- Home>
- ASP.NET core
All posts in "ASP.NET core"
Securely log to blob storage using NLog with connection string in key vault.
If you do a simple google search on how to log to blob storage using NLog, you can find examples from the project page as well as posts from other developers. However, in most of the examples I have found, the connection string for the blob storage are directly embedded in the nlog.config file, which is not ideal. In this post, I show you another example of using NLog to log to azure blob storage, with the connection string coming from an azure key vault.
Why you need to register authentication middleware even if your ASP.NET core web API does not handle authentication.
Sometimes ago, I was confused about the role of the Authentication middleware in an ASP.NET core web API that does not authenticate an user. It makes sense to me that you need to use the Authentication middleware if your web application handles the authentication. Specifically, I did not understand why you need to use Authentication middleware if your app is a web API that does not handle authentication. For instance, my web API performs token validation but it does not authenticate a user. Authentication handling is part of the client application which implements OpenID implicit flow to authenticate the user and obtains authorization to access the web API. I believed I only needed the Authorization middleware so that I can annotate the endpoints I want to protect with the [Authorized] attribute. The document states
The
Authentication Middleware and servicesUseAuthenticationmethod adds a single authentication middleware component, which is responsible for automatic authentication and the handling of remote authentication requests.
So if my web API does not handle authentication, why do I still need to call UseAuthentication to add the middleware?
Implement OAuth2 Client-Credentials flow with Azure AD and Microsoft Identity Platform.
Published December 16, 2019
in ASP.NET core
, Azure
, Azure Active Directory
, OAuth2
, OpenID Connect
, security
- 5 Comments
OAuth2 Client Credentials flow is a protocol to allow secure communication between two web APIs. Specifically, the protocol specifies the flow of obtaining authorization for a client to access protected endpoints of a resource server with no user interaction involved. With Microsoft Identity Platform, Azure portal, Microsoft Authentication Library (MSAL), and .NET core security middleware, you can implement the OAuth2 client credentials flow without much difficulty. In this post, I go over how to leverage those technologies to protect your ASP.NET core web APIs.
Connect to azure key vault from an ASP.NET core app using azure managed identity
Of the three different ways to access an azure key vault from an ASP.NET core application, if your app runs on an azure resource, the best option is using azure managed identities for simplicity and the highest security. In this post, I go over how I configure the application and azure sides to leverage azure managed identities when accessing the key vault.
Configure OAuth2 implicit flow for Swagger UI
Published November 8, 2019
in ASP.NET core
, Azure
, Azure Active Directory
, OAuth2
, security
- 1 Comment
In this post, I share some example codes of how to enable OAuth2 implicit flow within Swagger UI to obtain an access token from Microsoft Identity Framework (v2.0 endpoint).
Pass user’s identity and authorization from a client application to a web API to another web API using OAuth 2.0 On-Behalf-Of flow.
Published October 20, 2019
in Angular
, ASP.NET core
, Azure
, Azure Active Directory
, OAuth2
, OpenID Connect
, security
- 7 Comments
A few months ago, I gave an overview of the libraries I use to implement OpenID Connect implicit flow in an angular app, and On-Behalf-Of (OBO) flow in ASP.NET core backend APIs. You can checkout this post for more info. In that post, I talk about the security flow from the angular app to the downstream APIs. The angular app communicates only with a single backend API which acts as a gateway that forwards the requests from to other downstream APIs.
In this post, I go over the details of obtaining an access token via the OBO flow to call protected endpoints from a web API (which I refer to as the gateway in this post) to another web API .
Access azure key vault from an ASP.NET core app on IIS using X.509 certificate
In this post, I go over in more details the steps of retrieving secrets from an azure key vault using client id and secret. This approach is one of the three ways to authenticate a Windows virtual machine against azure key vault. It is suitable if your app runs on a virtual machine which is not an azure resource and so cannot use azure managed identity.
At the high level, the process involves these steps:
- Register the application in azure.
- Generate and add a X.509 certificate into a certificate store.
- Grant IIS_IUSRS user permission to access the private key of the certificate.
- Upload the public key of the certificate to the app’s registration.
- Grant the app access to the key vault.
- Add codes to Startup file to authenticate against AD using the certificate.
You can find the sample project for this post here.
Build and deploy an ASP.NET core app running on IIS using Azure pipelines
This is part III of the series in which I cover how to build and deploy an ASP.NET core app to IIS running on a Windows VM. In part I, I cover how to build and publish an artifact using visual studio. In part II, I cover how to manually deploy the artifact to IIS and go over some of the concepts such as bindings, app pools and website.
In this tutorial, I walks you through the steps to automate the build and deployment process using azure pipelines.
Stamp a PDF using iTextSharp for .NET core
Recently I had to implement the logic to “stamp” a PDF file in my ASP.NET core project. I found the sample codes from this SO post, which works greatly. I’ve extracted the logic into a sample project, which you can find on my github.
Protecting angular and ASP.NET core applications – An Overview.
In this and upcoming blog posts, I’ll be talking about integrating Azure Active Directory (AAD) and leveraging open source libraries to protect a system consisting of an angular application and ASP.NET core web apis.
In this post, I just want to give a high level overview of the setup and the technologies involved in securing such as system. As such, I likely gloss over some of the points. In subsequent posts, I’ll cover the specific parts in more details.