Authentication and Authorization in ASP.NET Core

Master Cookie Authentication, Claims-Based Identity, and Policy-Based Authorization in ASP.NET Core 10.

Perhaps you’re taking on more responsibility, focusing on compliance, or know you’ll need to upgrade the security of your systems. You want to know that they’re secure and why, and that there’s a solid yet flexible foundation for you and your team to build on. If so, this course is for you!

Building secure web applications is essential in today’s digital landscape. This instructor-led course provides a comprehensive foundation in authentication and authorization for ASP.NET Core 10, teaching you how things work under the hood before you adopt higher-level libraries like ASP.NET Core Identity or external providers like OAuth and OpenID Connect.

Duration
3 days

Level
Intermediate

Language
English, Swedish

Course Agenda

1. Course Overview

2. Getting Started

3. Fundamentals

4. The Authentication Middleware

5. The Authentication Middleware

6. The Authentication Handler

7. Cookie and Ticket Lifetime

8. Cookie Event Handlers

9. Authorization

10. Advanced Authorization

Authentication and Authorization in ASP.NET Core Details

To get the most from this course, you should have:

  • Basic knowledge of ASP.NET Core (equivalent to our ASP.NET Core fundamentals course)
  • Solid understanding of C# including LINQ and lambda expressions
  • Understanding of the HTTP/HTTPS protocol and web fundamentals
  • A development environment with Visual Studio or an equivalent .NET IDE, capable of running ASP.NET Core 10.
  • Windows-based development environment recommended. macOS/Linux users can follow the course using alternative HTTP debugging proxy tools; see the FAQ for details and limitations.

After completing this course, you will have the skills and confidence to implement secure authentication and authorization in your ASP.NET Core applications. Specifically, you will be able to:

  • Implement cookie-based authentication from scratch without relying on black-box libraries
  • Create and manage ClaimsPrincipal and ClaimsIdentity objects for user representation
  • Configure authentication middleware and understand how it processes requests
  • Handle all authentication operations: Challenge, SignIn, Authenticate, SignOut, and Forbid
  • Configure secure cookie settings including lifetime, persistence, and renewal policies
  • Implement role-based, claims-based, and policy-based authorization strategies
  • Create custom authorization requirements and handlers for complex business rules
  • Apply resource-based authorization for fine-grained access control
  • Debug authentication flows using Fiddler to identify and resolve security issues
  • Protect your applications against broken access control vulnerabilities

You will learn the concepts, tools, and solutions needed to build a secure authentication and authorization pipeline within your application. You will be able to:
  • Understand the ASP.NET Core authentication pipeline and how requests are processed
  • Work with ClaimsPrincipal, ClaimsIdentity, and the security context
  • Master authentication operations: Challenge, SignIn, Authenticate, SignOut, and Forbid
  • Understand authentication schemes, tickets, and the cookie handler internals
  • Configure cookie and ticket lifetimes for different security scenarios
  • Implement custom cookie event handlers for advanced scenarios
  • Apply role-based, claims-based, and policy-based authorization
  • Create custom authorization requirements and handlers
  • Implement resource-based authorization for fine-grained access control
  • Debug authentication flows using Fiddler
  • Avoid common security pitfalls including broken access control

When taking the Authentication and Authorization in ASP.NET Core workshop, you’ll receive:

  • Comprehensive Course Material:
    Created by the instructor, the material is regularly updated to reflect the latest practices and standards.
  • Hands-On Exercises:
    Engage in practical exercises where you will explore and apply the concepts taught in the course.
  • Ongoing Support:
    During and after the workshop, access a private chat for additional resources, questions, and updates.
  • Workshop Materials:
    Receive a PDF of the presentation and exercises.
  • Live and Interactive Sessions:
    Ask questions in real-time via chat or audio and get immediate clarifications. Includes live demonstrations by the instructor.

  • ASP.NET Core Developers: Who want to understand the fundamentals of authentication and authorization to ensure user security, compliance and reliability.
  • Developers Moving From ASP.NET Framework: To ASP.NET Core in order to modernize applications and their security.
  • Backend Developers: Who need to implement strong, reliable, and scalable security solutions within web applications.
  • Developers Needing To Understand Authentication: Those who need to know how authentication works before using higher-level libraries.
  • Developers Looking to Use OAuth, OIDC, or ASP.NET: In order to modernize applications and their security and performance capabilities.


What topics are covered in this course?

This course focuses on local authentication using cookies and the core ASP.NET Core authentication and authorization infrastructure.

You’ll learn cookie authentication, claims-based identity, the authentication middleware, and both basic and advanced authorization patterns.

What topics are NOT covered in this course?

This course does not cover external authentication providers (Google, Facebook, Microsoft), OAuth 2.0, OpenID Connect, or ASP.NET Core Identity. These topics build upon the fundamentals taught in this course and are covered in our other courses.

To learn OpenID Connect and OAuth, see our Introduction to OpenID Connect and OAuth course.

Is this course suitable for beginners?

This course assumes you have basic ASP.NET Core knowledge. If you’re new to ASP.NET Core, we recommend taking our ASP.NET Core fundamentals course first. However, no prior authentication or security experience is required.

What version of .NET is used?

