Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
.NET Day 19 - Authentication and Authorization ...
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
.NET Day
May 28, 2019
Technology
350
0
Share
.NET Day 19 - Authentication and Authorization in ASP.NET Core by Damien Bowden
.NET Day
May 28, 2019
More Decks by .NET Day
See All by .NET Day
.NET Day 2025: How to Lie with AI: Understanding Bias, Ethics, and the Hidden Risks in Machine Learning
dotnetday
0
32
.NET Day 2025: Most Expensive Design Mistakes (Ever) and how to avoid them
dotnetday
0
36
.NET Day 2025: Turbocharged: Writing High-Performance C# and .NET Code
dotnetday
0
46
.NET Day 2025: Developing ASP.NET Core Microservices with Dapr: A practical guide
dotnetday
0
41
.NET Day 2025: Enhancing Legal Document Analysis with Reflection Agents, Semantic Kernel, and Azure AI Search
dotnetday
0
31
.NET Day 2025: Future-Proof Your Blazor Apps with bUnit
dotnetday
0
24
.NET Day 2025: .NET Core Testing: pushing the limits
dotnetday
0
47
.NET Day 2025: The best ways to use the latest OpenAPI features in .NET 9!
dotnetday
0
38
.NET Day 2025: Supercharged Search with Semantic Search and Vector Embeddings
dotnetday
0
36
Other Decks in Technology
See All in Technology
LLMと共に進化するプロセスを目指して
ymatsuwitter
10
2.7k
「気づいたら仕事が終わっている」バクラクAIエージェント本番運用の裏側 / layerx-bakuraku-aie2026
yuya4
18
9.9k
Javaコミュニティをもっと楽しむための9箇条
takasyou
0
1.3k
「嘘をつくテスト」の失敗例から学ぶ 良いテストコード #frontend_phpcon_do
asumikam
0
250
DevOps Agentで始めるAWS運用 〜フロンティアエージェントが変える運用の現場〜
nyankotaro
1
210
JEP 522 Deep Dive - G1 GC同期コスト削減によるスループット向上を徹底検証&解説
tabatad
1
820
TypeScript Compiler APIとPHP-Parserを活用し、TypeScriptとPHPで型を共有する
shuta13
0
360
Oracle Cloud Infrastructure IaaS 新機能アップデート 2026/3 - 2026/5
oracle4engineer
PRO
1
190
Platform Engineering as a Product: Criteria for Improvement and Multi-Tenant Design
kumorn5s
0
500
新アーキテクチャ「TiDB X」解説とDedicated比較 TiDB Cloud Premiumのゲーム運用活用を検証
staffrecruiter
0
110
Dynamic Workersについて
yusukebe
2
580
イベントストーミングとKiroの仕様駆動開発で実現する要件の認識合わせプロセス
syobochim
7
1.2k
Featured
See All Featured
Done Done
chrislema
186
16k
YesSQL, Process and Tooling at Scale
rocio
174
15k
Learning to Love Humans: Emotional Interface Design
aarron
275
41k
The Mindset for Success: Future Career Progression
greggifford
PRO
0
350
The SEO Collaboration Effect
kristinabergwall1
1
480
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
2
570
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
1
340
The Power of CSS Pseudo Elements
geoffreycrofte
82
6.3k
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
200
Code Review Best Practice
trishagee
74
20k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
231
23k
Digital Ethics as a Driver of Design Innovation
axbom
PRO
1
300
Transcript
ASP.NET Core Security • Damien Bowden Microsoft MVP • https://damienbod.com
• @damien_bod
https://github.com/damienbod ASP.NET Core, OpenID Connect, OAuth, Identity, Azure Angular, angular-auth-oidc-client
npm
Security & Applications today OpenID Connect, OAuth2 Authorization: ASP.NET Core
Policies
Security & Applications today
Application
Application Authentication Business Data Access Authorization Identity
Application Authentication Business Data Access Authorization Identity Application 2 Authentication
Business Data Access Authorization Identity
Application Authentication Business Data Access Authorization Identity Application 2 Authentication
Business Data Access Authorization Identity
None
None
HTTPS everywhere, Certs
WAF HTTPS everywhere, Certs Protected Zone
WAF HTTPS everywhere, Certs Protected Zone
