The Wrong Ways to Protect an API

06 July 2017 OAuth

OAuth 2.0

Knowing why we don’t use past methodologies can be just as useful as knowing why we use current ones. In this article, we are going to look at past methods for delegating access to an API (the problem that OAuth is the current solution for) and why we shouldn’t use them anymore. Examples in this article are based on systems I’ve seen in the wild or discussed on StackOverflow.


For a user to delegate access (or authorize, give permission) to a mail service to send emails on the user’s behalf. Only send permission must be allowed.

We’re going to use the OAuth terminology of...

Read more

IdentityServer 4 SharePoint Integration using WS-Federation

23 April 2017 Identity Server

Originally published 3 March 2017 on

SharePoint is a popular document collaboration platform from Microsoft, capable of running multiple web applications which in turn consist of multiple web sites. SharePoint also comes with of the box support with other Microsoft products such as Office 365 and Active Directory.

But what if you want to use SharePoint with non-Active Directory accounts? Or have SSO across all of your applications, even on mobile devices? Even Azure AD B2C struggles with this, due to it’s lack of support for SAML 1.1 tokens. This is where traditional identity providers start to struggle and IdentityServer steps in.

Read more

Cloudflare Origin Certificates and Azure App Services

18 April 2017 Azure

Cloudflare Logo

I recently made the move to Cloudflare and have been talking to anyone who will listen about how great it is, both for simplicity and nerdy security features. Yes, even after the media sensation that was #CloudBleed.

One of the things I wanted to do once I moved to Cloudflare was ensure that I had TLS across the entire pipeline. Whilst Cloudflare will ensure you have TLS between the browser and their servers, but they’re a bit more permissive when it comes to TLS between their servers and your origin server (in my case Azure App Service). You’ll see these kinds of images floating around explaining this...

Read more

ASP.NET Core and Docker Environment Variables

18 April 2017 Docker

Docker Logo

When working with ASP.NET Core and Docker, it can be easy to get confused when trying to figure out who is setting what configuration variable and how. Especially if you are using one of the Visual Studio templates with Docker support.

In this article, we’re going to take a look at how configuration settings are applied in both ASP.NET Core, and Docker, and how they interoperate...

Read more

ASP.NET Identity 2 Configurable Password Hasher

06 March 2017 ASP.NET Identity

Default Password Hasher

The default password hasher that comes out of the box with ASP.NET Identity 2 ticks all the right boxes:

  • It actually uses a hashing algorithm (for some reason this is still something we need to congratulate in 2017)
  • It generates a per user salt
  • It iteratively hashes a password (not just once like in vanilla ASP.NET Membership)
  • It uses a derived key

The above can pretty much be summed up with "it uses PBKDF2", but that that didn’t read as nice.

Great, so that’s pretty good for an out of the box password hasher from 2014. But for some reason the password hasher contains the following line of code:

Read more