Teach on Udemy

Turn what you know into an opportunity and reach millions around the world.

Learn More

Your cart is empty.

Keep shopping

Secure .Net Microservices with IdentityServer4 OAuth2,OpenID

Name: Secure .Net Microservices with IdentityServer4 OAuth2,OpenID
Rating: 4.1 (1243 reviews)

Securing .Net Microservices with IdentityServer4 using OAuth2, OpenID Connect and Ocelot API Gateway

Created byMehmet Ozkaya

Last updated 5/2026

English

What you'll learn

Building IdentityServer4 Authentication Microservice
Get Token from Identity Server with client_credentials grant_type
Protecting API with Using IdentityServer4 OAuth 2.0 and JWT Token
OpenID Connect with IdentityServer4 For Interactive MVC Client Micorservice
IdentityServer4 OpenID Connect Integration For Client MVC Interactive Client Application
Consume Protected API with HttpClientFactory From Client Application
Adding the UI for OpenID Connect Login, logout, consent and error
Hybrid Flow of IdentityServer4 Secure Interactive Mvc Client (OpenID) and Api Resources (OAuth2)
Claim Based Authorization in IdentityServer4 Secure Interactive MVC Client (OpenID) and API Resources (OAuth2)
Ocelot API Gateway Implementation for MVC Client to Interact w/ IdentityServer4 and Carry Token
Secure Existing Microservices Reference Application w/ Adding IS4 Integration onto Ocelot and APIs
Claim Based Authentication with client_id Claim Restriction
Securing API with JWT Bearer Token Authentication
Build OpenId Connect Interactive Client for Client MVC Application
Developing HttpHandler for Getting Token from IDPClient with IHttpClientFactory
Securing Ocelot API Gateway with Bearer Token

Course content

13 sections • 76 lectures • 5h 31m total length

Introduction5:50
Secure ASP.NET core microservices with IdentityServer4 and Ocelot API Gateway using OAuth 2.0 and OpenID Connect to issue JWTs and enforce claims-based access.
Prerequisites and Source Code1:17
Outline prerequisites for this course. Expect OAuth 2.0, OpenID Connect, and IdentityServer4 to be covered later, while leveraging C#, ASP.NET MVC, and REST API knowledge with Visual Studio and Postman.
What is JWT (Token) ?1:03
Explore how JSON Web Tokens (JWT) enable authentication and authorization across services, explain RFC 7519 as the industry standard, and describe retrieving a token to access protected resources.
JWT Example Scenario0:56
Demonstrates a jwt example scenario where a user logs in, the authentication server creates a token with a secret key, and clients pass the token in api request headers.
JWT(JSON Web Tokens) Structure2:36
Explore the structure of JSON Web Tokens, detailing header, payload, and signature parts encoded in base64, and how claims, scopes like movieAPI, and data integrity are ensured.
What is OAuth2 ?1:32
OAuth2 Authorization Types and Flows2:10
What is OpenId Connect ?1:18
OpenID Connect Endoints1:07
OpenID Connect Authentication Flows1:47
this lecture explains OpenID Connect authentication flows, covering the authorization code flow, implicit flow, and hybrid flow as extensions of OAuth2, defined by the response_type parameter.
What is Identity Server 4 ?1:38
Discover how IdentityServer4, an open source .NET Core framework, implements OpenID Connect and OAuth2 to provide authentication, access control, and token-based security for web apps and APIs.
Identity Server 4 Terminologies2:21
Identity Server 4 in Microservices World2:12
Explore how IdentityServer4 centralizes authentication and authorization in a microservices world, issuing tokens to clients and securing protected APIs via the Ocelot API gateway.
Microservices Security Quiz

Introduction0:55
Create Visual Studio Solution For Microservice Security Application0:42
Open Visual Studio and create a new blank solution named SecureMicroservices, then add a project and prepare the application for development.
Create Asp.Net Core Web API Project For Movies.API Microservice2:53
Create Asp.Net Core Web API Project For Movies.API Microservice Part 21:38
Create Controller Class for Movie Model4:03
Create a movies api by scaffolding an api controller with actions using Entity Framework Core, wiring the movies api context and the connection string in startup to perform CRUD operations.
Use In-Memory Database for Entity Framework Core MoviesAPIContext3:41
Configure an in-memory database for the entity framework core MoviesAPIContext to replace the real database, enabling quick testing and avoiding sql exceptions during movie retrieval.
Seeding In-Memory Database with Entity Framework Core5:02
Test CRUD with Postman to our Movies.API Asp.Net Web API Project5:56

Introduction1:02
Create IdentityServer4 Asp.Net Web Application2:49
Install IdentityServer4 Nuget Package and Configure Startup.cs2:06
Configure IdentityServer4 with Clients, Resources, Scopes and TestUsers3:10
IdentityServer4 What is Clients, Resources, Scopes and TestUsers2:18
Explain how IdentityServer4 uses clients, API resources, API scopes, and test users with in-memory configurations and the role of identity resources and developer signing credentials.
Adding Config Class for Clients, Resources, Scopes and TestUsers3:54
IdentityServer4 Quiz

