Modern Identity and Security for ASP.NET Core

Master ASP.NET Core Security: OAuth2, OpenID Connect, JWT, and Workload Identity for Modern Web APIs and AI Agents

Role Play

Created byAref Karimi

Last updated 5/2026

English

What you'll learn

Secure ASP.NET Core apps with OAuth2, OpenID Connect and JWT.
Implement Client Credentials, PKCE and On Behalf Of flows.
Manage secrets safely using Managed Identity and Workload Identity.
Validate and use access, ID and refresh tokens in real apps.
Design secure API, microservice and AI agent architectures.

Course content

10 sections • 27 lectures • 2h 21m total length

Introduction3:01
Welcome to ASP.NET Core Identity Management and Security. In this introduction lecture, I explain to you that how the course structured and what you should expect.
Authentication and Authorisation3:17
Identity Flows in Modern Applications6:26

Beyond Local Storage: The Rise of the BFF Pattern1:59
Modern web development is moving away from storing sensitive tokens in the browser. As security threats evolve, the Backend for Frontend (BFF) pattern has emerged as the industry standard for securing Single Page Applications (SPAs) and mobile clients. This lecture explores why traditional local storage is no longer sufficient and how the BFF pattern provides a robust architectural solution for modern identity management.
You will learn how the BFF acts as a dedicated security layer that handles the complexities of OAuth2 and OpenID Connect on behalf of the frontend. We will examine how this pattern mitigates Cross-Site Scripting (XSS) risks by keeping tokens out of reach from malicious scripts. By moving the heavy lifting of token exchange and session management to the server side, you can build leaner, more secure applications that align with current Best Current Practices (BCP).
The session covers practical implementation strategies, including how to handle cookies with the SameSite attribute and how to proxy requests to downstream microservices. We also discuss the trade-offs involved in adopting a Backend for Frontend approach, ensuring you have the architectural insight to decide when this pattern is the right fit for your software ecosystem.
The Process of PKCE with BFF Architecture3:06
Implementation of Authorisation Code with PKCE in ASP.NET Core7:23
Refresh Tokens in Open ID Connect4:58

Requirements

Beginner-level knowledge of ASP .NET Core

Description

Mastering modern application security is now essential for anyone building APIs, cloud services or AI driven applications. This course gives you a practical, hands on path to understanding authentication, authorisation and identity in ASP.NET Core.

You will learn how real world identity flows work, how to secure your APIs, how to handle users safely, and how to protect services talking to each other in distributed systems.

This course is designed for developers who want a strong, practical understanding of OAuth2, OpenID Connect, JWTs, PKCE, secrets management, delegated access and externalised policy-based authorisation.

What you will learn:

• The fundamentals of modern authentication and authorisation
• How identity actually flows through an application
• How JSON Web Tokens are structured, decoded and validated
• How to issue and inspect tokens using tools like Postman
• How to secure service to service communication with the Client Credentials Flow
• How to call protected APIs using C sharp and bearer tokens
• How to validate JWTs manually when you are not using ASP.NET Core middleware
• Why OpenID Connect is required for user authentication
• How ID tokens work and where they fit in the login process
• When to use OAuth and when to use OpenID Connect
• How the Authorisation Code Flow with PKCE protects mobile and browser based apps
• How to implement PKCE inside ASP.NET Core
• How to use refresh tokens safely
• How to call APIs on behalf of the signed in user
• Modern secrets management in the cloud
• How Managed Identity and Workload Identity remove the need for stored secrets
• How delegated authorisation works using the On Behalf Of Flow
• How to design upstream and downstream API security
• How to build policy based authorisation using PDP and PEP patterns

Throughout the corse you will work with Auth0 and Microsoft Entra ID to implement various authentication scenarios. We will also see how a modern Policy Decision Point pattern is implemented so easily using Amazon Verified Permissions.

Please bear in mind that in this third edition of the course, ASP.NET Identity Framework is not thaught, as the modern applications do not implement their own identity systems.

By the end of this course, you will understand modern identity flows with absolute clarity and have the confidence to design and secure applications using current industry standards.

Who this course is for:

ASP.NET Core developers who want a clear, practical guide to modern identity
Backend engineers building secure cloud native services
Developers who want to understand OAuth2, OpenID Connect and JWTs without the confusion
Teams moving to microservices or distributed architectures
Anyone building systems where APIs call other APIs
ngineers working with AI agents or tool based architectures

Modern Identity and Security for ASP.NET Core

What you'll learn

Explore related topics

Course content

Security Fundamentals3 lectures • 13min

Getting Started with JWTs3 lectures • 15min

Implementing Client Credentials Flow in ASP.NET Core3 lectures • 20min

OpenID Connect for User Authentication3 lectures • 9min

Authorisation Code with PKCE2 lectures • 10min

Modern Web Security: The Backend-for-Frontend (BFF) Pattern4 lectures • 17min

Service-to-Service Security2 lectures • 15min

Delegated Authorisation and On-Behalf-Of (OBO) Flow3 lectures • 12min

Decoupled Authorisation with PDP and PEP3 lectures • 24min

Wrap Up2 lectures • 8min

Requirements

Description

Who this course is for: