Loading user information from Channel 9

Something went wrong getting user information from Channel 9

Latest Achievement:

Loading user information from MSDN

Something went wrong getting user information from MSDN

Visual Studio Achievements

Latest Achievement:

Loading Visual Studio Achievements

Something went wrong getting the Visual Studio Achievements

Advanced ASP.NET Core Authorization with Barry Dorrans

38 minutes, 39 seconds


Right click “Save as…”

In this video, I had the chance to have a look at some more advanced implementations ASP.NET Core's new policy authorization model with Microsoft's crack security analyst Barry Dorrans (emphasis crack). I learned how to configure ASP.NET Core in more realistic scenarios to authorize access to web applications using code instead of just the presence of a role. We configured a web application to properly grant access to alcohol sales dependent on the country and their minimum age laws. I also discovered how to handle credentials like our security teams do at the office: accepting not just my company id, but also temporary ids and guest ids. I now know everything there is to know about ASP.NET Core Security and am ready to secure my next web application.


Follow the discussion

  • Oops, something didn't work.

    Getting subscription
    Subscribe to this conversation
  • MrSmithMrSmith

    Excellent, right on Barry. Even tough it´s easter: this is far from an easter egg, but so elegant, powerful and simple. So when you first open it, why not use, extend and enjoy it;-)

  • These videos on security have been very insightful.

    it would be great if you could do another one on setting up token based security or federated identity with IdentityServer :)

  • blowdartblowdart Peek-a-boo

    @scyonx: As identity server isn't a Microsoft product I wouldn't presume to make a video on it.

  • figuerresfiguerres ???

    , blowdart wrote

    @scyonx: As identity server isn't a Microsoft product I wouldn't presume to make a video on it.

    Hey what about a good talk on how to play with OAuth and Identity ?

    I spent several weeks figuring out how to do OAuth for my new job we did not want to use 3rd party Oauth servers and did not want to re-invent stuff.  it seems like the Microsoft bits for this are lacking some key items and I had to use one of the parts from ID Server to make my implementation work.

    the issue was getting the tokens issued as I recall.

    it was a painful process as there seems to be very little documentation out there.  most of what I saw was how to use some other auth server to store and issue.  almost nothing on how to just configure the Microsoft bits to work.   it was all on using Azure or Live ID or Google etc...


  • @blowdart fair enough. How would you demonstrate leveraging security tokens (JWT, etc) for web based APIs w/ aspnet-core ?

  • hsakarphsakarp

    This is a good video.but,I am kind of confused between the AuthorizeActionFilter and resource based authorization.

  • blowdartblowdart Peek-a-boo

    @figuerres:Yea, our previous attempts were sadly lacking, so come ASP.NET Core we decided to reinvest dev resources elsewhere as, frankly, Identity Server did everything better than our previous attempts. So don't expect an OAuth Server from our team any time soon.


  • blowdartblowdart Peek-a-boo

    @scyonx: That's just "Use the JWT middleware".  However it's still in flux a little, and it's owned by the AAD team really. Really it just boils down to.


    var key = Convert.FromBase64String("base64-encoded symmetric key");
    .UseJwtBearerAuthentication(options => { options.AutomaticAuthenticate = true; options.AutomaticChallenge = true;
    .Authority = Configuration["jwt:authority"]; options.Audience = Configuration["jwt:audience"];
    .TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(key);});


  • blowdartblowdart Peek-a-boo

    @hsakarp: Well I didn't cover filters :) AuthorizeActionFilters are at a deep level. Frankly we hope with the new policy based stuff you won't ever need to write one, but they're there, in case you want to do something really odd.

  • Hi, I have a Web API app using Azure B2C with the configuration shown below. From a Xamarin client, I can call AcquireTokenAsync and get a Token and IdToken successfully. I can take that token and paste it into an online decoder (like https://jwt.io/) and I can view the payload. However I haven't figured out how to view the payload from my Xamarin app. Every JWT decoder I have tried gives me errors, like "rs256 is not supported"

    I'm wondering if you have an recommendations. Thanks!



    app.UseJwtBearerAuthentication(new JwtBearerOptions
                    TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                        IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String("key="))
                    AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
                    AutomaticAuthenticate = true,
                    AutomaticChallenge = true,
                    MetadataAddress = String.Format(CultureInfo.InvariantCulture, "{0}/{1}/{2}/{3}?p={4}", policySettings.Value.AadInstance, policySettings.Value.Tenant, "v2.0", OpenIdProviderMetadataNames.Discovery, policySettings.Value.SignUpInPolicyId),
                    Audience = policySettings.Value.ClientId




  • I've had a pain in my Auth for a very long time, thanks for making it go away :)

Remove this comment

Remove this thread


Comment on the post

Already have a Channel 9 account? Please sign in