OAuth is Not Authentication

24 April 2018 OAuth

OAuth 2.0

OAuth is not authentication. It’s an authorization protocol, or, better yet, a delegation protocol. It’s for this reason that authentication protocols such as OpenID Connect exist and legacy protocols such as SAML use extension grants to link authentication and delegation.

There are articles on this subject already, but I still regularly see some confusion as to the reasons why on the internet and with new clients. So in this article, I’m going to discuss the key reasons why OAuth on its own does not provide client applications (relying parties) with user authentication.

Read more

Technical Review of Civic's Secure Identity Platform

05 February 2018 Blockchain Identity

Recently I’ve been looking into blockchain for decentralised identity and authentication. I’m not sure how I feel about blockchain for authentication yet, but I can definitely see the befits of having some sort of decentralised identity system. It turns out there are a lot of identity blockchain projects out there already, some even have released products (and yes, others already gone bust).


I like learning by doing, and from my initial research I’ve found Civic to be one of the more popular platforms. So, what I’m going to do is dig into the technical aspects of the Civic platform and, in a separate article, integrate with it using ASP.NET Core.

Read more

Integrating with Civic SIP using ASP.NET Core

05 February 2018 Blockchain Identity

This article pairs with another article: “Technical Review of Civic’s Secure Identity Platform”. The verdict is that the current implementation has some very strange design decisions that do not add anything to the overall security. Instead, a standardised approach should have been taken using OAuth or OpenID Connect, as opposed to the current self-rolled authentication protocol.


To get started with civic, I’m going to use it as an authentication method in an ASP.NET Core application. This will use the ASP.NET Core MVC Visual Studio template, with no authentication. Authentication is going to be triggered manually using a login button in the sites header.

You can find the completed proof of concept on GitHub.

Read more

JWT Signing using ECDSA in .NET Core

02 February 2018 C#

Recently, as part of messing around with an identity provider, I was given the following private/public key pair and told to sign a JSON Web Token (JWT) with them using ES256:

Private: c711e5080f2b58260fe19741a7913e8301c1128ec8e80b8009406e5047e6e1ef
Public: 04e33993f0210a4973a94c26667007d1b56fe886e8b3c2afdd66aa9e4937478ad20acfbdc666e3cec3510ce85d40365fc2045e5adb7e675198cf57c6638efa1bdb

Okay, sounds simple enough. 5 days and a lot of swearing later, I finally got it working. Now I’m going to write it down so that I don’t have to go through it again.

.NET Core

In .NET Core, to sign a JWT using an Elliptic Curve Digital Signature Algorithm (ECDSA) we need to get ourselves an instance of ECDsaSecurityKey. The constructor for this takes in an instance of ECDsa, which in turn we have to pass in an instance of ECParameters if we want to load in our own key and not have it generate one for us. So, let’s make a start!

Read more