This course has been updated to explain security in ASP.NET Core 2. ASP.NET Core security shouldn't be an afterthought when designing an application. Learn how to mitigate common attacks and implement encryption, authentication, and authorization.
Learn how to make your ASP.NET Core app secure in this course. First you'll learn about common attacks and how to mitigate them with NWebSec. You'll learn the ins and outs of the new encryption API and how to protect secrets with the secret manager. Authentication is covered by explaining ASP.NET Core Identity as well as implementing a token service with IdentityServer. Finally you'll see that ASP.NET Core's authorization system is now policy based.
Course Overview
Hi everyone, my name is Roland Guijt and welcome to my course Understanding ASP.NET Core Security. I'm an MVP, independent software architect, developer and trader based in the Netherlands. Security of web applications is now more important than ever. In this course you'll learn the aspects of ASP.NET Core security and how to efficiently integrate them in your projects. Some of the major topics I will cover include protecting your app against common attacks, such as cross-site scripting and clickjacking, encrypting sensitive data with the brand new data protection API, authenticating users for a single application but also in a centralized way with a token service, and how to write access rules to limit access to your application using ASP.NET Core's new authorization system. By the end of this course you will be ready to secure your application by efficiently applying threat protection, encryption, authentication and authorization. Before beginning the course you should be familiar with ASP.NET Core. Get up to speed with all the goodness that is in ASP.NET Core security here at Pluralsight.
Understanding the Data Protection API and the Secret Manager
This module is about data protection in ASP.NET Core and the secret manager. First, you'll see how encryption worked in earlier versions of ASP.NET and what disadvantages it has. Afterwards, we'll see the much-improved data protection API now present in ASP.NET Core. And finally, we will see what the techniques are to store secrets, such as database passwords, at development time.
Implementing Authentication with ASP.NET Core Identity
In the next two modules, I'll present two ways to implement authentication in your application. The first one is about ASP.NET Core Identity, which lets you implement local authentication. That means the actual authentication is done by the application itself, things like registering the user and logging in and out. You can completely customize the ASP.NET Core Identity framework if needed, and its features include: account lockouts, generation of tokens used to send in an email to let the user reset the password, for example, two-factor authentication, and external authentication providers, like Google and Facebook.
Centralized Authentication with a Token Service
When you have multiple apps and web APIs in an application landscape it is neither efficient nor desirable to have each application do its own authentication. You will want one centralized service called a token service to handle that for all apps simultaneously in a way that adheres to the going standards. In this module we'll take a look at what a token service is exactly, and what roles OAuth2 and OpenID Connect play. Of course, we're going to build a token service using the IdentityServer framework and we're going to configure the ConfArch project and other applications to use it. You'll learn about tokens and the different kinds there are, and about the typical endpoints of a token service. And just like ASP.NET Core Identity, we're going to configure external authentication providers for your token service to work with.
Applying Authorization
We've already seen the Authorize attribute in action. We used it to allow access to controllers and actions only when a user is authenticated. In this module, we'll explore the possibilities to do more sophisticated authorization, based on claims, roles, resources, and in views. I'll show you how to do this in multiple application types: the ConfArch web application and the APIs. I will use the ConfArch solution with the token service with in-memory configuration as a basis for the demos.