Introduction0:58
Protect Movies.API resources with IdentityServer4 and JWT tokens using OAuth 2.0. Generate a JWT token via client_credentials and use it to secure Movies.API resources.
Protecting Movie API using Client Credentials4:26
Get Token from Identity Server with client_credentials grant_type5:22
Learn how to obtain an access token from Identity Server using the client credentials grant type, configure a movie client, and test token responses via Postman.
Securing Movies.API with JWT Bearer Token Authentication5:08
Test Secured Movies.API with JWT Bearer Token Authentication6:26
Claim Based Authentication with client_id Claim Restriction10:52
Demonstrates claim-based authentication with client ID restriction by inspecting user claims via an identity controller, obtaining bearer tokens, and enforcing a client ID policy in a .NET microservices API.

Introduction0:36
Create Asp.Net Core MVC Web Project For Movies.Client Microservice3:05
Create an ASP.NET Core MVC web client for the movies client microservice to consume a protected web API, configure HTTPS and port settings, and run the app.
Adding Model Class into MVC Application1:36
Add a movie model class to the MVC client by creating it in the models folder, copying properties from the API project, and aligning the namespaces.
Create Controller Class for Movie Model7:02
Convert Movies.Client MVC Web Application with Consume Movies.API project15:29
Refactor the movies client MVC app to consume the movies.api via a new API services layer. Implement IMovieApiService and MovieApiService with mock data and wire them in startup.

Introduction0:38
Learn to add an interactive IdentityServer4 UI for user credential entry within the authorization server, explore the architecture for client login operations, and set the stage for coding login experience.
Adding the UI for OpenID Connect Login, logout, consent and error4:09
Set DI Registiration and Pipeline of IS4 MVC UI Pages6:01
Update Config.cs for IS4 OpenID Connect with MVC Interactive Client and TestUser8:28
Register OpenID Connect Client and TestUsers into Asp.Net DI3:12

Introduction1:04
Build OpenId Connect Interactive Client for Movies.Client MVC Application7:25
Configure an OpenID Connect authentication layer for the movies mvc client, enabling login via IdentityServer and protecting the movies page with cookie-based authentication and OpenID Connect.
Authorize Movies Page2:47
See Token into Output Window When OpenId Connect Get Token from IS42:53
Run All Projects Discover Open Id Connect From MVC Client opens Login Window8:22
Run a multi-project setup to discover OpenID Connect from an MVC client, opening the identity server login window and initiating the authorization flow, and review tokens and claims.
Developing Logout Button For Signout from IS45:27
Post Logout Redirect Uri Options5:46

Introduction1:05
Consume protected Movie API resources from the Movies.Client project using HttpClientFactory, obtain a token from Identity Server with client credentials, and call the protected API validated by the server.
Consume Protected API with Getting Token from IS417:25
Obtain a token from the identity server using the identity model, then call the protected movies API with a bearer token and deserialize the response into a movie list.
Refactor Consume Operation with IHttpClientFactory10:10
Developing HttpHandler for Getting Token from IDPClient17:37
ASSIGNMENT - DEVELOP CRUD OPERATIONS FROM API2:39
Develop and integrate full crud operations for the movies api by consuming http calls with token authentication, extending the mvc app to create, update, delete, and get by id.

Introduction3:59
Learn how hybrid flow blends front-channel and back-channel token delivery in OpenId Connect, using authorization code, implicit, and hybrid flows via the authorization and token endpoints.
Using Hybrid Flow For Getting Token and Combine Scopes for Interactive Channel6:57
Why We Are Getting Token When We Had OpenID Connect ?5:32
Refactor token retrieval to reuse the OpenID Connect token via IHttpContextAccessor, eliminating extra identity server requests and using GetTokenAsync to access the movies API and OpenID Connect token.
Login With OpenID Connect on Hybrid Flow and Extend Claim Based Authorization9:41
Log in with OpenID Connect on hybrid flow and extend claim-based authorization, verifying access tokens and client IDs to access the protected movies API.

