When building applications with .NET's dependency injection container, misconfigured services can lead to runtime exceptions that only surface when a particular code path is executed.| The art of simplicity
Today, when building web applications, security has to be a top priority. An easy mistake to make is forgetting to add the [Authorize] attribute to controllers or actions inside your ASP.NET Core backend. This creates a security vulnerability where sensitive pages become accessible to unauthenticated users.| The art of simplicity
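One way to close that gap, as an added example that is not code from the linked post: register a fallback authorization policy so every endpoint requires an authenticated user unless it explicitly opts out. The JWT bearer configuration and the two endpoints are assumptions for illustration.

```csharp
// Added example (not from the linked post). Assumes the
// Microsoft.AspNetCore.Authentication.JwtBearer package and a configured
// "Authentication:Schemes:Bearer" section; the endpoints are illustrative.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer();

builder.Services.AddAuthorization(options =>
{
    // The fallback policy is evaluated for every endpoint that carries no
    // authorization metadata of its own, so a forgotten [Authorize] now yields
    // 401/403 instead of an anonymous page. (DefaultPolicy is different: it only
    // applies where [Authorize] is present without a named policy.)
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

builder.Services.AddControllers();

var app = builder.Build();

// Order matters: authentication and authorization must run before endpoints execute.
app.UseAuthentication();
app.UseAuthorization();

// Public endpoints must now opt out explicitly; everything else is protected by default.
app.MapGet("/health", () => Results.Ok("ok")).AllowAnonymous();

// No attribute and no RequireAuthorization() call: the fallback policy still applies.
app.MapGet("/reports", (HttpContext ctx) => Results.Ok(ctx.User.Identity?.Name));

app.MapControllers();
app.Run();
```

Two checks worth adding alongside this: an integration test that calls a protected route without a token and asserts a 401, and a review of every `[AllowAnonymous]` in the code base, since the attribute on a controller class opts out all of its actions, including ones added later.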
The article demonstrates how to implement a secure MCP OAuth desktop client using Microsoft Entra ID. The MCP server is built with ASP.NET Core and secured using Microsoft Entra ID. The MCP client …| Software Engineering
In this post I discuss fallback endpoints and show how adding metadata to MVC or Razor Page fallback endpoints has some quirks to be aware of| Andrew Lock | .NET Escapades
When working with Entity Framework Core, understanding change tracking behavior is crucial for both performance and data consistency. While I was aware of the AsNoTracking() method, I discovered a lesser-known but powerful alternative, AsNoTrackingWithIdentityResolution(), during a code review.| The art of simplicity
Welcome to the final post in our file upload security series. We've covered content type validation, file size validation, and file signature validation—each providing a crucial layer of defense. Today, we're implementing the final and most sophisticated protection: malware scanning using Windows Antimalware Scan Interface (AMSI).| The art of simplicity
In our previous posts, we covered content type validation and file size validation as the first two layers of defense in our file upload security pipeline. Today, we're diving into what I consider the most critical validation step: file signature validation, also known as "magic number" validation. This is where we stop trusting what files claim to be and start verifying what they actually are.| The art of simplicity
In the first post of this series, we explored how content type validation serves as the first line of defense against malicious file uploads. Today, we're tackling another critical security concern: file size validation and why it's essential for protecting your application from resource exhaustion attacks.| The art of simplicity
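The size check and the signature check from the two posts above, combined into one validator as an added example; this is not the series' own code. The signature table, the 5 MiB limit and the call site are assumptions for illustration.

```csharp
// Added example (not from the series' own code). The signature table and the
// 5 MiB limit are assumptions; extend both to the types your application accepts.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

public static class UploadValidator
{
    public const long MaxBytes = 5L * 1024 * 1024;

    // Declared content type -> accepted leading byte sequences ("magic numbers").
    private static readonly Dictionary<string, byte[][]> Signatures =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["image/png"]       = new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
            ["image/jpeg"]      = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
            ["application/pdf"] = new[] { new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D } }, // "%PDF-"
        };

    public static (bool Ok, string Reason) Validate(string declaredContentType, long declaredLength, Stream content)
    {
        // Layer 1: allow-list on the declared type. The value comes from the client and
        // is untrusted, which is exactly why layer 3 verifies the bytes.
        if (declaredContentType is null || !Signatures.TryGetValue(declaredContentType, out var accepted))
            return (false, "content type not allowed");

        // Layer 2: reject empty and oversized bodies before touching the content.
        if (declaredLength <= 0 || declaredLength > MaxBytes)
            return (false, $"file must be between 1 and {MaxBytes} bytes");

        // Layer 3: read only as many leading bytes as the longest candidate signature needs.
        // Stream.Read may return fewer bytes than requested, so loop until full or EOF.
        int longest = accepted.Max(s => s.Length);
        var header = new byte[longest];
        int read = 0;
        while (read < longest)
        {
            int n = content.Read(header, read, longest - read);
            if (n == 0) break; // file shorter than the signature
            read += n;
        }

        bool matches = accepted.Any(sig =>
            read >= sig.Length && header.AsSpan(0, sig.Length).SequenceEqual(sig));

        return matches
            ? (true, "ok")
            : (false, "file content does not match declared type");
    }
}

// Illustrative call site for an ASP.NET Core minimal API (IFormFile exposes Length and ContentType):
//   app.MapPost("/upload", async (IFormFile file) =>
//   {
//       await using var stream = file.OpenReadStream();
//       var (ok, reason) = UploadValidator.Validate(file.ContentType, file.Length, stream);
//       return ok ? Results.Ok() : Results.BadRequest(reason);
//   });
```

Two caveats. First, by the time an `IFormFile` is bound the multipart body has already been read, so the size limit must also be enforced earlier with Kestrel's `MaxRequestBodySize` or `FormOptions.MultipartBodyLengthLimit`, otherwise the oversized upload is buffered before this check runs. Second, a magic number only proves the prefix: a polyglot file can start with a valid PNG header and carry hostile content later, which is why the series treats scanning as a separate layer and why uploads should be served with a fixed Content-Type and Content-Disposition from a location that never executes them.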
File upload functionality is a common feature in web applications, but it's also one of the most common attack vectors. A recent security review of our applications revealed some vulnerabilities in our file upload handling that needed our attention. This is the first post in a series where I'll share how we systematically secured our file upload functionality.| The art of simplicity
The article shows how to implement a secure model context protocol (MCP) server using OAuth and Entra ID. The MCP server is implemented using ASP.NET Core and uses Microsoft Entra ID to secure the …| Software Engineering
In this post I describe a small native AOT .NET tool that I built to force a Windows PC to go to sleep after a timer expires| Andrew Lock | .NET Escapades
.NET Full Framework updates on your server(s) become available as Windows Updates and can be pushed through centralized tools like Microsoft...| bartwullems.blogspot.com
Due to the licensing changes for AutoMapper, we decided to make the switch to Mapster. Although most changes were rather obvious and easy t...| bartwullems.blogspot.com
As I gladly accept any kind of performance improvement I can get in my applications, I like to use the System.Text.Json source generator to ...| bartwullems.blogspot.com
In this post I walk through the process of solving a native library loading issue on alpine with an old .NET runtime, showing the steps we took and the solution| Andrew Lock | .NET Escapades
In this post I discuss the new TUnit testing framework, why I ported one of my libraries to use it instead of xUnit and related issues I had to deal with| Andrew Lock | .NET Escapades
Some identity providers use the EdDSA / Ed25519 algorithm to sign and issue tokens. This post shows how to validate the tokens using the NuGet package from ScottBrady and ASP.NET Core. Using the default OpenID Connect setup, the keys are not read and the tokens cannot be validated. The error message could return something like […]| Software Engineering
Last week I finally started my journey with Microsoft.Extensions.AI after having used only Semantic Kernel for all my agentic AI workflows...| bartwullems.blogspot.com
This post looks at implementing an OpenID Connect client in ASP.NET Core and requiring a level of authentication (LoA) implemented using Keycloak. The applications are hosted using Aspire. The LoA is…| Software Engineering
For the last 2 days I have been struggling with a breaking change I had in my ASP.NET Core web api that caused the consuming application to ...| bartwullems.blogspot.com
This post looks at an alternative way of implementing a native app authentication and authorization. At present, a web browser is used to implement authentication of native applications when using OAuth and OpenID Connect. The alternative approach implemented in the post is based on the OAuth 2.0 for First-Party Applications draft and adapted to be […]| Software Engineering
ASP.NET Core provides great extension points for handling OpenID Connect error events. This blog looks at implementing error handling in an ASP.NET Core application implemented using ASP.NET Core I…| Software Engineering
In this post I describe how I converted the deployment method of the mailing-list manager listmonk from a docker-compose.yml file to an Aspire app host project| Andrew Lock | .NET Escapades
This blog post shows how an ASP.NET Core Identity application can integrate and implement multiple external identity providers. An OIDC client UI uses the solution and is implemented using Duende IdentityServer. The same scheme is used for all the external providers and mapped to the identity for the client UI and the application. Using OpenID […]| Software Engineering
This blog looks at implementing client assertions for the client credentials flow using OAuth 2.0 Demonstration of Proof-of-Possession (DPoP). The client credentials flow is an OAuth 2.0 authorizat…| Software Engineering
In this post I use Microsoft's new .NET AI template to ingest the contents of a website and create a chatbot that can answer questions with citations| Andrew Lock | .NET Escapades
In this post I explore the new .NET AI Chat Web App template (currently in preview) and take a brief look at the implementation it provides| Andrew Lock | .NET Escapades
This blog implements client assertions using an OAuth client credential flow in ASP.NET Core. Client assertions provide a secure way for client authentication without sharing a secret, enhancing th…| Software Engineering
This blog shows how to implement a delegated Microsoft On-Behalf-Of flow in ASP.NET Core, and has a focus on access token management. The solution uses Microsoft.Identity.Web to implement the diffe…| Software Engineering
This post shows how to implement phone (SMS) verification and two-factor authentication (2FA) using ASP.NET Core Identity. The solution integrates phone-based verification and 2FA mechanisms. The i…| Software Engineering
Client assertions are a method of client authentication which can be used in OpenID Connect. This provides an alternative to client secrets. This approach enhances security by using signed tokens (J…| Software Engineering
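What the client-side half of the client credentials flow with client assertions looks like, covering both the client credentials post and the one directly above; this is an added example, not code from either post. It assumes the System.IdentityModel.Tokens.Jwt package; the client id, token endpoint and key id are placeholders.

```csharp
// Added example (not from the posts). Assumes the System.IdentityModel.Tokens.Jwt
// package; the client id, token endpoint and key id are placeholders. In production
// the private key lives in a key store or HSM, not in process memory.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class ClientAssertion
{
    public const string AssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    // Builds a private_key_jwt client assertion (RFC 7523 / OpenID Connect Core section 9).
    public static string Create(string clientId, string tokenEndpoint, RSA privateKey, string keyId)
    {
        var key = new RsaSecurityKey(privateKey) { KeyId = keyId }; // kid lets the IdP pick the right public key
        var credentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
        var now = DateTime.UtcNow;

        var jwt = new JwtSecurityToken(
            issuer: clientId,            // iss and sub are both the client_id
            audience: tokenEndpoint,     // aud: the token endpoint that will consume the assertion
            claims: new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, clientId),
                // jti must be unique so the IdP can reject a replayed assertion
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
            },
            notBefore: now,
            expires: now.AddMinutes(1),  // short-lived: it is used once, immediately
            signingCredentials: credentials);

        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Form body for the token request; note that no client_secret is sent.
    public static Dictionary<string, string> TokenRequest(string clientId, string assertion, string scope)
        => new()
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = clientId,
            ["client_assertion_type"] = AssertionType,
            ["client_assertion"] = assertion,
            ["scope"] = scope,
        };
}

// Illustrative use:
//   using var rsa = RSA.Create(2048);
//   var assertion = ClientAssertion.Create("my-client", "https://idp.example/connect/token", rsa, "key-1");
//   var form = new FormUrlEncodedContent(ClientAssertion.TokenRequest("my-client", assertion, "api.read"));
//   // POST form to the token endpoint with HttpClient. The IdP verifies the signature against
//   // the public key (JWK) registered for "my-client"; only the public half ever leaves the client.
```

The security gain over a shared secret is that the verifier holds nothing that can be used to impersonate the client: a leaked IdP database or log exposes public keys only. The DPoP post listed above builds on this by additionally binding the issued access token to a key the client proves possession of.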
This blog shows how to implement a delegated OAuth 2.0 Token Exchange RFC 8693 flow in ASP.NET Core, and has a focus on access token management. It looks at how the OAuth Token Exchange can be impl…| Software Engineering
In this post I show how to emit your source generator output to disk, so you can include it in source control and code reviews.| Andrew Lock | .NET Escapades
This article looks at managing application access tokens in an ASP.NET Core web application. Any application with or without a user can use application access tokens as long as the application ca…| Software Engineering
The article looks at managing user delegated access tokens for a downstream API in an ASP.NET Core web application. There are many ways of implementing this, all with advantages and disadvantages. …| Software Engineering
Revisiting an article about how I got triggered after somebody exclaimed that WCF had lower response times than ASP.NET Web API and ASP.NET Core MVC.| Erik Heemskerk
How does WCF, a 13-year-old mega-abstraction framework, hold up against the modern, lean ASP.NET Core? You’d be surprised.| Erik Heemskerk
Somebody published a new version of a NuGet package with a different assembly name. You’ll never guess what happens next.| Erik Heemskerk
MSBuild seems to have issues with transitive NuGet dependencies, but after a deep dive into the build logs, it turns out to be more subtle.| Erik Heemskerk
In this post I describe the experimental interceptor support in NetEscapades.EnumGenerators that replaces ToString() calls with ToStringFast() automatically| Andrew Lock | .NET Escapades
This post shows how to implement a Swagger UI using a .NET 9 produced OpenAPI file. The Swagger UI is deployed to a secure or development environment and is not deployed to a public production targ…| Software Engineering
This post implements a basic ASP.NET Core API using .NET 9 and the Microsoft OpenAPI implementation. The OpenAPI NuGet package supports both Controller based APIs and minimal APIs. Until now, we us…| Software Engineering
This article shows how an ASP.NET Core application can control the write access to an Azure blob storage container using an application app registration. Microsoft Entra ID is used to control the u…| Software Engineering
In this post I describe some important things to think about when designing your incremental source generator, particularly the pitfalls to watch out for| Andrew Lock | .NET Escapades
Let’s see how it’s implemented. For why it is implemented, see Part I. The FxCop code analyzers get upset if I don’t declare this, which also impedes me from using unsigned numeral…| x += x++
The main idea is to use ETW events to detect when a GC occurs and to call a user-provided delegate at that point. You can then do whatever you want in the delegate (i.e. shut down the process, s…| x += x++
.NET 8 RC2 is now available with new NuGet package READMEs for .NET packages, simple CLI-based project evaluation for MSBuild, publishing containers to tar.gz archives, and Tensor Primitives for .NET.| .NET Blog
Technical blog of Microsoft certified developer James Hickey. Helping you reach the next step of your career as a software developer!| blog.jamesmichaelhickey.com