  • ASP.NET Core Authentication and External Providers

    Khalid Abuhakmeh

    Managing users and their identities is among the most challenging components of application building. That’s why some developers use external identity providers to reduce the maintenance burden and focus on solving new and interesting problems. The most popular external providers include Google, Microsoft, and other social media platforms.

    In this post, we’ll show how to create a basic ASP.NET Core web application that defers its authentication to an external provider, in our case Google. We’ll also discuss the relationship between external authentication and cookie authentication, and finally why you may want to consider a different option for your production applications.

    To follow along, you will need a Google Account to create a new Client with a corresponding Client ID and Client Secret. It only takes a few minutes and is easy to set up.

  • Integration Testing .NET Auth with Duende IdentityServer

    Khalid Abuhakmeh

    Getting all the moving parts to work together can be daunting when building and maintaining a .NET auth solution. Developers are adopting OAuth 2.0 and OpenID Connect for authorization and authentication, powered by Duende IdentityServer, to get a tested and mature security solution in place quickly. With the Duende-provided SDK, developers can customize their instance of IdentityServer, but they still want to ensure it works as intended.

    In this post, we’ll show you how to take your existing IdentityServer instance, or even an IdentityServer development instance, and use it with your favorite unit testing framework. We’ll also show you how to add a special test client for a unit test.

  • What's In the Duende Software Toolkit?

    Khalid Abuhakmeh

    While Duende’s most notable offering is the IdentityServer SDK, the OpenID Connect and OAuth solution for .NET developers, we provide more value with other products, services, and libraries.

    In this post, we will explain the commercial and free open-source options we offer .NET developers, the problems these solutions solve, and how you can use them to improve a .NET application’s security posture.

  • Step Up Challenges with Duende IdentityServer and ASP.NET Core APIs

    Khalid Abuhakmeh

    In a previous post, we discussed implementing a Step Up challenge in a typical ASP.NET Core client application powered by Duende IdentityServer. A Step Up challenge helps you build applications that ensure critical actions are performed by the user in question by applying additional levels of scrutiny.

    While client logic can handle most Step Up Challenge scenarios, modern ASP.NET Core solutions may depend on a distributed architecture of APIs, each with unique security requirements.

    In this post, we’ll cover the OAuth RFC 9470 specification. This specification allows API developers to request that a client perform a Step Up challenge and issue access tokens that meet the security requirements of an API endpoint. We’ll also see how to implement challenges in your ASP.NET Core APIs and dependent clients.

  • Astro - Open Source Sponsorship

    Maarten Balliauw

    We’re passionate about open source and grateful for the many maintainers and contributors who make the software world better for everyone. Our team has been fortunate to play a part in the .NET open source ecosystem, with contributions to numerous projects and NuGet packages over the years. We know firsthand that maintaining open source projects is both rewarding and challenging, and we want to do our part in supporting the community.

    This time around, we selected Astro as our next open source sponsorship recipient as part of our ongoing commitment to supporting the open source projects that empower our products and community.

  • Step Up Challenges for ASP.NET Core Client Apps with Duende IdentityServer

    Khalid Abuhakmeh

    Modern software solutions involve hundreds of user actions. When building solutions, user interactions can have impacts ranging from mundane to critical, making it the application’s responsibility to ensure that the user acts intentionally. While a system can follow the best security practices, it may be beneficial to reaffirm a user’s identity before they perform a potentially irreversible action, for example by requiring multi-factor authentication (MFA) as a Step Up challenge to confirm the user's intent.

    In this post, we’ll define Step Up challenges, and highlight their role in a modern .NET solution. We'll also examine how to implement the feature in your ASP.NET Core apps powered by Duende IdentityServer to add a layer of security to mission-critical user decisions.

  • .NET 8.0.17 Upgrades, Forwarded Headers, and Unknown Proxy Issues

    Khalid Abuhakmeh, Wesley Cabus

    We've recently seen a trend of issues in our priority support related to the .NET 8.0.17 release that we thought we'd address publicly, to give developers information about the cause and how to resolve it quickly.

    With any luck, we'll help many folks avoid this issue entirely before it becomes a problem in their production environments. Let's get started.

  • What is an OAuth 2.0 and OpenID Connect Client?

    Khalid Abuhakmeh

    For anyone in the security industry, especially developers who communicate in security lingo about OpenID Connect and OAuth 2.0 daily, the question “What is a client?” and its answer may seem self-evident. However, for many folks on the non-technical side of application security, the term “client” can feel fuzzy and involve overlapping and muddled concepts from other subject domains.

    A common and understandable misconception among folks new to security is that a “client” is an individual or paying customer. These misunderstandings can lead to miscommunication and frustration between parties. So, let’s clear that up today.

    In this short post, we will explain clearly what a client is in the context of application security and how understanding the concept can help you better understand your current solution's inner workings.

  • Monitoring Duende IdentityServer License Usage with ASP.NET Core Health Checks

    Maarten Balliauw

    Health checks are vital for maintaining the reliability and performance of modern applications. They provide a systematic way to monitor the health and status of your application and its dependencies. ASP.NET Core offers built-in support for health checks, and with the help of third-party packages, you can easily integrate these checks with popular monitoring systems like Prometheus, Grafana, and Azure Application Insights.

    With health checks, you can monitor various aspects of your application, including dependencies (e.g., databases, external services), specific metrics (e.g., response times, error rates), and compliance with licensing or other operational requirements. For IdentityServer, you may want to monitor the health of the discovery endpoint, or monitor license compliance to ensure your application remains within the terms of the license agreement.

    In this blog post, we will see how to implement a custom ASP.NET Core health check that reports on IdentityServer license status and usage.

  • Testing Duende IdentityServer Login Flow With a .NET 10 dotnet run app.cs

    Khalid Abuhakmeh

    We recently attended NDC Oslo and had a great time chatting with current and future Duende IdentityServer customers. During the event, an individual approached us with an interesting dilemma and wondered if we could help them solve it.

    They wanted to automate a UI test against their deployed instance of Duende IdentityServer but avoid using an end-to-end library like Selenium or Playwright, because those libraries depend on a headless browser such as Chromium or Firefox. Can we test that first-party logins work properly entirely through .NET code?

    Luckily, brilliant folks work at Duende, including our Director of Engineering, Damian Hickey, who was able to write a simple console application simulating a browser. Still, with the recent announcement of .NET 10’s dotnet run app.cs, we thought we could provide this value through a script that is easily editable and runnable from any environment with .NET 10 available.