Silent Refresh - Refreshing Access Tokens when using the Implicit Flow

01 November 2017 OpenID Connect

When using the implicit authentication flow refresh tokens cannot be requested or used, since the client application cannot be explicitly or securely authenticated and therefore cannot be trusted with such a sensitive token. This also applies to any flow on a public client incapable of keeping a secret or making secure back channel requests. If a refresh token intended for a such a client was stolen, the thief could use it to request access tokens for that user, without their knowledge or consent.

When using a client application running in the browser, which the OpenID Connect implicit flow was designed for, we expect the user to be present at the client application. They might be currently in a different tab or even on a different application than the browser, but the session is still active. This means that if their access token expires, they should still be around to authorize another to be issued. We’re not expecting the client application to be performing any sort of background tasks or long-running processing.

But what if, for instance, the user was filling out a form in the application and their access token expired?

Read more

Improving the ASP.NET Core Identity Password Hasher

30 October 2017 ASP.NET Identity

The default password hasher for ASP.NET Core Identity uses PBKDF2 for password hashing. Whilst this is a decent enough implementation, there are certainly more desirable password hashing algorithms out there. So that’s exactly what I’ve addressed, with three new password hasher implementations for ASP.NET Core Identity using bcrypt, scrypt, and Argon2.

Default (PBKDF2) Password Hasher

To be precise, the ASP.NET Core Identity uses PBKDF2 with HMAC-SHA256, a 128-bit salt, a 256-bit subkey, and (by default) 10,000 iterations. Luckily this iteration count is now configurable (unlike ASP.NET Identity 2), and realistically you’ll be looking at adding another zero to that iteration count. 10,000 iterations is so 2012.

PBKDF2 is generally considered “good-enough”, assuming...

Read more

Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications

29 August 2017 OAuth

OAuth 2.0

When you ask a consultant if you should use the Resource Owner Password Credentials (ROPC) grant type, the standard response is: “It depends”. Whilst this is true, I’m going to take a stand and say no. Unfortunately, a lot of people see the username & password fields and say “ah! That’s the one for me!”, and I spend way too much of my time trying to convince them it’s a bad idea after they’ve already spent a lot of time implementing it.

So, let’s take a look at the ROPC grant type, why it’s so tempting, and what we can do to convince other developers and stake holders that it is a bad idea.

Read more

SPA Authentiction using OpenID Connect, Angular CLI and oidc-client

03 August 2017 Angular


OpenID Connect is the go to protocol for modern authentication, especially when using Single Page Applications, or client-side applications in general. A library I often recommend to clients is oidc-client, a plain JavaScript library that is part of the IdentityModel OSS project. This handles all of the necessary protocol interactions with an OpenID Connect Provider, including token validation (which strangely some libraries neglect), and is a certified OpenID Connect Relying Party conforming to the implicit RP and config RP profiles.

In this article, we are going to walk through a basic authentication scenario using the Angular CLI and the oidc-client library, during which we will authenticate a user, and then use an access token to access an OAuth protected API. This will use the implicit flow, where all tokens pass via the browser (something to always remember when dealing with code executing on the client, because the application cannot be trusted with features such as long lived tokens, refresh tokens or client secrets)...

Read more

Getting Started with oidc-provider

24 July 2017 OpenID Connect

OpenID Connect

oidc-provider is an OpenID Connect provider for node.js, providing us with a secure authentication mechanism for our applications, and protection for our APIs. In this article, we’re going to walk through setting up oidc-provider and interacting with it using a couple of different ways.

Why oidc-provider?

It’s a Certified OpenID Provider Library and it’s a framework, unlike some providers which you can only mount and then modify select areas. Whilst this can be good for ensuring expected behaviour (you may be less likely to create security flaws or break functionality), it can be infuriating if you need custom logic or even grant types. The library is certified for all 5 OpenID Provider conformance profiles.

Project Setup

If, like me, you are a complete newbie to node.js and express.js, then the below commands are how we setup a new app...

Read more