Security
The senior bar on security is high — not just "use OAuth," but knowing the dozen ways JWT validation goes wrong, the OIDC flow taxonomy, what Data Protection actually does, and how to map OWASP Top 10 to real ASP.NET Core code.
Topics (canonical order)
-
Cookie / JWT / session / API key, authentication vs authorization
-
alg=none, key confusion, audience, issuer, clock skew,kidhandling, token storage in SPA -
Authorization Code + PKCE, client credentials, refresh, token lifecycle, when each flow applies
-
Duende IdentityServer, OpenIddict, Keycloak, Microsoft Entra — when to pick which
-
Authorization — Policies & Claims
Policy/handler/requirement, resource-based authorization, claims transformation
-
What it actually does, key rings, persistence, multi-instance considerations
-
A1–A10 mapped to concrete .NET defenses
-
User secrets, Key Vault, env vars, managed identity, rotation
-
CSRF defenses, CORS pitfalls, the SameSite story
-
UserManager / RoleManager / SignInManager, password hashing (V3 / Argon2id), lockout, 2FA / TOTP, external login providers, custom user types, migrations
Why this order
AuthN basics → JWT depth (its own file because it's the #1 failure surface) → OAuth/OIDC (the protocol) → IdP comparison (the implementation) → AuthZ (the consequence) → Data Protection (the foundation) → OWASP map (the audit) → secrets (the storage) → antiforgery+CORS (the browser side). Each step depends on the previous.
Cross-references
- JWT pitfalls reference Auth Flows — React + API.
- OAuth flows reference Auth in Blazor.
- Data Protection cross-links to Azure Key Vault & Managed Identity.
- AI security in AI Security builds on these foundations (output validation, PII handling).