Workshop: OAuth, OpenID Connect & .NET – the Good Parts
OAuth has been around for more than 10 years and has become the standard protocol for token-based security. Like every popular technology that has grown along with its requirements, some parts of it work really well, and some have not quite stood the test of time.
With the upcoming OAuth 2.1 revision, the protocol has been streamlined and simplified, and the specification has been updated to meet modern application and security requirements. At the same time, ASP.NET Core and .NET in general have excellent support for implementing an OAuth-based security system.
This full-day workshop teaches you all the OAuth you need, using the most common and practical techniques and libraries in the .NET ecosystem. Besides looking at the built-in features of (ASP).NET, we will use Duende IdentityServer, and we will learn how to secure native/desktop and web applications as well as SPAs, Blazor WASM applications, APIs and daemons.
Agenda
Intro
- OAuth history and motivation
- OAuth terminology and architecture
- OAuth 2.1
- Typical protocol flows and application scenarios
Machine to Machine Communication
- Client Credentials Flow
- Access tokens
- Token Management
- Simplifying protocol interactions with IdentityModel
- Automatic token management
Securing APIs
- JWT Bearer authentication handler for ASP.NET
- Authorization policies
Interactive Applications
- Authorization Code Flow
- Proof Key for Code Exchange (PKCE)
- The need for OpenID Connect
- Session management
- Refresh tokens
- Automatic token management with Duende.AccessTokenManagement
- Writing web applications using ASP.NET
Bringing it all together
- Integrating various applications into one coherent architecture
- Identity Providers & token services
- Federation gateways
- Daemons
- Web applications
- Native/desktop applications (e.g. Windows desktop or mobile apps)
- SPAs / Blazor applications