ASP.NET Core Authentication and Authorization - the Key Concepts - Anders Abel - NDC Oslo 2024

Authentication and authorization are separate concerns in ASP.NET Core - authentication determines who you are, authorization determines what you’re allowed to do

Authentication handlers work through a pipeline of Authenticate/Challenge/Forbid:

• AuthenticateAsync validates credentials/tokens
• ChallengeAsync triggers sign-in (e.g. redirect to login)
• ForbidAsync handles unauthorized access (returns 403)

Cookie authentication is used for maintaining local sessions while OpenID Connect/external providers handle remote authentication

Named authentication schemes allow configuring multiple auth handlers (e.g. cookies + OpenID Connect) with specific options and behaviors

Data protection needs explicit configuration in production:

• Don’t rely on default file system storage
• Configure keys persistence and encryption
• Use cloud provider specific solutions when available

ASP.NET Identity provides built-in user management but:

• Adds significant complexity and scaffold code
• Changes default cookie scheme names
• Consider simpler alternatives for basic scenarios

Authorization policies can use:

• Simple requirements (authenticated, roles, claims)
• Complex custom logic via RequireAssertion
• Multiple requirements combined

Token management for APIs:

• Consider refresh token patterns
• Handle token lifetime and renewal
• Use libraries like Duende Access Token Management

Single sign-out needs to handle both:

• Local session termination
• Remote provider logout

Common pitfalls:

• Missing data protection configuration
• Confusion around default schemes
• Complex scaffolded Identity code
• Token lifetime management
• Session handling across multiple servers