Duende Software's legendary training on Identity and Access Management was originally created by Dominick Baier and Brock Allen. With their world-class knowledge, they’ve created a workshop focused on the essential concepts and how they interact. Based on the experience from decades of consulting for hundreds of customers, the workshop is packed with content relevant for real-world modern systems.

Modern application design is more complex than it was a decade or two ago. A modern application is expected to be mobile-first and cloud-based. Microsoft’s answer to these demands was to create ASP.NET Core. A decade later, ASP.NET Core has matured into a trusted development platform covering all components needed in a modern application architecture.

Multi-platform, microservices, multi-client, and highly mobile users bring a set of challenges that were not present a decade ago. A modern application cannot be secured just by handling access control in the single UI of the application, because there is no longer any single UI. There are web applications, mobile apps, and APIs that are exposed to partners and third-party developers. Internally, an application often consists of multiple microservices calling each other. These services are also frequently reused between different applications and externally visible APIs.

To properly secure this landscape, a zero-trust approach is required. There should be verifiable proof of the end user's (or end machine's) identity for every user session that is established and for every API call that is made.

This workshop can be delivered publicly, online, and on-site. For more information, please contact us.

Upcoming Workshops

Register today to secure your spot in one of our signature workshops, currently open for enrollment! Or contact us for an in-house version.

August 12 – 21, 2025 (Remote)

Sustainsys

  • Location: Online
  • Timezone: EDT & PDT
  • Length: 6 Half-day Sessions
  • Instructor: Anders Abel

September 23 – 25, 2025 (EU)

Sustainsys

  • Location: Stockholm, Sweden
  • Timezone: CET
  • Length: 3 Days
  • Instructor: Anders Abel

Goals

This workshop is your chance to dive into all these security-related technologies. Learn how to securely connect native and browser-based applications to your back-ends and integrate them with enterprise identity management systems as well as social identity providers and services.

After attending this workshop you will have a good understanding of the concepts and will be ready to start implementing a modern identity and access management solution tailored to your organization’s needs.

You will learn:

  • The ASP.NET Core Authentication and Authorization System Design Principles.
  • How to use external authentication and offer single sign-on and single logout.
  • How to securely call APIs on behalf of the authenticated user.
  • The principles of the OpenID Connect and OAuth 2.0 Protocols.
  • What advanced concepts are available for high-security environments, multi-tenant SaaS offerings, etc.
  • How to configure, customize, and deploy Duende IdentityServer.

Curriculum

The full workshop is three days long, so that we can cover all the topics in depth. We also offer the first two days at select conferences (where the workshops are only two days). Each workshop block starts with lectures explaining the concepts, mixed with extensive live demos and live coding that show how to set up working solutions. At the end of each block, detailed step-by-step labs offer an excellent chance to try it out yourself.

Day 1: Authentication

  • ASP.NET Core Fundamentals
  • Claims
  • Authentication
  • Cookie-Based Sessions
  • Data Protection
  • Authorization
  • Half-day Break
  • Tokens
  • External Authentication in ASP.NET Core
  • Identities and Identifiers
  • Account and Identity Linking
  • External Login Callback Pattern

Day 2: OpenID Connect (OIDC) & OAuth 2.0

  • OpenID Connect
    • Clients
    • Scopes
  • Web Application Patterns
    • Single Sign On / Single Sign Off
    • Claims Transformation
    • Federation Gateway
    • Home Realm Discovery
  • Half-day Break
  • Protecting APIs with OAuth 2.0
    • Machine-to-Machine
    • Interactive Applications
    • Authorization Code Flow
    • Proof Key for Code Exchange (PKCE)
    • Token Lifetime Management & Refresh Tokens
  • Client Application Types
    • Server-Side Web Apps
    • Single Page Applications
    • Backend-for-Frontend (BFF) Pattern
    • Mobile/Native Apps

Day 3: Customizations

  • Advanced OAuth 2.0
    • Resource Design
    • Parameterized Scopes
    • Resource Isolation
    • Token Exchange Impersonation/Delegation
    • High-security Overview: DPoP, mTLS, PAR and FAPI
    • Client Initiated Back Channel Authentication (CIBA)
    • Device Code Flow
    • Pushed Authorization Requests
  • Half-day Break
  • Duende IdentityServer
    • Architecture
    • UI Customizations
    • Extensibility
    • Deployment
    • Multi Tenancy

Hands-on Labs

Each of these hands-on labs will take you and your team approximately 1–2 hours to complete. All labs include step-by-step instructions, as well as reference solutions.

Lab 1: Authentication and Authorization

In this lab, you will add cookie-based authentication to the movie review website using the cookie authentication middleware and claims-based identity. Once users are authenticated, you will then also implement policy-based and resource-based authorization using the ASP.NET Core authorization framework.

Lab 2: External Authentication

In this lab, you will remove the local authentication in the movie review application and change it to use external authentication. For the first part, you will use the OIDC protocol with Duende IdentityServer as the provider. For the second part, you will use social media accounts as the provider.

Lab 3: Federation Gateway

In this lab, you will consolidate all external authentication into a single authentication gateway. Duende IdentityServer will act as this gateway. You will also implement single sign-out, which allows the user to sign out of both the movie web app and Duende IdentityServer.

Lab 4: Web APIs

In this lab, the movie review logic has been split into two projects: one for the back-end movie review logic as a web API, and one for the front-end movie review UI as a web application. The web API will require access tokens to use its functionality, and the movie review web app will obtain access tokens and pass them to the web API. Duende IdentityServer will be used to issue this access token to the movie review web application.

Lab 5: Mobile and Native Client Applications

In this lab, the client application is transformed into a native, cross-platform console application. The pertinent steps in this lab will be the same if you're building a Windows or macOS desktop application, and are no different than if you were to use a platform-specific UI framework to build your application (e.g. WinForms, WPF, MacApp, Cocoa, GTK#, etc.).

Lab 6: JavaScript Client Applications

In this lab, the movie review application has been rewritten as a pure JavaScript-based application. It won't have as much functionality as the previous labs, but it will suffice to show how to obtain an access token and call a web API.