Introduction0:51
Learn claim-based authorization with Identity Server to secure the Movies.Client MVC and Movies.API using OpenID Connect and OAuth, exploring hybrid flow and role-based access control.
Adding Test Users with Email and Address Claims2:45
Configure predefined test users with email and address claims in identity server to test authentication in secure .NET microservices, using Alice and Bob as example users.
Carry your Claims when Login The System5:13
Create Role Claims For Using Role Based Authorization3:34
Create role-based claims to enable role-based authorization by assigning Alice as user and Bob as admin, defining a role identity resource, and configuring client scopes to expose role claims.
Create Role Claims For Using Role Based Authorization Part 28:20
Extend the identity server by adding a roles scope and mapping role claims to the MVC client for role-based authorization, and verify tokens via login and token inspection.
Use Role Claims For Authorization Admin Page4:06
Developing Only Admin Page with Get User Info From IdentityServer15:02
ASSIGNMENT - ACCESS DENIED PAGE1:26
Develop an access denied page as an assignment for securing IdentityServer4-based microservices, implementing role-based access for unauthorized requests, and submit your GitHub link for review.
ASSIGNMENT - EF CORE INTEGRATION REAL DB1:13
I will plan to implement adding EF.Core implementation into IS4.
Please follow this article series, this will provide to store login information in sql server with using ef.core. ->
https://identityserver4.readthedocs.io/en/latest/quickstarts/5_entityframework.html#

Requirements

C# knowledge
Aspnet core basics knowledge

Description

You will learn how to secure microservices with using standalone Identity Server 4 and backing with Ocelot API Gateway. We’re going to protect our ASP.NET Web MVC and API applications with using OAuth 2 and OpenID Connect in IdentityServer4. Securing your web application and API with tokens, working with claims, authentication and authorization middlewares and applying policies, and so on.

This course will led you get started securing your ASP.NET based microservices applications with IdentityServer4 using OAuth 2 and OpenID Connect on distributed microservices architecture. And Also you’ll learn how to secure protected APIs backing with Ocelot API Gateway in a microservices architecture.

Check the overall picture

You can see that we will have 4 Aspnet core microservices project which we are going to develop one by one and together.

Movies.API

First of all, we are going to develop Movies.API project and protect this API resources with IdentityServer4 OAuth 2.0 implementation. Generate JWT Token with client_credentials from IdentityServer4 and will use this token for securing Movies.API protected resources.

Movies.MVC

After that, we are going to develop Movies.MVC Asp.Net project for Interactive Client of our application. This Interactive Movies.MVC Client application will be secured with OpenID Connect in IdentityServer4. Our client application pass credentials with logging to an Identity Server and receive back a JSON Web Token (JWT).

Identity Server

Also, we are going to develop centralized standalone Authentication Server and Identity Provider with implementing IdentityServer4 package and the name of microservice is Identity Server.
Identity Server4 is an open source framework which implements OpenId Connect and OAuth2 protocols for .Net Core.
With Identity Server, we can provide authentication and access control for our web applications or Web APIs from a single point between applications or on a user basis.

Ocelot API Gateway

Lastly, we are going to develop Ocelot API Gateway and make secure protected API resources over the Ocelot API Gateway with transferring JWT web tokens. Once the client has a bearer token it will call the API endpoint which is fronted by Ocelot. Ocelot is working as a reverse proxy.

After Ocelot re-routes the request to the internal API, it will present the token to Identity Server in the authorization pipeline. If the client is authorized the request will be processed and a list of movies will be sent back to the client.

Also over these overall picture, we have also apply the Claim based authentications.

By the end of this course, you will have a practical understanding of how to secure .Net Microservices with IdentityServer4 using OAuth2, OpenID Connect and Ocelot Api Gateway.

Secure Existing Microservices Architecture

In the last section, we will give an assignment for security operations with identity server integration for an existing microservices reference application. We had developed run-aspnetcore-microservices reference application before this course. We will extend this application with IdentityServer OAuth 2.0 and OpenId Connect features with adding new Identity Server Microservice.

Is this course for you?

This course is very practical, about 90%+ of the lessons will involve you coding along with me on this project. If you are the type of person who gets the most out of learning by doing, then this course is definitely for you.

Tools you need for this course

In this course all the lessons are demonstrated using Visual Studio 2019 as a code editor. You can of course use any code editor you like and any Operating system you like as long as it's Windows or Mac.

Who this course is for:

.Net developers who interested in Secure Microservices

Secure .Net Microservices with IdentityServer4 OAuth2,OpenID

What you'll learn

Explore related topics

Course content

Introduction13 lectures • 26min

Building API Resource - Movie.API Asp.Net Web API Project8 lectures • 25min

Building IdentityServer4 Authentication Microservice6 lectures • 15min

Protecting Movie.API with Using IdentityServer4 OAuth 2.0 and JWT Token6 lectures • 33min

Building MVC Client Application For Consuming API Resource - Movies.Client App5 lectures • 28min

OpenID Connect with IdentityServer4 For Interactive MVC Movie.Client Project5 lectures • 22min

IS4 OpenID Connect Integration For Movie.Client MVC Interactive Client App7 lectures • 34min

Consume Protected Movie.API with HttpClientFactory From Movie.Client5 lectures • 49min

Hybrid Flow of IdentityServer4 Secure Interactive Mvc.Client (OpenID)4 lectures • 26min

Claim Based Authorization in IdentityServer4 Secure Interactive MVC Client9 lectures • 43min

Requirements

Description

Who this course is for: