Anders Abel

Results 20 issues of Anders Abel

The `__Host` prefix enforces security rules on the cookie. Consider renaming both the main IdentityServer session cookie `idsrv` and the temp external cookie to add the `__Host` prefix. The `__Host`...

feature idea

feature request

With server-side sessions on IdentityServer the refresh token flow not only provides new access tokens, but it also ensures that the session on IdentityServer is kept alive. Consider adding...

feature idea

Added a help section on how to enter your own thumbprint when running the demo and put that section on all pages that use thumbprints. Closes #1.

The demo code isn't possible to run, because the certificates are not available. Please put the certificates (including the private keys) in the repository to make it possible to import...

Log (info level) if OIDC state data formatter is enabled with in-memory distributed cache. I've had a few cases in support where the OIDC state data formatter has been...

The external cookies are sometimes very large and if the upstream IdP cannot be changed it's hard to do anything about the number of claims and token sizes. The claims...

feature request

The `TokenValidator` uses the default `ClockSkew` of 5 minutes when validating JWTs. Having a generous clock skew is meant to be forgiving to clients that have their system clock out...

feature request

With server-side sessions and session coordination enabled there are four ways that a session can end: 1. Deliberate call to Logout on IdentityServer (could be due to /endsession called from...

bug