When you're building an ASP.NET Core MVC web app or API, you'll want to secure it sooner than later. In this course, you'll learn how to utilize OAuth2 and OpenID Connect, today's widely-used standards, to help you achieve your goals efficiently.
Knowing how to secure applications is important, but knowing why we make certain decisions is, arguably, even more important. In this course, Securing ASP.NET Core with OAuth2 and OpenID Connect, you'll learn the ins and outs of OAuth2 and OpenID Connect (OIDC), being today's widely-used standards. First, you'll explore what these standards entail, and how you can integrate their implementations in ASP.NET Core. Next, you'll discover how to secure both a web app and an API, from integrating OIDC support to working with authorization policies, handling credentials, and going live. Finally, you'll learn how to use, configure, and extend IdentityServer4. By the end of this course, you'll have the necessary knowledge to efficiently secure your ASP.NET applications.
Course Overview Hi, I'm Kevin. Welcome to this Pluralsight course, Securing ASP. NET Core with OAuth2 and OpenID Connect. I'm a solution architect focused to APIs and security and a Microsoft MVP. Securing applications has always been important but maybe even more so today with applications living outside of company walls and being used in a variety of devices. But at the same time it has become increasingly harder to secure these applications. In this course, you'll learn how to secure your ASP. NET core web applications and APIs using modern-day standards like OAuth2 and OpenID Connect. You'll learn what these standards entail and what they can be used for. We'll use IdentityServer4 throughout the course starting with integrating it with an ASP. NET core web app, right up to securely calling an ASP. NET core API. We'll cover working with claims but also authorization policies and access control. You'll also learn how to deal with expiration and token replication. But we won't stop there. We'll cover dealing with credentials including custom user stores, Windows credentials, and integrating with social providers like Facebook. You'll also learn how to implement 2-factor authentication. We'll end the course with a module on what to take care of when going to production. After this course, you'll have a thorough understanding of what you should take care of when securing your ASP. NET core applications and how to do it.
Introduction Hi there, and welcome to this Pluralsight course, Securing ASP. NET Core with OAuth2 and OpenID Connect. My name is Kevin and I'll guide you through this course. This course is a pretty deep dive into the subject. You'll not just learn how to secure web app and API, but you'll also learn why we make certain decisions and what the potential trade-offs are. The why is probably even more important than the how when talking about security, so I hope you'll find that as important as I do. First of all, we'll have a look at the Course Prerequisites and Tooling. After that, we're starting with the part on Application Architectures Security. This is a short dive into the history of how applications were built and how they were secured. This will help us understand why what we used to do when securing apps isn't efficient anymore these days, and how OAuth2 and OpenID Connect fit into the story. Then we'll learn why using a central identity provider is important and we'll introduce Oauth2 and OpenID Connect. If you happen to have any questions, the best place to pose them is on the Discussion tab on the course page. I check this regularly and like that the questions and answers can help other people out as well. For very short questions that require a quick answer, you can contact me on Twitter, or just follow me if you want to know about my upcoming courses, usergroup events, technical links, and the occasional picture of the family cat. Let's have a look at the prerequisites.
Understanding Authentication with OpenID Connect Hi there and welcome to the Understanding Authentication with OpenID Connect module from the securing ASP. net Core with OAuth2 and OpenID Connect course at Pluralsight. I'm Kevin, and I'll guide you through this module. Starting this module with a high-level perspective of how OIDC works, and then we're covering the concepts related to it, confidential and public clients, the various endpoints, and the flows or grants. When that's finished, we can already start setting up our identity provider, IdentityServer4.
Securing Your Web Application Hi there. And welcome to the Securing Our Web Application module from the Securing ASP. NET Core with OAuth2 and OpenID Connect course at Pluralsight. I'm Kevin and I'll guide you through this module. In this module, we'll dive into securing our web application. We just learned the hybrid flow is advised for our app. So we'll start by detailing it. After that, we'll use it to log in. And we'll see how we can get identity claims and identity token. And whether or not that's a good idea. An alternative is using the userinfo endpoint to get identity claims, which is what we'll look at next. And that leaves us with the last few demos of the module, logging out. Let's start by looking into the hybrid flow.
Working with Claims in Your Web Application Hello, and welcome to the Working with Claims in Our Web Application module from the Securing ASP. NET Core with OAuth and OpenID Connect course at Pluralsight. I'm Kevin, and I'll guide you through this module. And this module is focused on working with claims, as the title implies. We'll look into transformation first. Claims returned from an identity provider are sometimes renamed to other claims, for example, because the application was built with those claim names in mind. In fact, by default, the claims returned from the identity provider are already renamed to other claim types before they end up in our claims identity. We will ensure that that's no longer the case. And often, an application doesn't even need all the returned claims from the token, so we'll also see how we can handle that. We learned about the userinfo endpoint in the previous module, but there we left it to the middleware to call it. We can also call this manually to get additional claims that are only required by a specific part of the application. And lastly, we'll look into what we can do with a role claim. But let's start with transforming our claims.