Authentication, Authorization, Accounting Session Protection HTTP headers HTTPS Certs TLS
1.2, 1.3 WAF Web Application Firewall
Authentication Authorization Signout Session
USE Standards Don’t implement this yourself, use certified libs, packages,
tested
None
OAuth2 OpenID Connect Authentication Authorization Delegated
OpenID Connect http://openid.net/connect/ • Standard, Specification • Authentication and Authorization
• built on top of OAuth2 (access control) • Identity (Person can have n Identities) • UserInfo Endpoint
Open ID Connect (OIDC) is supported by almost all systems
. Azure AD, Azure B2C, OKTA, IdentityServer4, google accounts, Openiddict, node-oidc-provider
Authentication Authorization Signout Session
OpenID Connect Flows OAuth2 Flows http://openid.net/specs/openid- connect-core-1_0.html OAuth2 Resource Owner
Credentials Flow OpenID Connect Code flow OpenID Connect Hybrid flow OpenID Connect PKCE Authorization Code Flow RFC 7636 OAuth Device Flow
id token token (access token) reference / self contained token
refresh token scope Back-Channel Front-Channel User Agent
OAuth2 Resource Owner Credentials Flow • MC to MC applications
• trusted client • grant_type=client_cred ential&client_id=xxxxx xxxxx&client_secret=xx xxxxxxxx • Limited user cases
OAuth2 Resource Owner Credentials Flow
OpenID Connect Authorization Code flow • Server to server applications
with User • Can keep secrets, is trusted • Client is authenticated • response_type = code
OIDC Authorization Code flow
OIDC Hybrid flow • Mix of the Code and Implicit
Flow • Can be used for Web applications with server side rendering. • response_type = code id_token | code id_token token | code token
OIDC Hybrid flow
Native App PKCE Authorization Code Flow RFC 7636 https://tools.ietf.org/html/rfc 7636
None
Single Page Applications Cookies OIDC Code Flow with PKCE OIDC
Implicit Flow
OpenID Connect Code flow with PKCE • For browser applications,
SPAs • Client is not authenticated, or trusted • response_type = code • NO SECRET
OAuth Device Flow RFC 7636 https://tools.ietf.org/html/dra ft-ietf-oauth-device-flow-12
None
https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth OpenID Connect Hybrid Flow / Code Flow Code
examples
None
None
None
https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth OAuth2 Resource Owner Credentials Flow Code examples
None
None
None
None
Authorization: ASP.NET Core Policies
Authorization is the responsibility of the Application / API, not
the STS. This can be implemented in an separate library.
Standard Requirements Complex Requirements Policies uses Requirements Authorization Handlers
Create a Requirement
Make a Handler
Create a Policy
Apply the Policy (Controller)
Apply the Policy (Razor Page)
Apply a Requirement directly
Handler with Resource
ASP.NET Core Policies, Handlers and Requirements makes it easy to
focus on Authorization
Thank you @damienbod
https://openid.net/developers/specs/ https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660 https://www.npmjs.com/package/angular-auth-oidc-client https://openid.net https://auth0.com/blog/cookies-vs-tokens-definitive-guide https://www.npmjs.com/package/angular-auth-oidc-client https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/authenticate https://scotthelme.co.uk/say-hello-to-security-txt https://csp-evaluator.withgoogle.com/
dotnetday
ymatsuwitter
yuya4
takasyou
asumikam
nyankotaro
tabatad
shuta13
oracle4engineer
kumorn5s
staffrecruiter
yusukebe
syobochim
chrislema
rocio
aarron
greggifford
kristinabergwall1
inesmontani
apolaine
geoffreycrofte
codingconduct
trishagee
danielanewman
axbom
