HowTo: Use self-signed certificates during Windows Apps development (no code required)


TL;DR; My solution was to save my self signed certificate in DER format, sticking it on a local IIS site, loading the URL to the certificate in my mobile emulator, opening the file (when prompted) and installing the certificate.  Having done this, my mobile now trusts that certificate and I am free to play to my hearts content over HTTPS.

Continue reading

HowTo: Auto synchronise files upon network connection (Windows)

TestLab.grid-6x2There are times where we need to work away from the office network and the safety of backup infrastructure.  What would be nice is to automatically synchronise files on my laptop whenever I connect to the office network.

Working locally on laptops, it should go without saying, carries a danger of loosing data either through “Doh!” moments or through hardware failure (travelling can indeed be hard on the little grey rectangular friends of ours) so we need a solution that provides some safety to our data – preferably without us having to remember to do anything.  Holding back the urge to write something bespoke for once I looked at what I already have my dispersal –  GIT, RoboCopy and Task Scheduler to the rescue – Let’s start auto synchronising our files upon connecting to a given network

Continue reading

Designing with Animation

Presentation by Pasquale D’Silva

We’re in the future, and interfaces are falling behind the curve. Software should feel as responsive and human as the people interacting with it. Design should respond and react with vitality. Too much design is created with an old, static web mentality, and not pushing the new mediums we have to design for. What is it like building interfaces with an animated foundation? Why is it better? This will be an adventure into the magical cosmos of animation. Cartoons, Anvils, Jokes, Jokes people might not get, Dynamite, Stage Dives!

Referenced Article – Transitional Interfaces on Medium

How do I edit my GitHub Wiki locally and include relative images?

This post sets out to describe how to edit a GitHub wiki on your computer as an alternative to editing directly within the GitHub web UI.

Cloning the GitHub Wiki to your computer

The wiki content is unsurprisingly stored within a Git repository and GitHub give you direct access to this repository which can enable you to edit the content locally on your computer. First though we need to clone the git repository to our computer.

  • From your repository homepage on GitHub, click the Wiki link on the right hand side Wiki link example
  • If you already have content in your wiki, Click the Clone URL button.


  • If you have yet to create a page on your wiki you only see the green New Page button. Simply click New Page, set a page title (for example Home) and put some filler blurb content in the page body. Hit Save, and the Clone URL button should appear.

Hitting the Clone URL button will copy the git url for your wiki repository into your clipboard.

  • Now, go to your favourite git client and clone the repository to your computer.

Editing your wiki content efficiently (Windows)

GitHub wiki content can be written in a number of different markup languages. My preference is markdown.

For this I use an awesome editor (if I do say so myself) called MarkPad which was one of the projects we worked on as part of the Code52 effort.

MarkPad is available for windows desktop (download) as well as a windows store app (install from Windows Store) – the source is also available for all if you want to have a poke about.

Sidenote: MarkPad is open source and as such is open to contributions from anyone. We are very open to community contributions so if you use it and think of a way to make it even better then please do get in touch via GitHub issues.

Instructions on how to write Markdown is out of the scope of this article but anyone familiar with editors such as MSWord will pick up thinks pretty quickly.

Ok, so one of the best life-hacks (read: makes your life simple) offered by MarkPad is its handling of images. You can of course construct links to images on the web in markdown but what is extra handy is that MarkPad can also generate image files on the fly from your clipboard.

Simply take a screenshot using something like Shotty (copy to clipboard) or Cropper (set output to clipboard)  and Paste (<ctrl>+v) the contents of your clipboard. MarkPad will automatically generate an image file appropriately named for where you pasted within your document (in relation to the closest header) and link to it in markdown. Very cool, very easy.

Note: When linking to images in markdown that have paths relative to the wiki page be sure to use  “\” as the path separator and not “/”

Push your changes to GitHub

Commit your changes, making sure to include (add) any new content and/or images generated then just perform a GIT push to submit your changes to github. Your changes will be visible on the wiki immediately – go marvel in their splendour.

Glimpse for DotNetOpenAuth 1.3

Finally I got a chance tonight to update my DotNetOpenAuth extension for Glimpse. I’ve pushed the update out to Nuget so go ahead and update now.

Install-Package DCCreative.DNOA4Glimpse


What does it do?

This extension attaches to the internal logging of DotNetOpenAuth and provides you with a view directly within your browser.

Example of Glimpse for DotNetOpenAuth

The source code and test MVC4 web app have been published to GitHub here


The guys at Glimpse have put some really amazing work into Glimpse as of late. Check it out if you haven’t already


How simple is a OpenID Connect Basic client? (C#)

John Bradley has just posted a great entry demonstrating how simple life is going to be for a Relying Party when it comes to OpenID Connect. I highly recommend you go and read it.

