Build a secure Angular client using ASP.NET Core and OAuth

What is the resource owner password credentials grant? How can I secure my Angular client using OAuth and JWT bearer tokens? In this post I will focus on the resource owner password credentials grant, a different kind of credential flow supported by the OAuth protocol, and how it can be used to secure certain resources on an Angular application. Similarly to previous post, I will create the authorization server from scratch, then the resource server, a simple ASP.NET Core RESTful API, and finally the Angular 6 application, with all the bits and pieces required to prevent unauthorized access.

Continue reading

ASP.NET Core API authentication using JWT bearer tokens

What is OAuth 2.0 and how its flows can be applied for securing my applications? What does a token do and how it is useful in securing API’s? Is there any way to implement all these nice and easy in ASP.NET Core? In this post I will cover these topics, by first discussing about why token based security is so successful in security scenarios, and the OAuth protocol play in this. We’ll see more closely one of OAuth flows, the client credentials flow and implement it to secure an ASP.NET Web API application.

Continue reading

ASP.NET Core 2.0 Authentication with Azure Active Directory B2C

In today’s post of ASP.NET Core 2.0 Authentication series, I am going to discuss about Azure Active Directory B2C, a service provided by Microsoft Azure for identity access and management.
In previous post, I talked about Azure Active Directory and how useful it is in corporate scenarios, however B2C is a better option for external user access and identity management, with powerful features such as support for various identity providers, policies and many more.

I will first briefly discuss about Azure AD B2C, what is it and how it is different from standard Azure AD. Then I am going to show you how to setup a tenant on Azure Portal, how to configure an identity provider, GitHub in this scenario, and how to setup policies. In the last part, I will show you how to configure your application to authenticate users using Azure AD B2C and how to handle failure events.

Continue reading

ASP.NET Core 2.0 Authentication with Azure Active Directory

In previous posts of this series, ASP.NET Core 2.0 Authentication, I talked about local logins, where you have your own identity management solution and also social logins, where you work with social media or third party providers to sign in users in your application. In this one, I am going to talk about Azure Active Directory, which is a cloud based solution for identity management and how you can make this work with your ASP.NET Core 2.0 application.

Continue reading

ASP.NET Core 2.0 Authentication with local logins – Implementing custom authorization policies

This post is part of a series on ASP.NET Core 2.0 Authentication and I am going to talk about authorization policies, something different from what we’ve seen so far in the series, as most of posts are focusing in authorization.

I will show how to secure certain resources based on specific criteria on user’s claims.

Continue reading

ASP.NET Core 2.0 Authentication with local logins – Responding to backend changes

ASP.NET Core 2.0 makes it very easy and straightforward to setup a cookie authentication mechanism in your application. Framework provides numerous ways to achieve that, with or without ASP.NET Core Identity membership system.

This post is part of a series on ASP.NET Core 2.0 Authentication and I am about to talk about cookie events and how to respond to them.
Continue reading

ASP.NET Core 2.0 Authentication with local logins – Implementing claims transformation

ASP.NET Core 2.0 makes it very easy and straightforward to setup a cookie authentication mechanism in your application. Framework provides numerous ways to achieve that, with or without ASP.NET Core Identity membership system.

This post is part of a series on ASP.NET Core 2.0 Authentication and I am about to talk about cookie authentication and claims transformation.
Continue reading

Cookies

ASP.NET Core 2.0 Cookie Authentication – Local logins

ASP.NET Core 2.0 makes it very easy and straightforward to setup a cookie authentication mechanism in your application. Framework provides numerous ways to achieve that, with or without ASP.NET Core Identity membership system.

This post is part of a series on ASP.NET Core 2.0 Authentication and I am about to talk Cookie Authentication without ASP.NET Core Identity. I will show how to setup, login and logout using local logins, a custom implementation of a membership system. In the coming examples I will show how to simply secure your ASP.NET Core 2.0 MVC application using cookies and in-memory stored users, though they could be stored anywhere, database, flat files, etc.
In coming blog posts I am going to show a more appropriate way to do the local login authentication, using a database, signing-up users, transforming their claims, etc., but first let’s see something quick and simple.
Continue reading