with ScottBrady.IdentityModel, I’ve had the chance to play with XChaCha20-Poly1305. Despite sounding a bit silly and being a pain to type, XChaCha20-Poly1305 is a useful symmetric encryption algorithm that offers an alternative to the AES we know and love.

In this article, I am going to give a high-level overview of ChaCha20, Poly1305, and XChaCha20-Poly1305. This will include some code samples using a libsodium implementation in .NET, and a silly “rolling your own” implementation to help demonstrate the differences between ChaCha20-Poly1305 and XChaCha20-Poly1305.

PEM is a file format that typically contains a certificate or private/public keys. PEM files have had patchy support in Windows and .NET but are the norm for other platforms. However, starting with .NET 5, .NET now has out of the box support for parsing certificates and keys from PEM files.

This article will show you how to manually load a PEM file in .NET Core 3.1 (the old way) and how to do the same using the new .NET 5 APIs.You’ll also see how to use PEM certificates for Kestrel TLS.

This year, I had the pleasure of (virtually) speaking at NDC Oslo. While it would have been great to present at the Oslo Spectrum, I still got the chance to talk about my recent work with FIDO2 and WebAuthn, which resulted in the creation of FIDO2 for ASP.NET.

If you want to learn more about how user authentication works on the web and how I think FIDO2 is going to be the solution to many of our issues, then check out my talk below.

JSON Web Tokens (JWTs) can be signed using many different algorithms: RS256, PS512, ES384, HS1; you can see why some developers scratch their heads when asked which one they would like to use.

In my experience, many of the mainstream identity providers have historically only offered RS256 or at least defaulted to it. However, thanks to initiatives such as Open Banking, these identity providers are now expanding their support to cover more signing algorithms, which means you will need to start understanding which ones to use.

Creating a private key for token signing doesn’t need to be a mystery. Recently, I wrote about using OpenSSL to create keys suitable for Elliptical Curve Cryptography (ECC), and in this article, I am going to show you how to do the same for RSA private and public keys, suitable for signature generation with RSASSA-PKCS1-v1_5 and RSASSA-PSS.

Last week, I attended the 5th OAuth Security Workshop (OSW), a workshop where people working with OAuth can meet up and talk about anything related to OAuth security for 3-4 days.

This was my first time attending the OSW, so I thought I would share a few of my highlights and help raise awareness of the event.