OpenID Connect provides a lot of advanced facilities to fulfill many additional features requested by the member community. It is full of features that go beyond basic Authentication. However, that does not mean that it cannot be used for the simple case for “Just Authentication”.

The sample code in John’s post is in PHP so I thought I would quickly provide the same samples in C#. here we go.

Making an OpenID Connect request

In order for the client to make an OpenID Connect request, it needs to have the following information about the server:

  • client identifier – An unique identifier issued to the client (RP) to identify itself to the authorization server. (e.g. 3214244)
  • client secret – A shared secret established between the authorization server and client used for signing requests.
  • end-user authorization endpoint – The authorization server’s HTTP endpoint capable of authenticating the end-user and obtaining authorization. (e.g., )
  • token endpoint – The authorization server’s HTTP endpoint capable of issuing access tokens.

In the simplest cases, this information is obtained by the client developer, having read the server’s documentation and pre-registered their application. Then, for a bear bone authentication request you would put a link like this in the HTML page:

<a href="">Login with</a>

The user initiates login by clicking on the “Login with” link, and is taken to the server where she is asked username/password etc. if she is not logged into yet. Once she agrees to login to  the RP, the browser is redirected back to the call back URL at the RP by 302 redirect. The PHP Server side code may look like:


Note: state is the parameter that is used to protect against XSRF.  It binds the request to the browser session.  It is recommended but not required in OAuth and has been omitted to make the example static. That should be simple enough?

Calling the Token endpoint to get id_token

Now that the RP has the ‘code’, you need to get the id_token from the token endpoint. The id_token is the user login information assertion.  What do you do? Just GET it with HTTP Basic Auth using client_id, client_secret, and the code you got in the first step. Using C#, it would look like:

var code = Request.Form[”code”];
var client = new WebClient();
NetworkCredential credentials = new NetworkCredential("testuser", "testpass");
client.Credentials = credentials;
client.Headers.Add("Content-Type","application/json; charset=utf-8");
var responseJson = client.DownloadString(new Uri(""+code));

The result, responseJson, will contain a JSON like this (line wraps for display purposes only):

"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.

For simple authentication we will ignore “access_token”, “token_type” etc. What you only care about is the “id_token”. “id_token” is encoded in a format called  JSON Web Token (JWT). JWT is the concatenation of “header”, “body”, “signature” by periods (.). Since you are getting this directly through TLS protected channel that is verifying the identity of the server certificate, you do not need to check the signature for integrity, so you just take out the second portion of it and base64url_decode it to get the information out of the id_token. So in PHP you may do something like:

JObject o = JObject.Parse(response);
var token = o.id_token;
var id_array = token.split('.');
var id_body = Convert.FromBase64String(id_array[1]);

The resulting assertion, id_body in the above example,  about the user (after pretty formatting)  is:

"user_id": "248289761001",
"aud": "3214244",
"iat": 1311195570,
"exp": 1311281970

“iss” is showing the issuer of this token, in this case, the The issuer must match the expected issuer for the token endpoint, if it is different you must reject the token. the ‘iss” is the name space of the  user_id, which is unique within the issuer and never reassigned. When the client stores the user identifier, it MUST store the tuple of the  user_id and iss. “aud” stands for “audience” and it shows who is the audience of this token. In this case, it is the RP’s client_id. If it is different, you must reject the token. “iat” stands for the time the token was issued.  This can be ignored in this flow as the client is talking directly to the token endpoint. “exp” is the expiry time of the token. If the current time is after “exp”, e.g., in PHP, if  $exp < time();  the RP should reject the token as well. So, that is it. Now you know who is the user, i.e., you have authenticated the user. All of the above in the form of code would be:

private bool checkID(idBody, issuer, clientID){
    JObject o = JObject.Parse(idBody);
    if (o.iss != issuer)
        return false;
    if (o.aud != clientID)
        return false;
    if (o.exp < DateTime.UtcNow)
        return false;
    return true;

— Once again, be sure to go read John’s post (

Solved: Chrome v18, self signed certs and “signed using a weak signature algorithm”

So chrome has just updated itself automatically and you are now running v18 – great. Or is it…

If like me, you are someone that are running sites using a self-signed SSL Certificate (i.e. when running a site on a developer machine) you may come across the following lovely message;

WAT? Try explaining what a weak signature algorithm means to a non-tech!

Fear not, this is likely as a result of you following instructions you found on the apache openssl site which results in a self signed cert using the MD5 signature hashing algorithm.

