Tag Archives: Security

User claims in ASP.NET Core using OpenID Connect Authentication

This article shows two possible ways of getting user claims in an ASP.NET Core application which uses an IdentityServer4 service. Both ways have advantages and require setting different code configurations in both applications. Code: https://github.com/damienbod/AspNetCoreHybridFlowWithApi To use OpenID Connect in an ASP.NET Core application, the Microsoft.AspNetCore.Authentication.OpenIdConnect package can be used. This needs to be added […]

Securing a Web API using multiple token servers

This article shows how a single secure Web API could be used together with multiple secure token servers. The API uses JWT Bearer token authentication, but because the access token come from different token servers, the tokens validation need to be changed. Code: https://github.com/damienbod/ApiJwtWithTwoSts Using multiple Authorities with shared certitficate The first way this can […]

Securing an ASP.NET Core Razor Page App using OpenID Connect Code flow with PKCE

This article shows how to secure an ASP.NET Core Razor Page application using the Open ID Connect code flow with PKCE (Proof Key for Code Exchange). The secure token server is implemented using IdentityServer4 but any STS could be used which supports PKCE. Code: https://github.com/damienbod/AspNetCoreHybridFlowWithApi History 2020-12-11 Updated to .NET 5 An ASP.NET Core 5 […]

Certificate Authentication in ASP.NET Core 3.1

This article shows how Certificate Authentication can be implemented in ASP.NET Core 3.1. In this example, a shared self signed certificate is used to authenticate one application calling an API on a second ASP.NET Core application. Code https://github.com/damienbod/AspNetCoreCertificateAuth Posts in this series Certificate Authentication in ASP.NET Core 3.1 (Self Signed) Using Chained Certificates for Certificate […]

Securing browser based Javascript, Typescript applications

This article should help you in choosing the right security for your browser based Javascript or Typescript applications. You should aim to secure the application as best as possible. The following diagram should help you in making your decision. Also for any of these flows, you should always use HTTPS. Appendix SPA: Single page application […]

Security Experiments with gRPC and ASP.NET Core 5

This article shows how a gRPC service could implement OAuth2 security using IdentityServer4 as the token service. Code: https://github.com/damienbod/Secure_gRpc Posts in this series Security Experiments with gRPC and ASP.NET Core 5 Running Razor Pages and a gRPC service in a single ASP.NET Core application gRPC Bi-directional streaming with Razor Pages and a Hosted Service gRPC […]

ASP.NET Core OAuth Device Flow Client with IdentityServer4

This article shows how to implement the OAuth 2.0 Device Flow for Browserless and Input Constrained Devices in an ASP.NET Core application. The tokens are then saved to a cookie for later usage. IdentityServer4 is used to implement the secure token server. Code: https://github.com/damienbod/AspNetCoreHybridFlowWithApi History 2020-12-11 Updated to .NET 5 2019-10-06 Updated to .NET Core […]

Is a SPA less secure than a server rendered web application?

In this post, I try to explain some of the differences between a single page application and a server rendered application and why the application types have different threat models. What is an Single Page Application (SPA)? A single page application runs in the browser, and handles routing in the client without posting back to […]

Using Azure Key Vault with ASP.NET Core and Azure App Services

This article shows how to use an Azure Key Vault with an ASP.NET Core application deployed as an Azure App Service. The Azure App Service can use the system assigned identity to access the Key Vault. This needs to be configured in the Key Vault access policies using the service principal. Code: https://github.com/damienbod/AspNetCoreBackChannelLogout Posts in […]

Implementing User Management with ASP.NET Core Identity and custom claims

The article shows how to implement user management for an ASP.NET Core application using ASP.NET Core Identity. The application uses custom claims, which need to be added to the user identity after a successful login, and then an ASP.NET Core policy is used to authorize the identity. Code: https://github.com/damienbod/AspNetCoreAngularSignalRSecurity History 2021-01-25 Updated Angular 11.1.0 .NET […]