Category Security

Is a SPA less secure than a server rendered web application?

In this post, I try to explain some of the differences between a single page application and a server rendered application and why the application types have different threat models. What is an Single Page Application (SPA)? A single page application runs in the browser, and handles routing in the client without posting back to […]

Securing Angular applications using the OpenID Connect Code Flow with PKCE

In this post, I show how an Angular application could be secured using the OpenID Connect Code Flow with Proof Key for Code Exchange (PKCE). The Angular application uses the OIDC lib angular-auth-oidc-client. In this example, the src code is used directly, but you could also use the npm package. Here’s an example which uses […]

Deploying ASP.NET Core App Services using Azure Key Vault and Azure Resource Manager templates

This article shows how to create an Azure Resource Manager (ARM) template which uses an Azure Key Vault. The ARM template is used to deploy an ASP.NET Core application as an Azure App Service. By using an Azure Resource Group project, the secret app settings can be fetched from the Azure Key Vault during deployment, […]

Using Azure Key Vault with ASP.NET Core and Azure App Services

This article shows how to use an Azure Key Vault with an ASP.NET Core application deployed as an Azure App Service. The Azure App Service can use the system assigned identity to access the Key Vault. This needs to be configured in the Key Vault access policies using the service principal. Code: https://github.com/damienbod/AspNetCoreBackChannelLogout Posts in […]

OpenID Connect back-channel logout using Azure Redis Cache and IdentityServer4

This article shows how to implement an OpenID Connect back-channel logout, which uses Azure Redis cache so that the session logout will work with multi instance deployments. Code: https://github.com/damienbod/AspNetCoreBackChannelLogout Posts in this series: OpenID Connect back-channel logout using Azure Redis Cache and IdentityServer4 Using Azure Key Vault with ASP.NET Core and Azure App Services Deploying […]

Implementing User Management with ASP.NET Core Identity and custom claims

The article shows how to implement user management for an ASP.NET Core application using ASP.NET Core Identity. The application uses custom claims, which need to be added to the user identity after a successful login, and then an ASP.NET Core policy is used to authorize the identity. Code: https://github.com/damienbod/AspNetCoreAngularSignalRSecurity Setting up the Project The demo […]

Implementing a multi-tenant OIDC Azure AD external login for IdentityServer4

This article shows how to setup a multi-tenant Azure AD external login for IdentityServer4 which uses ASP.NET Core Identity. Code: IdentityServer4 app with Identity Setting up the Azure AD Application registration for multiple tenants An Azure AD Application registration needs to be setup for the Active Directory tenant. Login to the Azure portal and switch […]