OpenID Connect and Authentication

This is a list of OpenID Connect and authentication talks that I’ve created.

OIDC & Authentication Talks

A Tokenless SPA: Secure Authentication with the BFF Pattern

Single-page applications often implement OAuth/OIDC directly in the browser. This can work, but it also increases the attack surface and adds complexity that is easy to get wrong.

This talk presents a modern alternative: the Backend-for-Frontend (BFF) pattern. Instead of treating the SPA as the OAuth client, the BFF becomes the client and the browser receives only a secure, HttpOnly session cookie. We will walk through the architecture, the request flows (login, API calls, logout), and practical defenses such as SameSite cookies, cookie prefixing, CORS lockdown, and CSRF protections designed for same-origin SPAs.

Attendees will leave with a clear migration path from “tokens in the browser” to a session-based BFF model, including live ASP.NET Core code and implementation guidance for real-world deployments.

You will learn:

  • The real risks of browser-based token handling
  • How the BFF pattern works and why it is safer
  • How to build SPAs that stay secure without storing tokens in the browser
  • Practical implementation guidance and common pitfalls

This talk is for developers working with OpenID Connect and OAuth who want a modern and secure approach to SPA authentication. Live code examples will be shown using ASP.NET Core.

Demystifying authentication in ASP.NET Core

In this talk, we’ll explain how authentication works in ASP.NET Core. It can be complicated, with many moving parts. We’ll cover the main building blocks, such as schemes, handlers, ClaimsPrincipal, claims, challenges, session cookies, and more. It will be a practical, in-depth look at how authentication actually works under the hood.

Top Authentication Fails in ASP.NET Core (and How to Avoid Them)

After writing over 1,000 answers on Stack Overflow, mostly about authentication and OpenID Connect, I’ve seen the same mistakes and pitfalls appear over and over. In this talk, I’ll share some of the most common mistakes developers make when building authentication solutions.

From simple misconfigurations to deeper misunderstandings of protocols and security flows, we’ll explore the traps that are all too easy to fall into when working with ASP.NET Core authentication. You’ll learn why some common practices are actually anti-patterns, how to avoid opening security vulnerabilities, and what best practices can help you build secure, reliable authentication.

The Data Protection API: The Hidden Security Hero in ASP.NET Core

The Data Protection API protects authentication cookies, antiforgery tokens, and other sensitive data in ASP.NET Core. It often “just works” in development, but in production it can cause broken logins and random sign-outs after redeployments or when scaling out behind a load balancer.

This session explains Data Protection from a production-first perspective. We will cover how key rings are created and rotated, why multi-instance setups fail, how purpose strings affect isolation and interoperability, and how to safely share authentication cookies across services.

You will leave with a clear understanding of how ASP.NET Core applications behave in production and what is required to run Data Protection reliably at scale.

AddJwtBearer - deep dive

Most of us use the JwtBearer authentication handler in ASP.NET Core to secure our APIs. But what does it actually do? What makes it tick? What security and reliability considerations should we be aware of when we go to production? And finally, are there any changes in .NET 8? In this presentation, we will try to bring clarity to these questions.

Introduction to OAuth/OpenID Connect

Token-based security is an area that can be very complex, with its many different standards and concepts. In this seminar I will introduce what OpenID Connect is all about. We will address, among other things:

  • Where are our security challenges in modern software architectures?
  • Why do we need OAuth/OpenID Connect?
  • What are tokens and what different tokens are there?
  • What are scopes and claims?
  • What flows are there in OpenID Connect?

OpenID Connect and ASP.NET Core

In this part, we look at how we can apply OpenID Connect in an ASP.NET Core environment and together with IdentityServer to secure an MVC application and API.

This talk is a continuation of the Introduction to OAuth/OpenID Connect talk. We address, among other things:

  • How is authentication and authorization implemented in ASP.NET Core?
  • How to secure an ASP.NET Core MVC and API application using OpenID Connect
  • What is IdentityServer and how can we use it in our architecture?

Securing User Logins and Cookie Sessions

Stolen browser cookies and phishing attacks are real threats to modern web applications. Even users with strong passwords and two-factor authentication (2FA) can still be compromised.

In this session, we will look at how attackers steal session cookies, what happens when a cookie is hijacked, and how to detect and respond to these attacks. You will also see why mobile authenticator apps are not as safe as many believe, and how attackers can bypass 2FA even when one-time codes are used.

You will leave with practical strategies to protect user logins and sessions, improve session security, and reduce the risk of account takeovers.

For more talks, visit my Talks page.

Interested In A Talk?

Contact me for a price enquiry or to submit interest.

About the Trainer

My name is Tore Nestenius and I have worked as a professional trainer since 2012. I have taught both on-site at our customers and through various training companies in the Nordic countries, including:

Photo: Tore Nestenius presenting at the .NET Skåne user group in Malmö, Sweden, December 2024, on Rebuilding the Task and ThreadPool Concepts in .NET.