Single Sign-on Authentication and authorization in ASP.NET Core.png

sso.tar.gz

Stand Alone Auth Provider

Client App Only

Full Authentication Flow

Full Authentication Flow With Secondary App

Blazor WebAssembly OIDC

Client and back-end

Securing web applications is extremely important, as you do not want unauthorized people to gain access to your data. The most convenient way of securing an application is to use single sign-on (SSO) because it allows users to authenticate once and gain access to all apps within the same system.

In this course, you’ll cover the process of using SSO in ASP.NET Core apps. You’ll also cover its usage inside all application types supported by ASP.NET Core, including MVC, web API, gRPC services, Blazor, and SignalR.

By the end of this course, you will have learned what SSO consists of, what protocols it uses, and how it’s configured inside an ASP.NET Core middleware. You will also have learned how to secure any endpoints, pages, and views supported by ASP.NET Core.

Using Single Sign-On for Securing Applications in ASP.NET Core

It is a token that is passed from the IdP to the client application during the OIDC authentication flow.

It is a JWT used for a one-off request to an endpoint that requires authorization.

It is a refresh token issued by the IdP to keep the client authenticated.

The `Authority` setting in the authentication configuration must match the URL of the IdP.

The JWT needs to have the same audience configured as the URL of the Web API application.

The `RequireHttpsMetadata` property in the authentication options must be set to `true`.

The endpoint that the client is setting the bearer token to must have an authorization policy set.

What must be *true* for a bearer token to be accepted by a web API application?

What must be true for a bearer token to be accepted by a web API application?

Apply the `[Authorize]` attribute on every controller class.

Set the `DefaultPolicy` option in the `UseAuthorization()` invocation.

Invoke the `RequireAuthorization()` method on the `MapControllers()` method of the `app` object.

Apply the `[Authorize]` attribute on individual endpoint methods.

What is the best way to apply the same authorization requirement to all the web API controllers but not the minimal API endpoints?

What is the best way to apply the same authorization requirement to all the web API controllers but not the minimal API endpoints?

Using the `AllowAnonymous()` invocation is redundant because all minimal API endpoints are anonymous by default.

When you have the `RequireAuthorization()` invoked on the `MapControllers()` method

When the default authorization policy is set globally inside the `AddAuthorization()` invocation

There is no such method available on minimal APIs.

Which situation will be appropriate to use the `AllowAnonymous()` invocation if you want to retain anonymous access to this endpoint and a minimal API endpoint?

Which situation will be appropriate to use the <code>AllowAnonymous()</code> invocation if you want to retain anonymous access to this endpoint and a minimal API endpoint?

Endpoint methods in the controller classes

**(Select all that apply.)** Which of the following have their authorization policy enabled via the `[Authorize]` attribute? 

(Select all that apply.) Which of the following have their authorization policy enabled via the <code>[Authorize]</code> attribute?

Test your knowledge of using SSO in a web API application.

Introduction to Single Sign-On (SSO)

JWT and Authorization Middleware

Enabling SSO in MVC Apps

Enabling SSO in Razor Pages

Enabling SSO in Web API

Enabling SSO in Blazor

Enabling SSO in gRPC

Enabling SSO in SignalR

Wrapping Up

Appendix

Quiz Yourself on Using SSO in a Web API