Security | Software Engineering
Posts about Security written by damienbod| Software Engineering
Posts about Authentication written by damienbod| Software Engineering
2 posts published by damienbod during January 2025| Software Engineering
2 posts published by damienbod during March 2025| Software Engineering
3 posts published by damienbod during August 2025| Software Engineering
This post looks at implementing a cookie reset in an ASP.NET Core application using Duende identity server which federates to Entra ID. Sometimes cookies need to be reset for end users due to size problems, or unknown remote authentication server errors. The cookies can be cleared and a new sign in can be forced. Code: […]| Software Engineering
Some identity providers use the EdDSA / ED25519 algorithm to sign and issue tokens. This post shows how to validate the tokens using the Nuget package from ScottBrady and ASP.NET Core. Using the default OpenID Connect setup, the keys are not read and the tokens cannot be validated. The error message could return something like […]| Software Engineering
This post shows how to issue and verify identities (verifiable credentials) using the Swiss Digital identity and trust infrastructure, (swiyu), ASP.NET Core and .NET Aspire. The swiyu infrastructur…| Software Engineering
Posts about OpenId connect written by damienbod| Software Engineering
Posts about Azure storage written by damienbod| Software Engineering
Posts about aspnetcore dotnet written by damienbod| Software Engineering
This article shows how to onboard different clients or organizations in an ASP.NET Core application to use separated Azure blob containers with controlled access using security groups and RBAC appl…| Software Engineering
4 posts published by damienbod during February 2024| Software Engineering
This post looks at implementing an OpenID Connect client in ASP.NET Core and require a level of authentication (LoA) implemented using Keycloak. The applications are hosted using Aspire. The LoA is…| Software Engineering
4 posts published by damienbod during February 2025| Software Engineering
This post looks at an alternative way of implementing a native app authentication and authorization. At present, a web browser is used to implement authentication of native applications when using OAuth and OpenID Connect. The alternative approach implemented in the post is based on the OAuth 2.0 for First-Party Applications draft and adapted to be […]| Software Engineering
ASP.NET Core provides great extension points for handling OpenID Connect error events. This blog looks at implementing error handling in an ASP.NET Core application implemented using ASP.NET Core I…| Software Engineering
This blog looks at implementing a strong Content Security Policy (CSP) in web applications implemented using Blazor and ASP.NET Core. When implementing CSP, I always recommend using a CSP nonce or at least CSP hashes. If a technical stack does not support CSP nonces, you should probably avoid using this solution when implementing secure and […]| Software Engineering
This blog post shows how an ASP.NET Core Identity application can integrate and implement multiple external identity providers. An OIDC client UI uses the solution and is implemented using Duende IdentityServer. The same scheme is used for all the external providers and mapped to the identity for the client UI and the application. Using OpenID […]| Software Engineering
This blog looks at implementing client assertions for the client credentials flow using OAuth 2.0 Demonstration of Proof-of-Possession (DPoP). The client credentials flow is an OAuth 2.0 authorizat…| Software Engineering
This blog implements client assertions using an OAuth client credential flow in ASP.NET Core. Client assertions provide a secure way for client authentication without sharing a secret, enhancing th…| Software Engineering
This blog shows how to implement a delegated Microsoft On-Behalf-Of flow in ASP.NET Core, and has a focus on access token management. The solution uses Microsoft.Identity.Web to implement the diffe…| Software Engineering
This post shows how to implement phone (SMS) verification and two-factor authentication (2FA) using ASP.NET Core Identity. The solution integrates phone-based verification and 2FA mechanisms. The i…| Software Engineering
Client assertions is a method of client authentication which can be used in OpenID Connect. This provides an alternative to client secrets. This approach enhances security by using signed tokens (J…| Software Engineering
This blog shows how to implement a delegated OAuth 2.0 Token Exchange RFC 8693 flow in ASP.NET Core, and has a focus on access token management. It looks at how the OAuth Token Exchange can be impl…| Software Engineering
This article looks at management application access tokens in an ASP.NET Core web application. Any application with or without a user can use application access tokens as long as the application ca…| Software Engineering
The article looks at managing user delegated access tokens for a downstream API in an ASP.NET Core web application. There are many ways of implementing this, all with advantages and disadvantages. …| Software Engineering
Posts about ASP.NET Core written by damienbod| Software Engineering
This article shows how to implement a secure upload and a secure download in ASP.NET Core using Azure blob storage. The application uses Microsoft Entra ID for authentication and also for access to…| Software Engineering
The article looks at the different way a Microsoft Graph application client can be implemented and secured in an ASP.NET Core application or a .NET application. This type of client is intended for …| Software Engineering
This post shows how to implement a Swagger UI using a .NET 9 produced OpenAPI file. The Swagger UI is deployed to a secure or development environment and is not deployed to a public production targ…| Software Engineering
This post implements a basic ASP.NET Core API using .NET 9 and the Microsoft OpenAPI implementation. The OpenAPI Nuget package supports both Controller based APIs and minimal APIs. Until now, we us…| Software Engineering
This article shows how an ASP.NET Core application can control the write access to an Azure blob storage container using an application app registration. Microsoft Entra ID is used to control the u…| Software Engineering
