Identity & access control for modern web applications & APIs

(using ASP.NET 4 & 5, OpenID Connect, OAuth2, and IdentityServer)

Brock Allen & Dominick Baier

Modern application design has changed quite a bit in recent years. “Mobile-first” and “cloud-ready” are the types of applications you are expected to develop. Additionally, Microsoft has revamped their web stack with OWIN, Katana, and ASP.NET 5 to keep pace with these architectural demands.

Needless to say, you also have to secure these apps.

Multi-platform, multi-client, and highly mobile users bring a new set of challenges, so the approaches of the past are no longer appropriate for modern applications. This three-day workshop is your chance to dive into all things security related to these new technologies. Learn how to securely connect native and browser-based applications to your back-ends and integrate them with enterprise identity management systems as well as social identity providers and services.

The first day will focus on securing web applications, whereas the second day will shift to Web APIs and their security needs. The first two days will utilize the current ASP.NET framework including OWIN and Katana. The third day will conclude with a look towards the next ASP.NET runtime and the unification of MVC and Web API, as well as the most common customizations of the popular open source IdentityServer framework.

Day 1: Web Applications

Authentication & Authorization on .NET 4.5

Middleware-based Security Framework

  • Cookie-based Authentication
  • Enterprise Authentication with WS-Federation
  • Social Logins (e.g. Google, Facebook, Twitter, etc.)
  • OpenID Connect

Web Application Patterns

  • Single Sign On / Single Sign Off
  • Federation Gateway
  • Account & Identity Linking
  • Delegation
  • Home Realm Discovery

Day 2: Web APIs

ASP.NET Web API Security

  • Architecture
  • Authentication & Authorization
  • CORS
  • Katana Integration

Web API Patterns

  • Token-based Authentication
  • Delegated Authorization


  • Flows
  • Scopes
  • OAuth2 Middleware
  • Federation

OpenID Connect (revisited)

Day 3: ASP.NET 5 and IdentityServer

From Katana to ASP.NET 5

  • DNX
  • Pipeline
  • DI
  • MVC 6
  • Security middleware

Customizing IdentityServer

  • Scopes and Clients
    • Persistence of configuration
  • UserService
    • Login workflow (e.g. 2FA)
    • Registration
  • Views/branding
  • Patterns
    • Token types, lifetimes, and renewal
    • Persistence of operational data
  • Deployment


Speaker profiles


Brock Allen

Brock is an independent consultant with almost 20 years of industry experience, specialising in .NET, web development, and web-based security. He’s an author and instructor for developer training company DevelopMentor, where he manages the web curriculum. Brock is also a member of Thinktecture, and contributes to the various open source projects there. He frequently posts to the ASP.NET forums, is an MVP for ASP.NET/IIS, a member of ASPInsiders, and a contributor to the ASP.NET platform.

@BrockLAllen


Dominick Baier

Dominick works as an associate consultant for the German company Thinktecture. His focus is on identity & access control protocols and APIs, and how to apply them to real-world software projects. He started the popular IdentityModel, IdentityServer and AuthorizationServer open source projects, which are now used by many developers and companies around the world.

@leastprivilege