Please note that this is a draft for personal use; it is missing some extended explanation and details, but I think it will be useful as an initial starting point.
Recent approaches to securing web APIs and web apps rely on the OAuth 2.0 and OpenID Connect protocols. Below are useful resources for understanding the theory and the architecture. Some of them also help with implementing authentication and authorization systems to secure ASP.NET Core apps. The popular approach is to use ASP.NET Core Identity together with IdentityServer4.
Make it your main handbook:
· For Microsoft Identity, check https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
· To review the security topics specific to ASP.NET Core, check https://docs.microsoft.com/en-us/aspnet/core/security/?view=aspnetcore-5.0
//TODO: add the most important points related to the ASP.NET Core API, such as shared cookies, authorization, and authentication...
IdentityServer4 documentation: http://docs.identityserver.io/en/latest/index.html
It is important to have a clear definition of OAuth and OpenID Connect (OIDC). Many developers use them in the wrong way. To avoid such misconceptions, check the links below:
- Get over the initial fear with https://www.youtube.com/watch?v=t18YB3xDfXI to gain the necessary terminology and a nutshell explanation. You will also find some useful resources in the video description. You can also read this short article, which I find useful: https://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/
- For a deep review, I highly recommend starting with the video presented by Dr. Philippe De Ryck, which gives a clear definition of both and explains the different recommended flows for authentication and authorization. Focus as much as you can on understanding the different proposed flows, as they are essential to reaching the highest level of security for your apps.
- Introduction to OAuth 2.0 and OpenID Connect • Philippe De Ryck • GOTO 2018
You can download the slides from the Slides link to extract the flow diagrams.
You can also watch another video by the same presenter that covers common API security pitfalls: https://www.youtube.com/watch?v=Ss1tZjooo9I.
- A broad explanation is given in https://auth0.com/docs/flows#authorization-code-flow-with-proof-key-for-code-exchange-pkce-
{Not well reviewed}
https://andrewlock.net/an-introduction-to-openid-connect-in-asp-net-core/
It also contains other useful links that form a series of tutorials.
https://damienbod.com/2015/11/08/oauth2-implicit-flow-with-angular-and-asp-net-5-identity-server/
It also contains other useful links that form a series of tutorials.
- https://www.scottbrady91.com/OAuth/Cheat-Sheet-OAuth-for-Browser-Based-Applications
https://deblokt.com/2019/09/23/04-part-1-identityserver4-asp-net-core-identity/
- https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
- https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
- An in-depth look at refresh tokens in the browser
https://github.com/manfredsteyer/angular-oauth2-oidc
It has official documentation at https://manfredsteyer.github.io/angular-oauth2-oidc/docs/index.html
- Code sample: https://www.angulararchitects.io/aktuelles/authentication-in-angular-2-with-oauth2-oidc/
https://github.com/damienbod/angular-auth-oidc-client
https://github.com/IdentityModel/oidc-client-js
Used by Jason Taylor's CleanCode template, but I feel it is not recommended now.
Authentication as a Microservice
https://auth0.com/docs/protocols/openid-connect-protocol