In this talk, we'll dive into the basics of authentication from an ASP.NET developer's perspective. If words like "JWT", "claims", "OAuth", "OpenID", "authentication server", "refresh tokens", etc. confuse you, then this talk is for you. We'll also peek into identity platforms like Auth0, Okta, Azure AD B2C, IdentityServer, etc., which are commonly used with ASP.NET. Finally, we'll walk through some best practices and checklists. All slides & code samples will be publicly shared after the presentation.
Author: Mithun Shanbhag
twitter: @MithunShanbhag
blog: mithunshanbhag.github.io
App Type                Channels     User Interaction  Client Secret  response_type field  Recommended Flow
Single Page Apps        Front        Yes               No             “token id_token”     Implicit
Server-Side Web Apps    Front, Back  Yes               Yes            “code”               Authorization Code
Native Apps             Front, Back  Yes               Yes            “code”               Authorization Code/PKCE
CLI, daemons, services  Back         No                Yes            N/A                  Client Credentials
Legacy Apps             Front, Back  No                No             N/A                  Resource Owner/Password
PKCE:
  Proof Key for Code Exchange
  Code verifier, code challenge
Client Credentials:
  Directly call the /token endpoint with client id + client secret, get access_token back
Resource Owner Password:
  Directly call the /token endpoint with username + password, get access_token back