OpenID Connect and To Practice over ASP.NET Core

Posted by o.atoui on August 15, 2023

Please note that this is a draft for personal use, it misses some extended explanation and details, but I think it will be useful as an initial startup

1.   Useful Resources with comments

Recent trends for securing web APIs and Web Apps are dependent on the OAuth 2.0 with OpenID Connect protocols. Below are useful resources to understand the theory and the architecture. Additionally, some of them could help to implement Authentication and Authorization systems to secure ASP Core apps. The popular way is the utilization of Asp Core Identity with IdentityServer4.

1.1.     The official Microsoft documentation (Continuous)

Make it your main handbook,

·      For Microsoft Identity check the link

·      To review the security that is specific to ASP .NET Core check

//TODO: put most important points related to ASP .NET Core API, such as Shared Cookies, Authorization, and Authentication...

1.2.     The Official IdentityServer4 Documentation (Continues)

1.3.     Introduction to understand the OAuth 2.0 and OpenID Connect

It is important to have a clear definition of the OAuth and OpenID Connect (OIDC). Like many developers, they used them in the wrong way. To avoid such wrong definitions, check the links below:

-       Remove fear by to gain a necessary terminology and nutshell explanation. You will also find some useful resources in the video description. You can also read this small article which I find useful


-       For a deep review, I highly recommend starting with a video presented by Dr. Philippe De Ryck that mainly gave a clear definition for them and explained the different recommended flows for authentication and authorization. Notice that you should focus as much as you can to understand the different proposed flows, as they are essential to rich the highest levels of the security process for your apps


-       Introduction to OAuth 2.0 and OpenID Connect • Philippe De Ryck • GOTO 2018

You can download the slides from the link Slides to extract the flows diagrams.

Also, you can watch another video for the same presenter that talks about the different API Security pitfalls

1.3.1.    Authentication and Authorization flow

-       Broad explanation given in

1.4.     OpenID Connect and OAuth 2.0 specifically in ASP .NET Core

1.4.1.    An introduction to OpenID Connect in ASP.NET Core:  

{Not well reviewed}

It also has some other useful links that may appear as a series of tutorials.

1.4.2.    OAuth2 implicit flow with AngularJs and core 2.0 Identityserver4

It also has some other useful links that may appear as a series of tutorials.

1.4.3.    IdentityServer 4 By Scott Brady  




1.4.4.    PART 1 IdentityServer4 ASP.NET Core Identity


1.5.     Additional Terminologies

1.5.1.    Proof Key for Code Exchange (PKCE)


1.5.2.    Refresh Token


-       An in-depth look at refresh tokens in the browser


2.   Angular OIDC and OAuth 2.0 client

2.1.     angular-oauth2-oidc – used by ABP IO – seems awesome

It has an official documentary in 

-       Code Sample

2.2.     angular-auth-oidc-client

2.3.     oidc-client [seems old]

used by Jason Taylor CleanCode Template but feel not recommended now

3.   Additional Resources

Authentication as a Microservice