In the previous article we finally turned our demo authorisation server into something that feels like a real OAuth 2.0 implementation. We consolidated the token and refresh endpoints into a single /token endpoint that dispatches on the official grant_type parameter. We switched to standard OAuth conventions: snake_case,
Although this blog is focused on the role of JWTs in .NET APIs, when you begin to make a concerted study of the subject, you discover that JWTs are actually part of a wider authentication landscape. They're a central component of OAuth 2.0 and the proposed OAuth
If you're like me, whenever you watch a video tutorial about building .NET APIs, the teacher always gives you the minimum information necessary and seldom explains why you should do something. It's always like: "Here's this cool feature and everybody says you should
I originally planned for this article to focus on common JWT attacks in ASP.NET API's. But while reviewing the code from this series, I realised an important gap: We hadn’t properly covered audience validation. In earlier articles, we intentionally kept the implementation minimal so we could
In the previous article we added the two standard JWKS discovery endpoints to our authentication server. As part of the OpenId Connect (OIDC) protocol, the first of these endpoints enables an API to discover where the other relevant endpoints are and the second endpoint publishes the public keys that clients
This article isn't going to be as long as the previous article, but it's going to be just as interesting and powerful. I'm going to be covering JWKS, that is, a JSON Web Key Set. Why JWKS matters for scalable API's In
In the last article, we finished the topic we started in the article before last, which was refreshing tokens. We're developing API's that use JWT (JSON Web Tokens) as access tokens to provide a secure, self-contained way of authenticating using a compact URL-friendly format. All the
In the previous article, we built out our authentication server API to include an endpoint to refresh our JWT. We created a SQLite database to store them and we implemented a rotation policy based on the OAuth 2.1 specification. Then we built a client API to call the authentication
In the previous article, we built an ASP.NET Minimal API in .NET 10 with JWT authentication. In this article, we're going to take the code we wrote last time and extend it to include refresh tokens, so we in effect have our own authentication server. That means
In the previous article, I discussed the structure of a JWT, how to construct one manually in code and the principles behind each step of the process. In this article I'm going to take that knowledge and show you how to build a working ASP.NET Minimal API
In the last post I used an analogy about authentication being like a passport which identifies you to the resource you're trying to access. In this post I'm going to show you how to make a JWT from scratch without using the standard .NET libraries, so
The passport analogy What is authentication and why do we need it? A good analogy is to think about the concept of authentication as a passport. If you want to get into a country, you have to show them your passport. It proves who you are. How does it prove