ASP.NET Core Authentication and Authorization - the Key Concepts - Anders Abel - NDC Oslo 2024

Learn essential auth concepts in ASP.NET Core: authentication pipeline, cookies vs OpenID Connect, policies, token management, and avoiding common security pitfalls.

Key takeaways
  • Authentication and authorization are separate concerns in ASP.NET Core - authentication determines who you are, authorization determines what you’re allowed to do

  • Authentication handlers work through a pipeline of Authenticate/Challenge/Forbid:

    • AuthenticateAsync validates the incoming credential (session cookie, bearer token, ...) and produces the ClaimsPrincipal; it never redirects
    • ChallengeAsync responds to a missing or invalid identity: a redirect to the login page or the remote provider for browser apps, a 401 for APIs
    • ForbidAsync responds to an authenticated user who is not permitted: a 403 for APIs, or a redirect to the access-denied page for cookie authentication
  • Cookie authentication maintains the local session once a user has signed in; OpenID Connect (or another external provider) performs the remote authentication and hands the resulting identity to the cookie handler through its sign-in scheme

  • Named authentication schemes allow configuring multiple auth handlers (e.g. cookies + OpenID Connect) with specific options and behaviors
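A minimal app that puts the pieces above together, as an added example rather than code from the talk: the cookie handler is the default scheme and holds the local session, OpenID Connect is the challenge scheme and does the remote authentication, and the endpoints show where Challenge and Forbid kick in. The authority, client id, secret key, role name and paths are placeholders.

```csharp
// Added example, not from the talk. ASP.NET Core 8 minimal API; the authority, client id
// and configuration key for the secret are placeholders for your own provider's values.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        // Default scheme: AuthenticateAsync reads the session cookie on every request.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Challenge scheme: an anonymous user is sent to the provider, not to a local login page.
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;   // Lax survives the redirect back from the provider
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
        // Forbid on the cookie handler redirects here; only API-style handlers return a bare 403.
        options.AccessDeniedPath = "/denied";
    })
    .AddOpenIdConnect(options =>
    {
        // The remote handler authenticates; the result is persisted by the cookie handler.
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = "https://idp.example.com";                      // placeholder
        options.ClientId = "web-app";                                       // placeholder
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];  // from a secret store, never in source
        options.ResponseType = "code";   // authorization code flow; PKCE is on by default for "code"
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.GetClaimsFromUserInfoEndpoint = true;
        options.MapInboundClaims = false;   // keep JWT claim types ("sub", "role") instead of legacy SOAP URIs
        options.TokenValidationParameters.NameClaimType = "name";
        options.TokenValidationParameters.RoleClaimType = "role";   // makes User.IsInRole() look at "role"
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();   // runs AuthenticateAsync for the default scheme and sets HttpContext.User
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true ? $"Hello {ctx.User.Identity!.Name}" : "anonymous");

// Anonymous request -> ChallengeAsync -> redirect to the provider's authorization endpoint.
app.MapGet("/profile", (HttpContext ctx) => ctx.User.FindFirst("sub")?.Value ?? "")
   .RequireAuthorization();

// Authenticated but not permitted -> ForbidAsync -> /denied (a 403 for bearer-token APIs).
app.MapGet("/admin", async (HttpContext ctx) =>
{
    if (!ctx.User.IsInRole("admin"))   // "admin" is a placeholder role name
    {
        await ctx.ForbidAsync();
        return;
    }
    await ctx.Response.WriteAsync("admin area");
}).RequireAuthorization();

app.MapGet("/denied", () => Results.Text("access denied", statusCode: 403));

app.Run();
```

The point to notice is the split between DefaultScheme and DefaultChallengeScheme: if both were left at the cookie scheme, an anonymous hit on /profile would redirect to the cookie handler's LoginPath (a local page that does not exist here) instead of to the provider; if DefaultScheme were OpenIdConnect, every request would try to authenticate remotely instead of reading the session cookie.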

  • Data protection needs explicit configuration in production:

    • Don’t rely on the default key store (a local per-user or per-app folder, or ephemeral in-memory keys when no folder is writable): it is neither shared across instances nor durable
    • Configure key persistence to a shared location and encryption of the keys at rest
    • Use cloud provider specific solutions (blob storage for the key ring plus a key vault for encrypting it) when available
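The configuration those three points describe, written out as an added example (not the talk's code) for an app deployed on several instances behind a load balancer. The key directory, certificate path, application name and the smoke-test endpoint are assumptions.

```csharp
// Added example, not from the talk. Data protection for an app running on several
// instances; key path and certificate location are placeholders read from configuration.
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Default behaviour to avoid: keys land in a per-user/per-app folder on the local disk (or
// only in memory, with a logged warning, when no such folder is writable). Each instance then
// has its own key ring, so a cookie issued by one instance fails to unprotect on another and
// the user silently becomes anonymous again.
var keyDir = builder.Configuration["DataProtection:KeyPath"] ?? "/srv/app/keys";   // shared, persistent volume
var certPath = builder.Configuration["DataProtection:CertPath"];                 // PFX that wraps keys at rest

var dataProtection = builder.Services.AddDataProtection()
    // Keys are isolated per application name (default: the content root path); set it
    // explicitly so a rename or a second app on the same store cannot read this app's cookies.
    .SetApplicationName("orders-web")
    // Shared location every instance can read and write.
    .PersistKeysToFileSystem(new DirectoryInfo(keyDir))
    // New keys are generated on this cadence; expired keys stay in the ring for unprotecting
    // (but not protecting), so existing sessions survive rotation.
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));

if (certPath is not null)
{
    // The key ring is plain XML; without key encryption anyone who can read the volume can forge cookies.
    var cert = new X509Certificate2(certPath, builder.Configuration["DataProtection:CertPassword"]);
    dataProtection.ProtectKeysWithCertificate(cert);
}
else if (!builder.Environment.IsDevelopment())
{
    // Fail at startup rather than run production with unencrypted keys.
    throw new InvalidOperationException("DataProtection:CertPath is required outside Development");
}

builder.Services.AddAuthentication().AddCookie();   // the cookie handler protects its payload with the ring above

var app = builder.Build();

// Smoke test for a multi-instance deployment: call it once without ?token= on one instance,
// then paste the returned token into ?token= on another; every instance must unprotect it.
app.MapGet("/dp-check", (string? token, IDataProtectionProvider provider) =>
{
    var protector = provider.CreateProtector("dp-check");
    if (token is null)
        return Results.Text(protector.Protect("issued-by-" + Environment.MachineName));
    try
    {
        return Results.Text(protector.Unprotect(token));
    }
    catch (CryptographicException)
    {
        // The issuing instance used a key this instance's ring does not contain.
        return Results.Text("key ring mismatch", statusCode: 500);
    }
});

app.Run();
```

On Azure the same two lines become PersistKeysToAzureBlobStorage and ProtectKeysWithAzureKeyVault from the Azure.Extensions.AspNetCore.DataProtection.Blobs and .Keys packages; the shape of the configuration (shared persistence plus encryption at rest plus an explicit application name) is the same.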
  • ASP.NET Identity provides built-in user management but:

    • Adds significant complexity and scaffolded code
    • Changes the default cookie scheme name (Identity.Application rather than Cookies), which breaks code that assumes CookieAuthenticationDefaults.AuthenticationScheme
    • Consider simpler alternatives, such as plain cookie authentication with an external provider, for basic scenarios
  • Authorization policies can use:

    • Simple requirements (authenticated user, roles, claims)
    • Complex custom logic via RequireAssertion, or a custom requirement with its own handler
    • Multiple requirements combined in one policy (all must succeed)
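The three flavours of policy side by side, as an added example that is not from the talk: simple role and claim requirements, a RequireAssertion that compares a claim against a route value, and a combined policy that includes a custom requirement with its own handler. Claim names follow the OpenID Connect standard claims; the "tenant" claim, route and policy names are assumptions.

```csharp
// Added example, not from the talk. Policies built with the .NET 8 AuthorizationBuilder;
// "birthdate" and "email_verified" are OIDC standard claims, "tenant" is an assumed custom claim.
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication().AddCookie();   // any scheme that yields a ClaimsPrincipal will do

builder.Services.AddAuthorizationBuilder()
    // Simple requirements.
    .AddPolicy("SignedIn", p => p.RequireAuthenticatedUser())
    .AddPolicy("Admin", p => p.RequireRole("admin"))
    .AddPolicy("VerifiedEmail", p => p.RequireClaim("email_verified", "true"))
    // Custom logic: the assertion sees the user and the resource (the HttpContext for endpoint
    // authorization), so it can compare a claim with the tenant segment of the route.
    .AddPolicy("OwnTenant", p => p.RequireAssertion(ctx =>
        ctx.Resource is HttpContext http
        && http.Request.RouteValues.TryGetValue("tenant", out var routeTenant)
        && string.Equals(ctx.User.FindFirst("tenant")?.Value, routeTenant?.ToString(), StringComparison.Ordinal)))
    // Combined requirements: every requirement in the policy must succeed.
    .AddPolicy("AdultVerified", p => p
        .RequireAuthenticatedUser()
        .RequireClaim("email_verified", "true")
        .AddRequirements(new MinimumAgeRequirement(18)));

// The handler for the custom requirement is resolved from DI.
builder.Services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/t/{tenant}/reports", (string tenant) => $"reports for {tenant}").RequireAuthorization("OwnTenant");
app.MapGet("/restricted", () => "ok").RequireAuthorization("AdultVerified");

app.Run();

// Custom requirement: a marker type carrying its parameter...
public sealed record MinimumAgeRequirement(int Years) : IAuthorizationRequirement;

// ...and the handler that evaluates it against the principal.
public sealed class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        // "birthdate" is the OIDC standard claim, formatted yyyy-MM-dd.
        if (DateOnly.TryParseExact(context.User.FindFirst("birthdate")?.Value, "yyyy-MM-dd", out var dob))
        {
            var today = DateOnly.FromDateTime(DateTime.UtcNow);
            var age = today.Year - dob.Year;
            if (today < dob.AddYears(age)) age--;   // birthday not yet reached this year
            if (age >= requirement.Years) context.Succeed(requirement);
        }
        // Deliberately no context.Fail(): a missing or unparsable claim just leaves the requirement
        // unmet, so another handler registered for the same requirement could still satisfy it.
        return Task.CompletedTask;
    }
}
```

RequireAssertion is the quickest route for one-off logic, but it is anonymous and untestable in isolation; once the rule needs unit tests or reuse across policies, the requirement-plus-handler form is the better fit.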
  • Token management for APIs:

    • Request a refresh token (the offline_access scope) so access tokens can be renewed without sending the user back through login
    • Handle token lifetime and renewal: the access token expires independently of the cookie session, so check it before each API call and refresh it when it is close to expiry
    • Use libraries like Duende Access Token Management rather than hand-rolling the refresh logic
  • Single sign-out needs to handle both:

    • Local session termination (clearing the cookie)
    • Remote provider logout (redirecting to the provider’s end-session endpoint, and accepting sign-out requests initiated by the provider)
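Token management and single sign-out both hinge on the same OpenID Connect setting, SaveTokens, so one added example covers both (this is not code from the talk): the refresh token is requested and stored, the Duende library renews the access token for outgoing API calls, and the logout endpoint signs out of both the cookie and the provider. Method names are those of Duende.AccessTokenManagement.OpenIdConnect 3.x and should be checked against the version in use; authority, client id, API address and scope are placeholders.

```csharp
// Added example, not from the talk. Access-token renewal and single sign-out for a cookie +
// OpenID Connect app. Uses the Duende.AccessTokenManagement.OpenIdConnect package (API names
// as of its 3.x release; verify against your version). Authority, client id, API base address
// and the "orders.read" scope are placeholders.
using System.Net;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        // The local session has its own lifetime, independent of the tokens inside it. Keep it
        // no longer than the provider's refresh-token lifetime so the two do not drift apart.
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
    })
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = "https://idp.example.com";   // placeholder
        options.ClientId = "web-app";                    // placeholder
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = "code";
        options.Scope.Add("openid");
        options.Scope.Add("offline_access");   // ask the provider for a refresh token
        options.Scope.Add("orders.read");      // placeholder API scope
        // Persist id/access/refresh tokens in the authentication properties (inside the cookie).
        // Needed both for token renewal and for the id_token_hint sent at sign-out.
        options.SaveTokens = true;
    });

// Library: caches the user's access token, uses the refresh token to renew it shortly before
// expiry, and writes the renewed tokens back into the cookie session.
builder.Services.AddOpenIdConnectAccessTokenManagement(options =>
{
    options.RefreshBeforeExpiration = TimeSpan.FromMinutes(1);
});
// Named HttpClient whose delegating handler attaches (and renews) the current user's token.
builder.Services.AddUserAccessTokenHttpClient("orders-api", configureClient: client =>
{
    client.BaseAddress = new Uri("https://api.example.com/");   // placeholder
});

builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/orders", async (IHttpClientFactory factory) =>
{
    var response = await factory.CreateClient("orders-api").GetAsync("orders");
    if (response.StatusCode == HttpStatusCode.Unauthorized)
    {
        // Refresh failed or the refresh token was revoked: the cookie session is still alive
        // but the remote session is gone. Re-challenge instead of serving a stale identity.
        return Results.Challenge();
    }
    return Results.Text(await response.Content.ReadAsStringAsync());
}).RequireAuthorization();

// Single sign-out, initiated by the app. POST rather than GET so that a link or image tag
// cannot log the user out; protect it with anti-forgery like any other state-changing post.
app.MapPost("/logout", async (HttpContext ctx) =>
{
    // 1. Local: clear the session cookie.
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    // 2. Remote: redirect to the provider's end-session endpoint with id_token_hint (taken
    //    from the saved tokens); the provider then sends the browser back to RedirectUri.
    await ctx.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/signed-out" });
}).RequireAuthorization();

app.MapGet("/signed-out", () => "You are signed out.").AllowAnonymous();

// Sign-out initiated by the provider (front-channel) arrives at the OIDC handler's
// RemoteSignOutPath (default /signout-oidc), which clears the cookie session itself;
// no extra endpoint is needed here.

app.Run();
```

Forgetting either SignOutAsync call is the classic half-logout: clearing only the cookie leaves the provider session alive, so the next challenge silently signs the user straight back in; redirecting only to the provider leaves a valid local cookie, so the app keeps treating the browser as signed in until it expires.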
  • Common pitfalls:

    • Missing data protection configuration (cookies rejected after a restart or on another instance)
    • Confusion around default schemes (DefaultScheme, DefaultChallengeScheme and SignInScheme)
    • Complex scaffolded Identity code
    • Token lifetime management (the cookie session outliving the access token)
    • Session handling across multiple servers (every instance needs the same data protection key ring)