Securing ASP.NET Core 3 with OAuth2 and OpenID Connect
When you're building an ASP.NET Core 3 MVC web app or API, you'll want to secure it sooner rather than later. In this course, you'll learn how to use OAuth2 and OpenID Connect, today's widely used standards, to help you achieve your goals efficiently.
What you'll learn
Knowing how to secure applications is important, but knowing why we make certain decisions is, arguably, even more important. In this course, Securing ASP.NET Core 3 with OAuth2 and OpenID Connect, you'll learn the ins and outs of OAuth2 and OpenID Connect (OIDC), today's widely used standards.
First, you'll explore what these standards entail, and how you can integrate their implementations in ASP.NET Core with IdentityServer4.
Next, you'll discover how to secure both a web app and an API.
Finally, you'll learn how to use authorization policies, how to deal with expired access, and what to think about before going to production.
By the end of this course, you'll have the necessary knowledge to efficiently secure your ASP.NET Core 3 applications.
Table of contents
- Coming Up 1m
- How OpenID Connect Works 2m
- Public and Confidential Clients 2m
- OpenID Connect Flows and Endpoints 7m
- OpenID Connect Flow for ASP.NET Core 3m
- Introducing IdentityServer4 1m
- Demo - Setting up IdentityServer4 8m
- Demo - Adding a User Interface for IdentityServer4 3m
- Demo - Adding Users to Test With 3m
- Summary 2m
- Coming Up 1m
- The Authorization Code Flow 8m
- Demo - Configuring IdentityServer to Log In with the Authorization Code Flow 2m
- Demo - Logging In with the Authorization Code Flow 13m
- Authorization Code Injection Attack and PKCE 2m
- The Authorization Code Flow with PKCE 1m
- Demo - Enabling PKCE Protection 1m
- Demo - Logging Out of Our Web Application 3m
- Demo - Logging Out of the Identity Provider 2m
- Demo - Redirecting After Logging Out 4m
- The UserInfo Endpoint 3m
- The Authorization Code Flow with PKCE and the UserInfo Endpoint 2m
- Demo - Returning Additional Claims From the UserInfo Endpoint 3m
- Inspecting an Identity Token 5m
- Summary 2m
- Coming Up 1m
- Demo - Claims Transformation: Keeping the Original Claim Types 2m
- Demo - Claims Transformation: Manipulating the Claims Collection 4m
- Getting Additional Information Through the UserInfo Endpoint 1m
- Demo - Getting Ready for Calling the UserInfo Endpoint 5m
- Demo - Manually Calling the UserInfo Endpoint to Get More Claims 6m
- Role-based Authorization 1m
- Demo - Role-based Authorization: Ensuring the Role Is Included 4m
- Demo - Role-based Authorization: Using the Role in Your Views 3m
- Demo - Role-based Authorization: Using the Role in Your Controllers 2m
- Demo - Creating an Access Denied Page 3m
- Summary 1m
- Coming Up 1m
- The Authorization Code Flow + PKCE 2m
- Demo - Securing Access to Your API 6m
- Demo - Passing an Access Token to Your API 8m
- Demo - Showing an Access Denied Page 2m
- Demo - Using Access Token Claims when Getting a Resource Collection 5m
- Including Identity Claims in an Access Token 1m
- Demo - Including Identity Claims in an Access Token 1m
- Demo - Protecting the API When Creating a Resource (with Roles) 5m
- Summary 1m
- Coming Up 1m
- Token Lifetimes and Expiration 2m
- Demo - Token Lifetimes and Expiration 2m
- Gaining Long-Lived Access with Refresh Tokens 2m
- Demo - Supporting Refresh Tokens 3m
- Demo - Gaining Long-lived Access 7m
- Working with Reference Tokens 2m
- Demo - Working with Reference Tokens 2m
- Token Revocation 1m
- Demo - Revoking Tokens 2m
- Token Validation 6m
- Summary 2m
- Coming Up 1m
- Using a Signing Certificate 2m
- Demo - Creating a Signing Certificate 3m
- Demo - Using a Signing Certificate 3m
- Configuration Data and Operational Data 2m
- Demo - Persisting Configuration Data 7m
- Demo - Persisting Operational Data 2m
- Handling What's Next: Dealing with Users and Credentials 1m
- Summary 1m