Securing ASP.NET Core with OAuth2 and OpenID Connect
In this course you’ll learn how to secure your ASP.NET Core web applications and APIs with today’s de facto standards: OAuth2 and OpenID Connect.
What you'll learn
You've built a web application, an API, or both with ASP.NET Core, but... something seems to be missing: almost all applications need to be secured these days.
In this course, Securing ASP.NET Core with OAuth2 and OpenID Connect, you'll learn how to use today's standards, OAuth2 and OpenID Connect, to secure ASP.NET Core web applications and APIs.
You’ll learn what these standards are and how to implement them. After that, you’ll learn about authorization and authorization policies, storing your users and integrating with other identity providers. Finally, you’ll learn how to get ready for production and deploy your identity provider.
After this course, you'll know the ins and outs of securing ASP.NET Core web applications and APIs with OAuth2 and OpenID Connect.
Table of contents
- Coming Up 1m
- The Authorization Code Flow 9m
- Demo - Configuring IdentityServer to Log in with The Authorization Code Flow 3m
- Demo - Logging in with the Authorization Code Flow 18m
- Authorization Code Injection Attack 2m
- The Authorization Code Flow with PKCE Protection 2m
- Demo - Logging out of Our Web Application 5m
- Logging out of the Identity Provider 2m
- Demo - Redirecting After Logging out 4m
- The UserInfo Endpoint 4m
- Demo - Returning Additional Claims From the UserInfo Endpoint 2m
- Inspecting an Identity Token 3m
- Summary 2m
- Coming Up 1m
- Demo - Claims Transformation: Keeping the Original Claim Types 3m
- Demo - Claims Transformation: Manipulating the Claims Collection 4m
- Role-based Access Control 2m
- Demo - Role-based Authorization: Ensuring the Role Is Included 6m
- Demo - Role-based Authorization: Using the Role in Your Views 3m
- Demo - Role-based Authorization: Using the Role in Your Controllers 2m
- Demo - Creating an Access Denied Page 3m
- Summary 1m
- Coming Up 1m
- The Authorization Code Flow with PKCE Protection 3m
- Demo - Securing Access to Your API (Part 1) 2m
- API Scopes vs. API Resources 4m
- Demo - Securing Access to Your API (Part 2) 7m
- Demo - Passing an Access Token to Your API 6m
- Demo - Using Access Token Claims When Getting Resources 5m
- Including Identity Claims in an Access Token 1m
- Demo - Including Identity Claims in an Access Token 1m
- Demo - Protecting the API When Creating a Resource (with Roles) 4m
- Summary 2m
- Coming Up 1m
- Role-based Access Control vs. Attribute-based Access Control 3m
- Demo - Creating an Authorization Policy 7m
- Demo - Using an Authorization Policy (Web Client) 3m
- Demo - Using an Authorization Policy (API) 4m
- Fine-grained Policies with Scopes 1m
- Demo - Fine-grained Policies with Scopes 6m
- Extending Authorization Policies with Requirements and Handlers 3m
- Demo - Creating Custom Requirements and Handlers 9m
- Using Custom Attributes for Authorization 1m
- Demo - Using Custom Attributes for Authorization 3m
- Summary 1m
- Coming Up 1m
- Token Lifetimes and Expiration 2m
- Demo - Token Lifetimes and Expiration 3m
- Gaining Long-Lived Access with Refresh Tokens 3m
- Demo - Gaining Long-lived Access 5m
- Working with Reference Tokens 2m
- Demo - Working with Reference Tokens 5m
- Token Revocation 1m
- Demo - Revoking Tokens 6m
- Generating Tokens for API Testing 3m
- Demo - Generating a Token with dotnet user-jwts 11m
- Token Validation 6m
- Summary 3m
- Coming Up 1m
- How Credentials Fit in OpenID Connect 2m
- Means of Authentication and Approaches 5m
- Implementation Approaches: Custom, ASP.NET Core Identity and the Microsoft Identity Framework 6m
- Inspecting the User Database Schema 2m
- Demo - Creating a User Database 6m
- Interacting with IdentityServer 2m
- Demo - Inspecting UI Interaction with IdentityServer 7m
- Demo - Inspecting the User Service 1m
- Demo - Integrating IdentityServer with a Custom User Database 4m
- Building Your Identity with a Profile Service 2m
- Demo - Building Your Identity with a Profile Service 4m
- Summary 2m
- Coming Up 1m
- Where Should User Management Screens Live? 3m
- Demo - Implementing a User Registration Screen 13m
- Safely Storing Passwords 8m
- Demo - Safely Storing Passwords 5m
- Activating an Account 2m
- Demo - Activating an Account 12m
- Additional User Management Related Best Practices 4m
- Password Policy Best Practices 2m
- Summary 1m
- Coming Up 1m
- Handling Integration with Third-party Providers 4m
- Use Cases for Windows Authentication 1m
- Windows Authentication Beneath the Covers 3m
- Demo - Enabling Windows Authentication on IIS Express 4m
- Demo - Integrating Windows Authentication with IdentityServer 10m
- Federation with Third-party Identity Providers 4m
- Demo - Inspecting Support for Federating with a Third-party Identity Provider 6m
- Integrating with Microsoft Entra ID (Azure Active Directory) 1m
- Demo - Registering an Application on Azure AD 6m
- Demo - Integrating with Azure AD 6m
- Demo - Registering an Application on Facebook 4m
- Demo - Integrating with Facebook 4m
- Challenges When Integrating with Third-party Identity Providers 3m
- Integrating with Other Third-party Identity Providers 2m
- Summary 3m
- Coming Up 1m
- Integrating Local Users with External Users 2m
- Federated Authentication and Federated Identity 4m
- Demo - Enhancing the Database Schema for Federated Identity 4m
- Demo - Provisioning a New User with a Federated Identity (Part 1) 7m
- Transforming Claims 1m
- Demo - Provisioning a New User with a Federated Identity (Part 2) 3m
- Provisioning a New User with a Federated Identity – Flow Variations 2m
- Demo - Linking a Provider to an Existing User 7m
- Additional Federated Identity Use Cases 2m
- Summary 2m
- Coming Up 1m
- Introducing Multi-factor Authentication 3m
- Supporting MFA with a One-Time Password Through Email 2m
- Supporting MFA with an Authenticator Application 5m
- Demo - Supporting MFA with an Authenticator Application (Enhancing the Database Schema) 2m
- Supporting MFA with an Authenticator Application (Registration) 13m
- Supporting MFA with an Authenticator Application - Authentication 3m
- Demo - Supporting MFA with an Authenticator Application (Authentication) 4m
- Summary 2m
- Coming Up 1m
- Deploying IdentityServer to Azure 8m
- Demo - Persisting Configuration Data 10m
- Demo - Persisting Operational Data 3m
- Demo - Moving From SQLite to SQL Azure 6m
- Demo - Configuring Data Protection 10m
- Demo - Storing Key Material in Azure KeyVault 7m
- Demo - Configuring and Using the Forwarded Headers Middleware 3m
- Demo - Applying a License 2m
- Demo - The Final Deployment 7m
- Summary 3m