ASP.NET Core Authentication and Authorization - the Key Concepts - Anders Abel - NDC Oslo 2024
Learn essential auth concepts in ASP.NET Core: authentication pipeline, cookies vs OpenID Connect, policies, token management, and avoiding common security pitfalls.
-
Authentication and authorization are separate concerns in ASP.NET Core - authentication determines who you are, authorization determines what you’re allowed to do
-
Authentication handlers work through a pipeline of Authenticate/Challenge/Forbid:
- AuthenticateAsync validates credentials/tokens
- ChallengeAsync triggers sign-in (e.g. redirect to login)
- ForbidAsync handles an authenticated user who lacks permission (returns 403 rather than triggering another login)
-
Cookie authentication is used for maintaining local sessions while OpenID Connect/external providers handle remote authentication
-
Named authentication schemes allow configuring multiple auth handlers (e.g. cookies + OpenID Connect) with specific options and behaviors
-
Data protection needs explicit configuration in production:
- Don’t rely on default file system storage
- Configure keys persistence and encryption
- Use cloud provider specific solutions when available
-
ASP.NET Identity provides built-in user management but:
- Adds significant complexity and scaffold code
- Changes default cookie scheme names
- Consider simpler alternatives for basic scenarios
-
Authorization policies can use:
- Simple requirements (authenticated, roles, claims)
- Complex custom logic via RequireAssertion
- Multiple requirements combined
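The three kinds of policy listed above in one `Program.cs`, as an added example that is not code from the talk. The claim types (`department`, `birthdate`, `mfa`) and role names are assumptions chosen for illustration; a cookie handler is registered only so the app builds and runs stand-alone.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Minimal authentication so the policies have a principal to evaluate (cookie is the default scheme).
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();

builder.Services.AddAuthorization(options =>
{
    // Simple requirement: any authenticated user.
    options.AddPolicy("SignedIn", p => p.RequireAuthenticatedUser());

    // Simple requirements: a role (any of the listed) plus a claim with a specific value.
    // Claim and role names are assumptions for this example.
    options.AddPolicy("Finance", p => p
        .RequireRole("Accountant", "Controller")
        .RequireClaim("department", "finance"));

    // Custom logic via RequireAssertion: the context exposes the user (and the resource, if any).
    options.AddPolicy("AdultUser", p => p.RequireAssertion(ctx =>
    {
        // "birthdate" follows the OpenID Connect YYYY-MM-DD format; missing or unparsable => deny.
        var raw = ctx.User.FindFirst("birthdate")?.Value;
        return DateOnly.TryParse(raw, out var dob)
            && dob.AddYears(18) <= DateOnly.FromDateTime(DateTime.UtcNow);
    }));

    // Multiple requirements combined: every requirement must pass (logical AND).
    options.AddPolicy("FinanceAdmin", p => p
        .RequireAuthenticatedUser()
        .RequireRole("Admin")
        .RequireClaim("department", "finance")
        .RequireAssertion(ctx => ctx.User.HasClaim("mfa", "true")));

    // Fallback: endpoints with no explicit policy still require a signed-in user,
    // so forgetting RequireAuthorization() fails closed instead of open.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/health", () => "ok").AllowAnonymous();           // opt out of the fallback explicitly
app.MapGet("/reports", () => "finance reports").RequireAuthorization("Finance");
app.MapGet("/age-gated", () => "adults only").RequireAuthorization("AdultUser");
app.MapGet("/admin", () => "finance admin").RequireAuthorization("FinanceAdmin");

// Evaluating a policy imperatively, e.g. inside a handler that must decide per resource.
app.MapGet("/check", async (HttpContext ctx, IAuthorizationService authz) =>
{
    var result = await authz.AuthorizeAsync(ctx.User, resource: null, policyName: "Finance");
    return result.Succeeded ? Results.Ok("allowed") : Results.Forbid(); // Forbid => ForbidAsync => 403
});

app.Run();
```

An unauthenticated request to `/reports` produces a challenge (redirect to login); an authenticated user without the finance claim produces a forbid (403). The fallback policy is the safer default because it turns a forgotten `RequireAuthorization()` into a denial rather than an anonymous endpoint.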
-
Token management for APIs:
- Consider refresh token patterns
- Handle token lifetime and renewal
- Use libraries like Duende Access Token Management
-
Single sign-out needs to handle both:
- Local session termination
- Remote provider logout
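How the pieces above fit together: a `Program.cs` that registers cookies as the local session scheme and OpenID Connect as the challenge scheme, configures data protection explicitly, and exposes a single sign-out endpoint that ends both the local and the remote session. This is an added example, not code from the talk; the authority, client id, application name, key-ring path and certificate files are placeholders.

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Data protection keys encrypt the auth cookie. Every server that must read the cookie
// needs the same key ring, so persist it to shared storage and encrypt it at rest
// instead of relying on the default per-machine file system location.
// (Application name, path and certificate files are placeholders.)
builder.Services.AddDataProtection()
    .SetApplicationName("my-web-app")
    .PersistKeysToFileSystem(new DirectoryInfo("/srv/shared/dp-keys"))
    .ProtectKeysWithCertificate(
        X509Certificate2.CreateFromPemFile("dp-cert.pem", "dp-key.pem"));

builder.Services.AddAuthentication(options =>
{
    // Default scheme: AuthenticateAsync reads the local session cookie.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // Challenge scheme: ChallengeAsync redirects to the OpenID Connect provider.
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Lax;   // Lax so the redirect back from the provider carries it
    options.ExpireTimeSpan = TimeSpan.FromHours(1);
    options.SlidingExpiration = true;
    // ForbidAsync on the cookie scheme redirects here instead of starting another login.
    options.AccessDeniedPath = "/access-denied";
})
.AddOpenIdConnect(options =>
{
    options.Authority = "https://idp.example.test";                     // placeholder provider
    options.ClientId = "my-web-app";                                    // placeholder client
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];  // from configuration, not source
    options.ResponseType = "code";
    options.SaveTokens = true;             // keep access/refresh tokens in the cookie session
    options.Scope.Add("offline_access");   // request a refresh token for later renewal
    options.GetClaimsFromUserInfoEndpoint = true;
    // Remote sign-in creates the local cookie session; remote sign-out clears it.
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.SignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}")
   .RequireAuthorization();

app.MapGet("/access-denied", () => Results.StatusCode(403));

// Single sign-out: terminate the local session, then send the browser to the provider's
// end-session endpoint so the remote session ends as well. RedirectUri tells the provider
// where to return the user afterwards.
app.MapPost("/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/signed-out" });
}).RequireAuthorization();

app.MapGet("/signed-out", () => "Signed out locally and at the provider.");

app.Run();
```

The logout endpoint is a POST so a cross-site GET cannot log users out. Sign-out initiated by the provider (front-channel logout) is handled by the OpenID Connect handler at its default `RemoteSignOutPath` (`/signout-oidc`) without extra code, provided the provider is configured with that URL.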
-
Common pitfalls:
- Missing data protection configuration
- Confusion around default schemes
- Complex scaffolded Identity code
- Token lifetime management
- Session handling across multiple servers