Tag Archives: Security

Securing Azure Functions using API Keys

August 17, 2020 · by · in .NET Core, App Service, Azure, Azure functions, Serverless, Web · 3 Comments

This article shows how to secure Azure Functions using API Keys. This is useful, if you have no control over the API client implementation, the client code base cannot be easily changed or the client is not Azure hosted. This should only be used with trusted clients and is for machine to machine usage. Code: […]

Restricting access to an Azure AD protected API using Azure AD Groups

June 13, 2020 · by · in .NET Core, ASP.NET Core, Azure · 3 Comments

This post shows how to restrict access to an ASP.NET Core API to only allow users from a defined Azure AD group to use a protected API. The API uses an Azure App registration for authorization. The user signs in with an ASP.NET Core Razor page application or an Angular App and can access the […]

Using HTTP Request Routes, Request Body, and Query string parameters for Authorization in ASP.NET Core

December 2, 2019 · by · in .NET Core, ASP.NET Core, ASPNET5, dotnet · 2 Comments

This post shows how HTTP route parameters, a HTTP request body or HTTP request query string parameters can be used for authorization in ASP.NET Core. Code: https://github.com/damienbod/AspNetCoreWindowsAuth Authorization using ASP.NET Core Route parameters An AuthorizationHandler can be used to implement authorization logic in ASP.NET Core. The handler can authorize HTTP requests using a route parameter […]

User claims in ASP.NET Core using OpenID Connect Authentication

November 1, 2019 · by · in .NET Core, ASP.NET Core, MVC · 9 Comments

This article shows two possible ways of getting user claims in an ASP.NET Core application which uses an OpenID Connect server. Both ways have advantages and require setting different code configurations in both applications. Code: https://github.com/damienbod/AspNetCoreHybridFlowWithApi History The Microsoft.AspNetCore.Authentication.OpenIdConnect Nuget package can be used to support OpenID Connect in an ASP.NET Core application. This needs […]

Securing a Web API using multiple token servers

October 25, 2019 · by · in .NET, .NET Core, ASP.NET Core, MVC, OAuth2, Security, Web · 1 Comment

This article shows how a single secure Web API could be used together with multiple secure token servers. The API uses JWT Bearer token authentication, but because the access token come from different token servers, the tokens validation need to be changed. Code: https://github.com/damienbod/ApiJwtWithTwoSts Using multiple Authorities with shared certitficate The first way this can […]

Securing an ASP.NET Core Razor Page App using OpenID Connect Code flow with PKCE

October 11, 2019 · by · in ASP.NET Core, MVC, OAuth2, Security · 8 Comments

This article shows how to secure an ASP.NET Core Razor Page application using the Open ID Connect code flow with PKCE (Proof Key for Code Exchange). The secure token server is implemented using Duende IdentityServer but any secure token server (STS) can be used which supports PKCE. Code: https://github.com/damienbod/AspNetCoreHybridFlowWithApi See WebCodeFlowPkceClient project. History An ASP.NET […]

Certificate Authentication in ASP.NET Core 3.1

June 13, 2019 · by · in .NET Core, ASP.NET Core, MVC, OAuth2, Security · 28 Comments

This article shows how Certificate Authentication can be implemented in ASP.NET Core 3.1. In this example, a shared self signed certificate is used to authenticate one application calling an API on a second ASP.NET Core application. Code https://github.com/damienbod/AspNetCoreCertificateAuth Posts in this series Certificate Authentication in ASP.NET Core 3.1 (Self Signed) Using Chained Certificates for Certificate […]

Securing browser based Javascript, Typescript applications

April 2, 2019 · by · in angular, javascript, MVC, OAuth2, Security, SignalR, Typescript, UI, Web · 2 Comments

This article should help you in choosing the right security for your browser based Javascript or Typescript applications. You should aim to secure the application as best as possible. The following diagram should help you in making your decision. Also for any of these flows, you should always use HTTPS. Appendix SPA: Single page application […]

Security Experiments with gRPC and ASP.NET Core 5

March 6, 2019 · by · in .NET Core, ASP.NET Core, OAuth2, Security · 10 Comments

This article shows how a gRPC service could implement OAuth2 security using IdentityServer4 as the token service. Code: https://github.com/damienbod/Secure_gRpc Posts in this series Security Experiments with gRPC and ASP.NET Core 5 Running Razor Pages and a gRPC service in a single ASP.NET Core application gRPC Bi-directional streaming with Razor Pages and a Hosted Service gRPC […]

ASP.NET Core OAuth Device Flow Client with IdentityServer4

February 20, 2019 · by · in .NET, .NET Core, ASP.NET Core, MVC, OAuth2, Security, Web · 5 Comments

This article shows how to implement the OAuth 2.0 Device Flow for Browserless and Input Constrained Devices in an ASP.NET Core application. The tokens are then saved to a cookie for later usage. IdentityServer4 is used to implement the secure token server. Code: https://github.com/damienbod/AspNetCoreHybridFlowWithApi History 2020-12-11 Updated to .NET 5 2019-10-06 Updated to .NET Core […]

Older posts Newer posts