This course uses ASP.NET Core 10 and .NET 10. The concepts and patterns taught apply to earlier versions as well, though some API details may differ.

What if I am using an older version like .NET 6-9?

You can definitely still attend. The foundations of authentication and authorization have remained stable across recent versions. Most concepts (cookies, claims, and policies) apply directly to .NET 6-9. We will highlight the few areas where .NET 10 introduces specific API changes or new features.

Why learn cookie authentication when Identity and OAuth exist?

Understanding cookie authentication gives you the foundation to work effectively with any authentication system.

ASP.NET Core Identity and OAuth/OIDC providers are all built on top of the authentication and authorization primitives you’ll learn in this course. This knowledge helps you debug issues, customize behavior, and make informed architectural decisions.

Is this a recorded course or instructor-led?

This is an instructor-led course, available either as in-person classroom training or as a live online session. You’ll have direct access to the instructor for questions and discussions throughout the course.

Can the course be customized for our team?

Yes, we offer private team sessions where the content can be adjusted to focus on topics most relevant to your organization. Contact us to discuss your specific needs.

Will there be exercises?

Yes, this course includes an extensive set of hands-on exercises integrated throughout each module. After most topics, you’ll complete practical exercises that let you apply what you’ve just learned. More than half of the course time is dedicated to this hands-on work, ensuring you leave with real, applicable skills rather than just theoretical knowledge.

Do I need any special tools?

You will need a .NET development environment capable of running ASP.NET Core 10 (such as Visual Studio or an equivalent .NET IDE) and an HTTP/HTTPS debugging proxy.

The course demonstrations and exercises assume the use of Fiddler Classic (Windows) for inspecting authentication traffic. If you are using macOS or Linux, you can follow the course using an alternative proxy tool; see the macOS/Linux FAQ for details and limitations.

What if I am using macOS or Linux?

The course and hands-on exercises assume the use of Fiddler Classic (Windows) for inspecting HTTP/HTTPS traffic. If you use a different HTTP debugging proxy, you should still be able to follow along, as the underlying concepts and workflows are the same.

Common alternatives include Fiddler Everywhere (commercial, with a trial), Charles Proxy, Proxyman, and HTTP Toolkit. Please note that tool-specific support for these alternatives cannot be provided.

Tore Nestenius presenting at the Øredev conference in Malmö, November 2024.
Tore Nestenius presenting about authentication at the Copenhagen .NET User Group

After the Workshop

Following the workshop, I offer ongoing support to help you apply what you’ve learned:

  • Identity in ASP.NET Core Consulting:
    Personalized guidance for integrating secure authentication and authorization in your projects.
  • Duende IdentityServer Implementation:
    Coaching, setup, configuration, and customization support tailored to teams using Duende IdentityServer.
  • Architecture Review and Coaching:
    Need an architecture review or focused coaching? I offer assessments and advice to optimize security and performance.
  • Team Training & Workshops:
    Custom sessions to strengthen your team’s understanding of Authentication, OpenID Connect, OAuth, and essential security practices.

Meet Your Instructor

Hello! I’m Tore Nestenius, a senior software developer, trainer, and consultant with deep experience in security, authentication, OpenID Connect, and OAuth. I focus on helping developers and teams understand secure identity solutions in a clear and practical way.

Why I’m an expert in this field:

  • Microsoft MVP In .NET: I’ve been involved in the .NET community since it got started in 2002, and I am also a certified MVP in .NET.
  • Duende IdentityServer: I provide training workshops and consulting services on Duende IdentityServer, a widely-used OpenID Connect and OAuth 2.0 framework. 
  • Sharing knowledge: My blog covers OpenID Connect, OAuth, and related security practices.
  • Frequent speaker: I regularly present on security and authentication at conferences and user group meetups.
 

Follow me

Connect with me on LinkedIn to stay updated on my latest blog posts, upcoming presentations, webinars, and more.

Tore Nestenius presenting at the .NET Skåne usergroup in Malmö, December 2024 about Rebuilding the Task and ThreadPool Concepts in .NET.

See The Concepts, Understand The Solutions, Build Securely

This course follows the same first principles approach presented by the course instructor at NDC Copenhagen, where authentication and authorization are explained from the ground up before introducing higher-level frameworks.

As a Microsoft MVP in .NET, an established entrepreneur, and a developer on .NET since it got started in 2002, Tore is a helpful and engaging guide for developers looking to build powerful, scalable, and secure applications.

For Businesses and Individual Developers

Corporate trainings are arranged for a day and time that suits your team, while my online classes’ dates and times are arranged once there are enough individuals interested, ensuring a better price as well as a time that works for everyone.

Put Tore to the Test: Book A Free Workshop!

The best workshops create an immersive experience. See the benefits that practical, attentive, and up-to-date training can offer today by putting me to the test!

I offer 30-45 minute workshops that can be customized to your team’s needs: 

  • Choose a topic that is key to you and your team. 
  • Pick a webinar or in-person workshop if you’re in Sweden or Denmark.
  • I will tailor the workshop to the challenges you’re actually facing. 
  • Chat with me before going ahead to make sure it’s the right fit for you.
 

Feel free to get in touch using the details below, by submitting a form on the contact page, or by connecting with me on LinkedIn!