Authentication & Security

Core concepts

Term           | Meaning
Authentication | Proving identity — who are you?
Authorization  | Determining access — what are you allowed to do?
Accounting     | Tracking what was done — audit logs

Principle of Least Privilege — grant only the minimum permissions needed.
Separation of Duties — no single person/system has end-to-end control over critical processes.


Authentication categories

Factor             | Examples
Something you know | Password, PIN
Something you have | Smart card, PKI certificate, hardware key
Something you are  | Fingerprint, facial recognition, retinal scan

Multi-factor authentication (MFA) combines two or more factors.


Authorization types

Type                             | How it works
Central/Explicit                 | Permissions granted directly to user/resource
Decentral/Implicit               | Permissions inferred from group/role membership
RBAC (Role-Based Access Control) | Permissions assigned to roles, users assigned to roles
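Added example (not from the original notes): a small Python resolver that combines the three authorization styles in the table. Explicit grants sit directly on the user, implicit permissions are derived from role membership, and roles can inherit from other roles, so the resolver computes the transitive closure before checking. The policy data, user names and permission strings are constructed for the example; the check is deny-by-default.

```python
from typing import Dict, Set

# Constructed sample policy data; not taken from any real system.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"doc:read"},
    "editor": {"doc:write"},
    "admin": {"user:manage"},
}
# Role inheritance: editor includes viewer, admin includes editor (and so viewer).
ROLE_PARENTS: Dict[str, Set[str]] = {"editor": {"viewer"}, "admin": {"editor"}}
# Decentral/implicit: permissions follow from role membership.
USER_ROLES: Dict[str, Set[str]] = {"alice": {"editor"}, "bob": {"viewer"}, "carol": {"admin"}}
# Central/explicit: a permission granted directly to one user.
EXPLICIT_GRANTS: Dict[str, Set[str]] = {"bob": {"doc:write"}}


def expand_roles(roles: Set[str]) -> Set[str]:
    """Transitive closure over ROLE_PARENTS; the seen-set also protects against cycles."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def effective_permissions(user: str) -> Set[str]:
    """Explicit grants plus every permission reachable through the user's roles."""
    perms = set(EXPLICIT_GRANTS.get(user, ()))
    for role in expand_roles(USER_ROLES.get(user, set())):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: str, permission: str) -> bool:
    """Deny by default: an unknown user or an unassigned permission both fail."""
    return permission in effective_permissions(user)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, sorted(effective_permissions(name)))
```

Least privilege falls out of the data shape: a user gets nothing that is not reachable from an explicit grant or an assigned role, and adding a role never removes a check.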

Security tokens

A security token is a protected data structure containing claims — facts about the issuer and the subject. Tokens are:

  • Signed — tamper-proof and authentic
  • Time-limited — contain an expiration

Token evolution:

Format                 | Encoding         | Notes
SAML 1.1/2.0           | XML              | Enterprise standard, verbose, complex
SWT (Simple Web Token) | Form-URL encoded | Symmetric signatures only
JWT (JSON Web Token)   | JSON             | Modern standard; symmetric and asymmetric signing

JWT — JSON Web Tokens

Three base64url-encoded parts separated by dots: header.claims.signature

Header: metadata — algorithm used

{ "typ": "JWT", "alg": "HS256" }

Claims payload:

{
  "iss": "http://myIssuer",       // issuer
  "aud": "http://myResource",     // audience
  "sub": "alice",                 // subject
  "iat": 1348819380,              // issued at
  "exp": 1348823380,              // expiration
  "scope": "read search"          // custom claims
}

Producing a JWT (.NET):

// JwtSecurityToken and JwtSecurityTokenHandler live in System.IdentityModel.Tokens.Jwt;
// SigningCredentials / SecurityKey types live in Microsoft.IdentityModel.Tokens.
// GetClaims() and GetKey() are placeholders for the claim list and the SigningCredentials.
var token = new JwtSecurityToken(
    issuer: "http://myIssuer",
    audience: "http://myResource",
    claims: GetClaims(),
    signingCredentials: GetKey(),
    notBefore: DateTime.UtcNow,
    expires: DateTime.UtcNow.AddHours(1));

var tokenString = new JwtSecurityTokenHandler().WriteToken(token);

Consuming/validating a JWT (.NET):

// ValidateIssuer, ValidateAudience and ValidateLifetime default to true, so the signature,
// iss, aud and exp/nbf are all checked; ClockSkew defaults to 5 minutes.
var validationParams = new TokenValidationParameters
{
    ValidIssuer = "http://myIssuer",
    ValidAudience = "http://myResource",
    IssuerSigningKey = GetSigningKey()   // placeholder: the key used to verify the signature
};
var handler = new JwtSecurityTokenHandler();
// Throws SecurityTokenException on any failed check; the out parameter receives the parsed token
var principal = handler.ValidateToken(tokenString, validationParams, out _);

JWT advantages: easy to create, transmit, parse, and validate. Mandatory in OpenID Connect.


OAuth 2.0

Open protocol for delegated authorisation — lets a third-party app obtain limited access to a resource on behalf of a user, without sharing credentials.

RFC 6749 (2012) — the current standard.

Roles:

Role                 | Description
Resource Owner       | The user who owns the data
Client               | The app requesting access
Authorization Server | Issues tokens after authenticating the user
Resource Server      | Hosts the protected API/data

OAuth 2.0 flow (Authorization Code — most common):

1. Client redirects user to Authorization Server
2. User authenticates and grants consent
3. Authorization Server returns authorization code to client
4. Client exchanges code for access token (server-to-server)
5. Client uses access token to call Resource Server

OAuth 2.0 is for authorisation, NOT authentication. It answers “what can this app access?”, not “who is this user?”.
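Added example (not from the original notes): the five steps of the Authorization Code flow played out in Python between the four roles from the table, with each side's checks written out. The authorization server binds the code to the client, redirect URI and scope, makes it single-use and short-lived, and authenticates the client on the back-channel exchange; the client generates a state value and refuses a redirect whose state it did not issue; the resource server accepts only a live Bearer token with the right scope. The client id, client secret, redirect URI, user name and token store are all constructed for the example (the resource server reads the authorization server's token table directly instead of calling an introspection endpoint).

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Constructed in-memory authorization server; every value in it is sample data."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}    # code -> grant details; each code is single-use
        self.tokens = {}   # access_token -> {"user", "scope", "exp"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, query, user):
        """Steps 2-3: the user has authenticated and consented; issue a short-lived code."""
        client = self.clients.get(query["client_id"])
        if client is None or client["redirect_uri"] != query["redirect_uri"]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": query["redirect_uri"],
                            "scope": query["scope"], "user": user, "exp": time.time() + 60}
        # Front-channel redirect carrying the code and the client's state, echoed unchanged
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: back-channel exchange. The code is consumed even when a check fails."""
        grant = self.codes.pop(code, None)
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        if grant is None or grant["exp"] < time.time():
            raise PermissionError("invalid, already used or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"],
                                     "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}


class ResourceServer:
    """Hosts the protected data; here it reads the same token store the AS writes."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, authorization_header):
        """Step 5: accept only a live Bearer token whose scope covers this operation."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.tokens.get(token)
        if scheme != "Bearer" or info is None or info["exp"] < time.time():
            return 401, "invalid_token"
        if "read" not in info["scope"].split():
            return 403, "insufficient_scope"
        return 200, {"user": info["user"]}


class Client:
    """The third-party app: it never sees the user's password, only a code and then a token."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_state = None

    def authorization_request(self, scope):
        """Step 1: parameters the user's browser carries to the authorization endpoint."""
        self.pending_state = secrets.token_urlsafe(16)  # ties the response to this session
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state}

    def handle_redirect(self, redirect_url, auth_server):
        """Step 4: verify state, then redeem the code over the back channel."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if params.get("state") != self.pending_state:
            raise PermissionError("state mismatch: response is not bound to a request we made")
        self.pending_state = None
        return auth_server.token(self.client_id, self.client_secret, params["code"], self.redirect_uri)


def run_flow():
    """Steps 1-5 end to end, plus a check that a code cannot be redeemed twice."""
    auth = AuthorizationServer()
    auth.register_client("photo-app", "constructed-client-secret", "https://photo-app.example/callback")
    client = Client("photo-app", "constructed-client-secret", "https://photo-app.example/callback")
    api = ResourceServer(auth)
    redirect = auth.authorize(client.authorization_request("read search"), user="alice")  # 1-3
    issued = client.handle_redirect(redirect, auth)                                          # 4
    status, body = api.get_profile("Bearer " + issued["access_token"])                     # 5
    code = parse_qs(urlparse(redirect).query)["code"][0]
    try:
        auth.token("photo-app", "constructed-client-secret", code, client.redirect_uri)
        replay = "accepted"
    except PermissionError:
        replay = "rejected"
    return {"status": status, "user": body["user"], "code_replay": replay}
```

Note what the resource server learns in step 5: only that some user consented to "read search" for this client. That is the authorisation answer; the user's identity reaches the client only through the OIDC ID token described in the next section.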


OpenID Connect (OIDC)

Built on top of OAuth 2.0 — adds authentication. Returns an ID token (a JWT containing user identity claims) in addition to the access token.

OAuth 2.0 → authorisation (access token)
OIDC       → authentication (id token) + authorisation (access token)

Common OIDC claims in the ID token: sub (user ID), name, email, picture.


Modern vs legacy security stacks

Era                   | Stack
Enterprise / intranet | SAML, Kerberos, LDAP, WS-Federation
Mobile / modern web   | OAuth 2.0, OpenID Connect, JWT

The mobile revolution drove the shift — SOAP/SAML don’t work well on mobile. JSON-based tokens became the “common denominator”.


PCI DSS (Payment Card Industry Data Security Standard)

Compliance framework for organisations handling credit card data.

Key activities:

  • Control testing — documenting assigned PCI controls to satisfy audit requirements
  • Evidence documentation — must meet standards defined in the Good Evidence Guide
  • Audit trail — detailed logs of who accessed cardholder data and when

PCI applies whenever your application stores, processes, or transmits cardholder data.


ASP.NET Core auth patterns

// JWT bearer authentication setup (Program.cs, minimal hosting model)
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidIssuer = "https://myapp.com",
            ValidAudience = "https://myapi.com",
            // Key read from configuration (user secrets / environment), never hard-coded
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]))
        };
    });
// Authorization services; the "CanEdit" policy below is an example definition
builder.Services.AddAuthorization(options =>
    options.AddPolicy("CanEdit", policy => policy.RequireRole("Editor")));

// In pipeline: authentication must run before authorization
app.UseAuthentication();
app.UseAuthorization();
// Protect endpoints (attributes on controllers/actions)
[Authorize]                            // any authenticated user
[Authorize(Roles = "Admin")]           // role-based
[Authorize(Policy = "CanEdit")]        // policy-based
[AllowAnonymous]                       // explicitly public

See also

  • ASP-NET — authentication middleware setup
  • CSharp — System.Security.Claims, ClaimsPrincipal
  • Angular — JWT handling in HTTP interceptors