Understanding Authorization with OAuth2 and OpenID Connect Hi there, and welcome to the Understanding Authorization with OAuth2 and OpenID Connect module from the Securing ASP. NET Core with OAuth2 and OpenID Connect course at Pluralsight. I'm Kevin, and I'll guide you through this module. We're starting this module with an explanation of how OAuth2 works, but quickly after that, we'll learn why it's actually better to use OpenID Connect, which supersedes OAuth2. We talked about this a few times before in this course. In this module we will learn why it's the case. And once we know that we can check out how you can use OpenID Connect for authentication and authorization. After that we'll dive into the OAuth2 flows, and we'll inspect an access token. Let's start with looking into how OAuth2 works.
Securing Your API Hi there, and welcome to the Securing Our API module from the Securing ASP. NET Core with OAuth2 and OpenID Connect Course at Pluralsight. I'm Kevin, and I'll guide you through this module. In this module, we'll learn how to secure our API. We'll start by checking out that hybrid flow again in more detail, this time including an access token. Then, we'll dive right into the demos. We'll learn how we can pass an Access Token to the API on each request, and we'll learn how to validate that token at the level of the API. Then, we'll check out what to keep an eye out for when reading, creating, updating and deleting resources. All of these have slightly different things to keep into account. Lastly, we'll look at how we can include identity-related claims in an Access Token, because that will allow us to use Role-based Authorization at level of the API. Let's dive in.
Authorization Policies and Access Control Hi there, and welcome to the Authorization Policies and Access Control Module, from the securing ASP. NET Core we go out to an OpenID Connect course at Pluralsight. I'm Kevin and I'll guide you through this module. We've worked with role-based authorization at level of the web app and API. But these days another type of access control is preferred. Attribute-based access control or ABAC. That's done use in combination with an authorization policy in ASP. NET Core. These allow us not to just replace a few pieces of role-based authorization. When used correctly they result in a full-fledged authorization layer. In this module, we'll look into that, both at level of the web client and at API level. For starters, let's have a look at the differences between role-based access control and attribute-based access control.
Advanced Topics Hi and welcome to the advanced topics module from the Securing ASP. NET Core with OAuth2 and OpenID Connect Course at Pluralsight. I'm Kevin and I'll guide you through this module. In this module, we'll look into token lifetimes for both identity tokens and access tokens. From that, we'll learn how to work with refresh tokens to get a new access token when an access token has expired. Sometimes the need to might exist for admins to revoke tokens ad hoc instead of waiting for an access token to expire. We'll add that ability by working with reference tokens. And lastly we'll look into all that token validation logic we talked about quite a few times in the previous modules. But let's dive into token lifetimes first.
Dealing with Credentials Hi there and welcome to the Dealing with Credentials module from the Securing your ASP. NET Core Application with OAuth2 and OpenID Connect course at Pluralsight. I'm Kevin and I'll guide you through this module. This module is all about dealing with user credentials. Up until now, we've worked with in-memory test users but that's not a realistic scenario. A lot of companies have a custom user database so we'll need to connect IdentityServer to that. We'll learn how to create a custom user store and use it from IdentityServer. That means that in this module and in the next one, we'll dive into the quickstart we added when first setting up IdentityServer. Next to connecting to an existing user store, we'll also check out how we can handle user registration. Let's dive in.
Dealing with External Identity Providers and 2FA Hi there, and welcome to the Dealing with External Identity Providers and 2-Factor Authentication module from the Securing ASP. NET Core with an OAuth2 and OpenED connect course at Pluralsight. I'm Kevin, and I'll guide you through this module. In this module, we'll continue with different authentication strategies. You don't always want to force a user to choose a password to store in your own database. A user might want to log in with Windows credentials, or externally available applications might want to integrate social identity providers with IdentityServer, so, a user can log in with his or her Facebook account. In this module, we'll cover all of this. Lastly, there's 2-factor, or even multi-factor identification. To achieve better security than a simple username and password combination, applications now ask users to provide a second, or even a third factor of authentication. An example is a code that's sent to you via email or text message. We'll learn how to achieve 2-factor using IdentityServer. But let's start by looking into external identity providers.
Getting Ready for Production Hi there, and welcome to the Getting Ready for Production module from the Securing ASP. Net Core with OAuth2, and OpenID Connect course at Pluralsight. I'm still Kevin and I'll guide you through this module. In this last module, we'll learn what we have to take care of before going to production. We've been working with a temporary signing credential, up until now. When going live, this should be replaced by a signing certificate. We'll learn why and how. IdentityServer uses configuration data, like Scopes and Clients, and operational data, like tokens and codes, to correctly function, but we currently don't use a persistence layer for that. We learn why we should and how to do it. Let's dive in.