Category dotnet

Force step up authentication in web applications

January 26, 2026 · by · in dotnet, e-id, OAuth2, OpenId, Security · 5 Comments

The post shows how to implement a step up authorization using the OAuth 2.0 Step Up Authentication Challenge Protocol RFC 9470. The application uses ASP.NET Core to implement the API, the web application and the identity provider. Duende IdentityServer is used to implement the OpenID Connect server standard and also OAuth DPoP token binding as […]

Implementing Level of Identification (LoI) with ASP.NET Core Identity and Duende

January 18, 2026 · by · in .NET Core, ASP.NET Core, dotnet, e-id, OAuth2, OpenId, Security, Self Sovereign Identity · 5 Comments

This article explores how to implement Level of Identification (LOI) in an ASP.NET Core application. The solution uses Duende IdentityServer as the OpenID Connect provider and ASP.NET Core Identity for user management. Identity verification is performed using the Swiyu Public Beta infrastructure. Any OpenID Connect client can consume the loi claim together with the loa […]

Implement a secure MCP server using OAuth and Entra ID

September 23, 2025 · by · in .NET, .NET Core, ASP.NET Core, dotnet, Entra CIAM, MCP, Microsoft Entra External ID, OAuth2, Open AI, OpenId · 2 Comments

The article shows how to implement a secure model context protocol (MCP) server using OAuth and Entra ID. The MCP server is implemented using ASP.NET Core and uses Microsoft Entra ID to secure the API. An ASP.NET Core application using Azure OpenAI and semantic kernel is used to implement the MCP client for the agent […]

Handling OpenID Connect error events in ASP.NET Core

June 2, 2025 · by · in .NET, .NET Core, ASP.NET Core, dotnet, OAuth2, Security · 1 Comment

ASP.NET Core provides great extension points for handling OpenID Connect error events. This blog looks at implementing error handling in an ASP.NET Core application implemented using ASP.NET Core Identity. Code: https://github.com/damienbod/IdentityExternalErrorHandling Setup The application uses OpenID Connect to implement the authentication of the user identities. This implements a standard OpenID Connect flow and uses Microsoft […]

ASP.NET Core delegated Microsoft OBO access token management (Entra only)

March 25, 2025 · by · in .NET, .NET Core, App Service, Azure, dotnet, Microsoft Entra ID, OAuth2, Security · 1 Comment

This blog shows how to implement a delegated Microsoft On-Behalf-Of flow in ASP.NET Core, and has a focus on access token management. The solution uses Microsoft.Identity.Web to implement the different flows and it really simple to implement, when you know how to use the Nuget package and use the correct Microsoft documentation. The application can […]

Customizing a single client sign-in using parameters in Duende IdentityServer

February 17, 2025 · by · in .NET, .NET Core, ASP.NET Core, dotnet, OAuth2, Security · 2 Comments

This post looks at customizing the sign-in UI and the sign-in options in an ASP.NET Core application using Duende IdentityServer and ASP.NET Core Identity. There are multiple ways of changing the look and feel of the UI for different OpenID Connect clients or different client flows. In the previous post, the UI was customized per […]

ASP.NET Core user application access token management

January 20, 2025 · by · in .NET Core, ASP.NET Core, dotnet, OAuth2, Security · 3 Comments

This article looks at management application access tokens in an ASP.NET Core web application. Any application with or without a user can use application access tokens as long as the application can persist the tokens in a safe way. Code: https://github.com/damienbod/token-mgmt-ui-application Blogs in this series Setup The ASP.NET Core web application authenticates using OpenID Connect […]

ASP.NET Core user delegated access token management

January 15, 2025 · by · in .NET Core, ASP.NET Core, dotnet · 3 Comments

The article looks at managing user delegated access tokens for a downstream API in an ASP.NET Core web application. There are many ways of implementing this, all with advantages and disadvantages. The tokens are requested from an OpenID Connect server using the recommended standards. In this blog, the UI access token from the application authentication […]

Implement OpenID Connect Back-Channel Logout using ASP.NET Core, Keycloak and .NET Aspire

September 9, 2024 · by · in ASP.NET Core, dotnet, OAuth2, Security · 1 Comment

This post shows how to implement an OpenID Connect back-channel logout using Keycloak, ASP.NET Core and .NET Aspire. The Keycloak and the Redis cache are run as containers using .NET Aspire. Two ASP.NET Core UI applications are used to demonstrate the server logout. Code: https://github.com/damienbod/keycloak-backchannel Setup The applications are run and tested using .NET Aspire. […]

Sonar Webinar, end to end security of a web application

June 11, 2024 · by · in .NET Core, angular, ASP.NET Core, Azure, dotnet, Microsoft Entra ID, OAuth2, Security, Typescript · 1 Comment

I did a Webinar on application security with Denis Troller and Sonar. I would like to thank Sonar for this opportunity, I really enjoyed it and found doing this together with you really professional, pleasant and fun to do. Here’s the recording: Link to the Sonar Q&A: https://community.sonarsource.com/t/webinar-end-to-end-security-in-a-web-application/115405 Link to the repository: https://github.com/damienbod/EndToEndSecurity

Older posts