Understanding ASP.NET Core Security

This course has been updated to explain security in ASP.NET Core 2. ASP.NET Core security shouldn't be an afterthought when designing an application. Learn how to mitigate common attacks and implement encryption, authentication, and authorization.
Course info
Rating: (96)
Level: Intermediate
Updated: Mar 8, 2017
Duration: 3h 6m
Table of contents
Course Overview
Protecting Your Application Against Common Attacks
Understanding the Data Protection API and the Secret Manager
Implementing Authentication with ASP.NET Core Identity
Centralized Authentication with a Token Service
Applying Authorization
Description

Learn how to make your ASP.NET Core app secure in this course. First, you'll learn about common attacks and how to mitigate them with NWebSec. Then you'll learn the ins and outs of the new data protection (encryption) API and how to protect secrets with the Secret Manager. Authentication is covered by explaining ASP.NET Core Identity as well as by implementing a token service with IdentityServer. Finally, you'll see that ASP.NET Core's authorization system is now policy based.

About the author

Roland is a Microsoft MVP with a constant curiosity about new techniques in software development. His focus is on all things .NET and browser technologies.

Section Introduction Transcripts

Course Overview
Hi everyone, my name is Roland Guijt and welcome to my course, Understanding ASP.NET Core Security. I'm an MVP, independent software architect, developer and trainer based in the Netherlands. Security of web applications is now more important than ever. In this course you'll learn the aspects of ASP.NET Core security and how to efficiently integrate them in your projects. Some of the major topics I will cover include: protecting your app against common attacks, such as cross-site scripting and clickjacking; encrypting sensitive data with the brand new data protection API; authenticating users for a single application, but also in a centralized way with a token service; and how to write access rules to limit access to your application using ASP.NET Core's new authorization system. By the end of this course you will be ready to secure your application by efficiently applying threat protection, encryption, authentication and authorization. Before beginning the course you should be familiar with ASP.NET Core. Get up to speed with all the goodness that is in ASP.NET Core security here at Pluralsight.

Understanding the Data Protection API and the Secret Manager
This module is about data protection in ASP.NET Core and the Secret Manager. First, you'll see how encryption worked in earlier versions of ASP.NET and what disadvantages it has. Afterwards, we'll see the much-improved data protection API now present in ASP.NET Core. And finally, we will see what the techniques are to store secrets, such as database passwords, at development time.

Implementing Authentication with ASP.NET Core Identity
In the next two modules, I'll present two ways to implement authentication in your application. The first one is about ASP.NET Core Identity, which lets you implement local authentication. That means the actual authentication is done by the application itself: things like registering the user and logging in and out. You can completely customize the ASP.NET Core Identity framework if needed, and its features include account lockouts, generation of tokens to send in an email to let the user reset the password, for example, two-factor authentication, and external authentication providers like Google and Facebook.

Centralized Authentication with a Token Service
When you have multiple apps and web APIs in an application landscape, it is neither efficient nor desirable to have each application do its own authentication. You will want one centralized service, called a token service, to handle that for all apps simultaneously in a way that adheres to the going standards. In this module we'll take a look at what a token service is exactly, and what roles OAuth2 and OpenID Connect play. Of course, we're going to build a token service using the IdentityServer framework, and we're going to configure the ConfArch project and other applications to use it. You'll learn about tokens and the different kinds there are, and about the typical endpoints of a token service. And just like with ASP.NET Core Identity, we're going to configure external authentication providers for your token service to work with.

Applying Authorization
We've already seen the Authorize attribute in action. We used it to allow access to controllers and actions only when a user is authenticated. In this module, we'll explore the possibilities to do more sophisticated authorization, based on claims, roles and resources, and in views. I'll show you how to do this in multiple application types: the ConfArch web application and the APIs. I will use the ConfArch solution with the token service with in-memory configuration as a basis for the demos.