Identity & Access Control for modern Applications and APIs using ASP.NET 10

Modern application design is more complex than it was a decade or two ago. A modern application is expected to be mobile-first and cloud-based. Microsoft’s answer to these demands was to create ASP.NET Core. A decade later, ASP.NET Core has matured into a trusted development platform covering all components needed in a modern application architecture.

Multi-platform, microservices, multi-client, and highly-mobile users bring a set of challenges that were not present a decade ago. A modern application cannot be secured just by handling access control in the single UI of the application, because there is no longer any single UI. There are web applications, mobile apps and APIs that are exposed to partners and third-party developers. Internally, an application often consists of multiple microservices calling each other. These services are also frequently reused between different applications and externally visible APIs.

To properly secure this landscape, a zero-trust approach is required. There should be a verifiable proof of the end user (or end machine) identity for any user session established or API.

This workshop is your chance to dive into all these security-related technologies. Learn how to securely connect native and browser-based applications to your back-ends and integrate them with enterprise identity management systems as well as social identity providers and services.

After attending this workshop you will have a good understanding of the concepts and will be ready to start implementing a modern identity and access management solution tailored to your organization’s needs.

You will learn:

• The ASP.NET Core Authentication and Authorization System Design Principles.
• How to use external authentication and offer single sign-on and single logout.
• How to securely call APIs on behalf of the authenticated user.
• The principles of the OpenID Connect and OAuth 2.0 Protocols.
• An overview on how to configure, customize, and deploy Duende IdentityServer.

Day 1: Authentication

• ASP.NET Core Fundamentals
• Claims
• Authentication
• Cookie-Based Sessions
• Data Protection
• Authorization
• Tokens
• External Authentication in ASP.NET Core
• Identities and Identifiers
• Account and Identity Linking
• External Login Callback Pattern

Day 2: OpenID Connect (OIDC) & OAuth 2.0

• OpenID Connect
  • Clients
  • Scopes
• Web Application Patterns
  • Single Sign On / Single Sign Off
  • Federation Gateway
  • Home Realm Discovery
• Protecting APIs with OAuth 2.0
  • Machine-to-Machine
  • Interactive Applications
  • Authorization Code Flow
  • Proof Key Code Exchange
  • Token Lifetime Management & Refresh Tokens
• Client Application Types
  • Server-Side Web Apps
  • Single Page Applications
  • Backend-for-Frontend (BFF) Pattern
  • Mobile/Native Apps

Computer Setup:
Attendees will need to bring a computer with the latest .NET Core SDK and the IDE of their choice (e.g. Visual Studio) installed.