Using OpenSSL

The simple fix is to generate a new certificate specifying to use the SHA512 signature hashing algorithm, like so;

openssl req -new -x509 -sha512 -nodes -out server.crt -keyout server.key


Now, you should be able to confirm the signature algorithm used is sha512 by looking at the details tab of certificate

Confirming the signature algorithm


  • If you change your certificate, be sure to reapply any private key permissions you require – such as allowing access to the application pool user.

DotNetOpenAuth: Debugging and Tracing OpenID and OAuth on ASP.NET (or MVC) using Glimpse

Synopsis: Understanding exactly what is happening under the hood when it comes to working with OpenID and OAuth can be challenging even for the seasoned IDM developer. What I have found to help, is being able to see the communications between all the parties involved. Fortunately the DotNetOpenAuth library can be told to expose a plethora of information to the developer via integrated logging. In this post I will talk about a project called Glimpse that exposes a whole host of information to you, the developer, directly within the browser and then I will introduce a Glimpse plugin I have written that exposes all that lovely juicy information directly from DotNetOpenAuth.

In Short

  1. Get DNOA4Glimpse:
    NuGet Command: PM> Install-Package DCCreative.DNOA4Glimpse

What is Glimpse?

WhatIsGlimpseGlimpse is a very cool set of utilities that provide developers with a massive array of how requests go about being served, as well as a host of other information about the server itself.

At its core, Glimpse allows you to debug your web site or web service right in the browser. Glimpse allows you to “Glimpse” into what’s going on in your web server. In other words what Firebug is to debugging your client side code, Glimpse is to debugging your server within the client.

Glimpse is available via NuGet at

Exposing DotNetOpenAuth to Glimpse


Writing a plugin for Glimpse is childsplay. Glimpse exposes a friendly Plugin interface

public interface IGlimpsePlugin
	string Name { get; }
	object GetData(HttpContextBase context);
	void SetupInit();

Simply inherit from IGlimpsePlugin then implement the members in your plugin.

public class DotNetOpenAuthPlugin : IGlimpsePlugin {
	public void SetupInit() {
	public string Name {
		get { return "DotNetOpenAuth"; }

After adding a reference to the assembly containing your plugin, Glimpse will automatically pick up your plugin (thanks to the wonderful powers of MEF).


I quickly threw together a sample application to test the plugin.

  1. Create a new ASP.NET MVC site based on the DNOA MVC relying party sample.
  2. Add the DNOA4Glimpse package (Install-Package DCCreative.DNOA4Glimpse)
  3. Done (Get the source here)


Glimpse has been turned on (by visiting // which results in a panel being displayed at the bottom of your screen. As you can see, there is a DotNetOpenAuth tab. Awesome!

Right, now – let’s do an OpenID Authentication


What’s really cool is the Glimpse’s handling of complex objects.


The presentation of complex objects such as the YADIS services detailed above will improve in a version I am currently working on, thanks for some new presentation features coming to Glimpse soon. Watch this space.

So the plugin is still in beta but hopefully you will find it useful.

DNOA4Glimpse and Demo Source is available at

An afternoon with Glenn Block – Leith, Edinburgh 12th March 2011


Exciting news.

I am proud to announce that Glenn Block from Microsoft will be coming all the way from Seattle to Scotland on the 12th March to talk to you!. Glenn is a PM on the WCF team working on Microsoft’s future HTTP and REST stack and has been involved in some pretty exciting and ground-breaking Microsoft development mind-shifts in recent times.

Don’t miss the chance to hear him speak and ask him questions. The day will be split into two parts.

Favourite subjects from The Block
The first couple of hours will see Glenn focus on talking about his current work basket – expect to see him talking about Windows Communication Foundation, web APIs, HTTP, REST, MEF, Patterns & Practices and his experiences at the recent mvcConf 2 event!

Block unblocked chalk talk – your chance to ask Glenn anything he can answer
The second half of the afternoon will be “yours” – a chalk’n’talk if you prefer. It will be your chance to have an open and frank conversation with Glenn, to ask him questions, to challenge him and to get answers to those questions that you’ve been saving for such a celebrity!

Book your for ticket here (Tickets are Free!)

Brief history of Glenn

Glenn is a PM on the WCF team working on Microsoft’s future HTTP and REST stack. Prior to WCF he was a PM on the new Managed Extensibility Framework in .NET 4.0. He has experience both inside and outside Microsoft developing software solutions for ISVs and the enterprise. He has also been active in involving folks from the community in the development of software at Microsoft. This has included shipping products under open source licenses, as well as assisting other teams looking to do so.

Glenn is a featured blogger over at CodeBetter, read what he’s writing about here:

His official Microsoft blog can be found here:

Glenn Block on the web

Sponsored by

Storm ID is an award winning full service digital agency in Edinburgh