ASP.NET - OAuth 2.0 and OpenID Connect Integration in ASP.NET Core

 

OAuth 2.0 and OpenID Connect (OIDC) are the standard protocols for securing modern web applications and APIs. OAuth 2.0 is a delegated authorization framework: it lets a user grant a client application scoped access to resources without handing over credentials, but it says nothing about who the user is. OpenID Connect adds an authentication layer on top of it that tells the application who logged in and how. In ASP.NET Core both are implemented by built-in authentication handlers and are used for login, single sign-on (SSO) and API protection.


1. Understanding OAuth 2.0

OAuth 2.0 is an authorization framework that allows an application to access resources on behalf of a user without ever seeing the user's credentials. Instead of sharing a password with the client, the user authenticates at the authorization server, which issues the client an access token scoped to what the user approved.

Key Roles in OAuth 2.0:

  • Resource Owner: The user who owns the data

  • Client Application: The app requesting access on the user's behalf

  • Authorization Server: Authenticates the resource owner, obtains consent and issues tokens

  • Resource Server: Hosts the protected data (API) and accepts the tokens

Common OAuth 2.0 Flow (Authorization Code Flow):

  1. User tries to access a protected resource in the client application

  2. Client redirects the browser to the authorization server's authorize endpoint with its client_id, the requested scope, its registered redirect_uri and a random state value (plus a PKCE code_challenge)

  3. User logs in at the authorization server and grants permission

  4. Authorization server redirects the browser back to the registered redirect_uri with a short-lived, single-use authorization code and the same state value, which the client checks before continuing

  5. Client exchanges the code for an access token in a direct back-channel request to the token endpoint, authenticating itself with its client secret and/or the PKCE code_verifier

  6. Client calls the API with the access token in the Authorization: Bearer header
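
The two client-side messages of this flow, built by hand so the protocol is visible. This is an added example, not code from the original article; in ASP.NET Core the OpenID Connect handler performs all of these steps for you (section 3). The Authority, ClientId and RedirectUri values are assumed placeholders, and the callback in Main is constructed to stand in for the provider's redirect. It also shows the PKCE code_challenge/code_verifier pair that section 7 recommends, which is why a stolen authorization code on its own is worthless.

```csharp
// Added example (not from the original article): the client side of the Authorization Code
// flow with PKCE built by hand so the protocol is visible. In ASP.NET Core the OIDC handler
// does all of this for you. Authority, ClientId and RedirectUri are assumed placeholder values.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

public static class AuthorizationCodeClient
{
    const string Authority   = "https://idp.example.com";              // assumed issuer
    const string ClientId    = "web-client";                           // assumed registration
    const string RedirectUri = "https://app.example.com/signin-oidc";  // must match the registration exactly

    // Per-login values the client must remember until the callback arrives.
    // (The ASP.NET Core handler stores them in an encrypted correlation cookie.)
    public sealed record PendingLogin(string State, string Nonce, string CodeVerifier);

    // Step 2: the front-channel authorization request the browser is redirected to.
    public static (Uri AuthorizeUrl, PendingLogin Pending) CreateAuthorizeRequest(string scope = "openid profile email")
    {
        // PKCE: the random verifier never leaves the client; only its SHA-256 hash is sent now.
        string verifier  = Base64Url(RandomNumberGenerator.GetBytes(32));
        string challenge = Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));
        string state = Base64Url(RandomNumberGenerator.GetBytes(16)); // binds the callback to this browser session (CSRF)
        string nonce = Base64Url(RandomNumberGenerator.GetBytes(16)); // must reappear inside the ID token (replay)

        var query = new Dictionary<string, string>
        {
            ["response_type"]         = "code",
            ["client_id"]             = ClientId,
            ["redirect_uri"]          = RedirectUri,
            ["scope"]                 = scope,
            ["state"]                 = state,
            ["nonce"]                 = nonce,
            ["code_challenge"]        = challenge,
            ["code_challenge_method"] = "S256",
        };
        // Real clients take the endpoint path from {Authority}/.well-known/openid-configuration.
        var url = new Uri($"{Authority}/authorize?{ToQueryString(query)}");
        return (url, new PendingLogin(state, nonce, verifier));
    }

    // Step 4: the provider redirects the browser to redirect_uri?code=...&state=...
    // Nothing may be exchanged until state matches what this client generated.
    public static string ExtractCode(IReadOnlyDictionary<string, string> callbackQuery, PendingLogin pending)
    {
        if (!callbackQuery.TryGetValue("state", out var state) ||
            !CryptographicOperations.FixedTimeEquals(Encoding.ASCII.GetBytes(state), Encoding.ASCII.GetBytes(pending.State)))
            throw new InvalidOperationException("state mismatch: possible CSRF or mixed-up session");
        if (callbackQuery.TryGetValue("error", out var error))
            throw new InvalidOperationException($"authorization failed: {error}");
        return callbackQuery.TryGetValue("code", out var code) ? code : throw new InvalidOperationException("missing code");
    }

    // Step 5: the back-channel token request. A stolen code is useless without the
    // code_verifier (and, for confidential clients, the client secret).
    public static HttpRequestMessage BuildTokenRequest(string code, PendingLogin pending, string? clientSecret)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"]    = "authorization_code",
            ["code"]          = code,
            ["redirect_uri"]  = RedirectUri,
            ["client_id"]     = ClientId,
            ["code_verifier"] = pending.CodeVerifier,
        };
        if (clientSecret is not null) form["client_secret"] = clientSecret; // confidential client only
        return new HttpRequestMessage(HttpMethod.Post, $"{Authority}/token") { Content = new FormUrlEncodedContent(form) };
    }

    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string ToQueryString(Dictionary<string, string> q)
    {
        var sb = new StringBuilder();
        foreach (var (k, v) in q)
            sb.Append(sb.Length == 0 ? "" : "&").Append(Uri.EscapeDataString(k)).Append('=').Append(Uri.EscapeDataString(v));
        return sb.ToString();
    }

    public static async Task Main()
    {
        var (url, pending) = CreateAuthorizeRequest();
        Console.WriteLine($"Step 2, redirect browser to:\n{url}\n");

        // Constructed callback standing in for the provider's redirect (step 4).
        var callback = new Dictionary<string, string> { ["code"] = "SplxlOBeZQQYbYS6WxSbIA", ["state"] = pending.State };
        string code = ExtractCode(callback, pending);

        using var tokenRequest = BuildTokenRequest(code, pending, clientSecret: null);
        Console.WriteLine("Step 5, POST to token endpoint:");
        Console.WriteLine(await tokenRequest.Content!.ReadAsStringAsync());
        // Against a live provider: using var http = new HttpClient(); var response = await http.SendAsync(tokenRequest);
    }
}
```

Two details matter for security here: the state comparison is constant-time and happens before anything else is read from the callback, and the code_verifier only ever travels in the back-channel request, so an attacker who observes the front-channel redirect cannot redeem the code.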


2. What OpenID Connect Adds

OpenID Connect extends OAuth 2.0 with authentication: the authorization server (now called the OpenID Provider) also issues an ID Token, a signed JWT whose claims describe the authenticated user (subject identifier, name, email) and the authentication event itself (issuer, audience, time, nonce).

Key Features of OpenID Connect:

  • Authentication layer on top of OAuth 2.0

  • Provides an ID Token (a signed JWT the client must validate)

  • Standard UserInfo endpoint for additional claims

  • Discovery document (/.well-known/openid-configuration) that publishes the endpoints and signing keys

  • Supports Single Sign-On (SSO)

Tokens Used:

  • Access Token: Presented to APIs (resource servers); the client treats it as opaque and does not parse it to learn who the user is

  • ID Token: A JWT meant for the client only; it carries identity claims (sub, name, email), is validated by the client and is never sent to APIs

  • Refresh Token: Exchanged at the token endpoint for new access tokens without user interaction; long-lived, so it must be stored server-side or encrypted, and rotated


3. Integration in ASP.NET Core

ASP.NET Core provides built-in authentication handlers (middleware) for OAuth 2.0 and OpenID Connect; the application supplies the provider's address and its client registration, and the handlers perform the redirects, token exchange and validation.

Step-by-Step Integration

1. Install Required Packages

Typically includes:

  • Microsoft.AspNetCore.Authentication.OpenIdConnect (NuGet; the OIDC handler used by interactive web apps)

  • Microsoft.AspNetCore.Authentication.JwtBearer (NuGet; the bearer-token handler used by APIs, see section 6)

The cookie handler (Microsoft.AspNetCore.Authentication.Cookies) ships in the shared framework and needs no separate package on .NET Core 3.0 and later.

2. Configure Authentication in Program.cs

builder.Services.AddAuthentication(options =>
{
    // The cookie scheme holds the local session; the OIDC scheme is used only
    // to challenge (redirect to the identity provider) when there is no session.
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
    // Endpoints and signing keys are read from {Authority}/.well-known/openid-configuration
    options.Authority = "https://your-identity-provider.com";
    options.ClientId = "client-id";
    // Never hard-code the secret: read it from user-secrets, an environment variable or a vault
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
    options.ResponseType = "code";   // authorization code flow
    options.UsePkce = true;          // the default for "code", stated explicitly
    options.SaveTokens = true;       // keep access/refresh/ID tokens in the auth cookie for later API calls

    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");      // required for the email claim used in section 5
    // Fetch claims the provider does not put in the ID token from the UserInfo endpoint
    options.GetClaimsFromUserInfoEndpoint = true;
});

3. Enable Middleware

// Order matters: authentication must run before authorization, and both must be
// registered before the endpoints (MapControllers / MapDefaultControllerRoute) they protect.
app.UseAuthentication();
app.UseAuthorization();

4. Protect Controllers

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// An unauthenticated request triggers a challenge on the default challenge scheme ("oidc"),
// i.e. a redirect to the identity provider; after sign-in the user returns to this action.
[Authorize]
public class HomeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
}
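
A complete Program.cs that wires steps 1 to 4 together, as an added example (not code from the original article). It adds what the fragments above leave out: cookie hardening, secrets read from configuration, handling of the provider's error responses, and a sign-out that ends both the local session and the provider session. It assumes the Microsoft.AspNetCore.Authentication.OpenIdConnect package, a .NET 6 or later web project with implicit usings, and configuration keys named Oidc:Authority, Oidc:ClientId and Oidc:ClientSecret; the "roles" claim name and the /Home/LoginFailed action are also assumptions.

```csharp
// Added example, not from the original article: a complete Program.cs for the steps above.
// Assumes .NET 6+ web SDK (implicit usings) and the Microsoft.AspNetCore.Authentication.OpenIdConnect
// package. "Oidc:Authority", "Oidc:ClientId" and "Oidc:ClientSecret" are assumed configuration keys.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;          // "Cookies"
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;        // "OpenIdConnect"
})
.AddCookie(options =>
{
    // The session cookie is what an attacker would steal; harden it.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Lax; // Lax, not Strict: the redirect back from the provider must still carry it
    options.ExpireTimeSpan = TimeSpan.FromHours(8);
    options.SlidingExpiration = true;
})
.AddOpenIdConnect(options =>
{
    options.Authority = builder.Configuration["Oidc:Authority"];
    options.ClientId = builder.Configuration["Oidc:ClientId"];
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // user-secrets / env var / vault, never in source
    options.ResponseType = "code";
    options.UsePkce = true;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("email");

    // Keep the standard OIDC claim names ("sub", "name", "email") instead of the legacy WS-* URIs,
    // and say which claims back User.Identity.Name and User.IsInRole. "roles" is an assumed claim name.
    options.MapInboundClaims = false;
    options.TokenValidationParameters.NameClaimType = "name";
    options.TokenValidationParameters.RoleClaimType = "roles";

    // Where the provider sends the browser after a front-channel logout (register this URI at the provider).
    options.SignedOutCallbackPath = "/signout-callback-oidc";

    options.Events = new OpenIdConnectEvents
    {
        // Provider errors (user cancelled, invalid_request, correlation failure) would otherwise
        // surface as a 500 page; route them to a friendly action and stop the handler.
        OnRemoteFailure = ctx =>
        {
            ctx.Response.Redirect("/Home/LoginFailed?reason=" + Uri.EscapeDataString(ctx.Failure?.Message ?? "unknown"));
            ctx.HandleResponse();
            return Task.CompletedTask;
        }
    };
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();   // populates HttpContext.User from the cookie
app.UseAuthorization();    // enforces [Authorize] and policies on the matched endpoint
app.MapDefaultControllerRoute();
app.Run();

public class AccountController : Controller
{
    // Explicit login: Challenge -> redirect to the provider -> back to returnUrl.
    [HttpGet]
    public IActionResult Login(string returnUrl = "/") =>
        Challenge(new AuthenticationProperties { RedirectUri = LocalOnly(returnUrl) },
                  OpenIdConnectDefaults.AuthenticationScheme);

    // Sign out of BOTH schemes. Clearing only the cookie leaves the provider session alive,
    // so the next Challenge would silently log the same user straight back in.
    [Authorize, HttpPost, ValidateAntiForgeryToken]
    public IActionResult Logout() =>
        SignOut(new AuthenticationProperties { RedirectUri = "/" },
                CookieAuthenticationDefaults.AuthenticationScheme,
                OpenIdConnectDefaults.AuthenticationScheme);

    // Only accept local return URLs to avoid turning login into an open redirect.
    private string LocalOnly(string url) => Url.IsLocalUrl(url) ? url : "/";
}
```

With MapInboundClaims set to false, code elsewhere in the app reads claims by their OIDC names (User.FindFirst("email")); with the default mapping it would have to use ClaimTypes.Email instead.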

4. Identity Providers

ASP.NET Core applications can integrate with any standards-compliant identity provider, such as:

  • Microsoft Entra ID (formerly Azure Active Directory)

  • Google

  • Facebook (OAuth 2.0 social login)

  • Custom or self-hosted identity servers

These providers authenticate the user, collect consent and issue the tokens; the application only needs to trust the provider's issuer and validate the tokens it receives.


5. Claims-Based Identity

After authentication, the OpenID Connect handler validates the ID token, turns its claims (and optionally those fetched from the UserInfo endpoint) into a ClaimsPrincipal, and persists that principal in the authentication cookie. On each subsequent request ASP.NET Core exposes it as the User object.

Example:

User.Identity.Name                       // backed by the "name" claim
User.FindFirst(ClaimTypes.Email)?.Value  // the default inbound mapping renames "email" to this WS-* URI
User.FindFirst("email")?.Value           // works only with options.MapInboundClaims = false

Two things commonly trip people up here: the handler's default inbound claim mapping renames JWT claims such as "email" to legacy ClaimTypes URIs, so a lookup by the raw OIDC name returns null unless MapInboundClaims is disabled; and the email claim is only present when the "email" scope was requested.

Claims allow fine-grained authorization decisions.
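
How those fine-grained decisions look in practice, as an added example that is not part of the original article. A claims transformation normalizes the provider's opaque group identifiers into application roles, and named authorization policies express the rules so controllers never hard-code claim strings. The group ids, role names, policy names and the "groups" and "email_verified" claims are assumptions about a particular provider; raw claim names assume options.MapInboundClaims = false.

```csharp
// Added example (not from the original article): turning claims into authorization decisions.
// Group ids, role names and policy names are invented; claim names assume MapInboundClaims = false.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Runs after authentication and before authorization on every request.
public sealed class GroupsToRolesTransformation : IClaimsTransformation
{
    public const string RoleClaim = "app_role";

    // Assumed mapping: opaque group ids issued by the provider -> roles this application understands.
    static readonly Dictionary<string, string> GroupToRole = new()
    {
        ["7c9e6679-7425-40de-944b-e07fc1f90ae7"] = "BillingAdmin",
        ["16fd2706-8baf-433b-82eb-8c7fada847da"] = "Auditor",
    };

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // The transformation may run more than once per request; never add roles twice.
        if (principal.Identity is not ClaimsIdentity identity || identity.HasClaim(c => c.Type == RoleClaim))
            return Task.FromResult(principal);

        foreach (var group in principal.FindAll("groups"))
            if (GroupToRole.TryGetValue(group.Value, out var role))
                // Issuer "local" marks the claim as derived here, not asserted by the provider.
                identity.AddClaim(new Claim(RoleClaim, role, ClaimValueTypes.String, "local"));
        return Task.FromResult(principal);
    }
}

public static class Policies
{
    public const string BillingAdmin  = "BillingAdmin";
    public const string VerifiedEmail = "VerifiedEmail";

    public static IServiceCollection AddAppAuthorization(this IServiceCollection services)
    {
        services.AddTransient<IClaimsTransformation, GroupsToRolesTransformation>();
        services.AddAuthorization(options =>
        {
            // Presence of a specific claim value produced by the transformation above.
            options.AddPolicy(BillingAdmin, p => p.RequireClaim(GroupsToRolesTransformation.RoleClaim, "BillingAdmin"));
            // Assertion over several claims; OIDC providers send email_verified as the JSON boolean "true".
            options.AddPolicy(VerifiedEmail, p => p.RequireAssertion(ctx =>
                ctx.User.HasClaim(c => c.Type == "email") &&
                string.Equals(ctx.User.FindFirst("email_verified")?.Value, "true", StringComparison.OrdinalIgnoreCase)));
        });
        return services;
    }
}

public class InvoicesController : Controller
{
    [Authorize(Policy = Policies.BillingAdmin)]
    public IActionResult Approve(int id) => Ok($"invoice {id} approved by {User.Identity?.Name}");

    [Authorize(Policy = Policies.VerifiedEmail)]
    public IActionResult Email(int id) => Ok($"invoice {id} sent to {User.FindFirst("email")?.Value}");
}

// Stand-alone check of the transformation with a constructed principal (no web host needed).
public static class ClaimsDemo
{
    public static async Task Main()
    {
        var fromIdp = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("sub", "user-123"),
            new Claim("name", "Alice"),
            new Claim("groups", "7c9e6679-7425-40de-944b-e07fc1f90ae7"),
        }, "oidc", nameType: "name", roleType: GroupsToRolesTransformation.RoleClaim));

        var principal = await new GroupsToRolesTransformation().TransformAsync(fromIdp);
        principal = await new GroupsToRolesTransformation().TransformAsync(principal); // second run adds nothing

        Console.WriteLine($"{principal.Identity!.Name}: roles = " +
            string.Join(",", principal.FindAll(GroupsToRolesTransformation.RoleClaim).Select(c => c.Value)));
        Console.WriteLine($"IsInRole(BillingAdmin) = {principal.IsInRole("BillingAdmin")}");
    }
}
```

Register the policies with builder.Services.AddAppAuthorization() in Program.cs. Deriving roles locally, rather than trusting a role claim minted by the provider, keeps the mapping under the application's control and makes the policy names the only thing controllers depend on.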


6. Securing APIs with OAuth 2.0

For APIs, OAuth 2.0 is typically used with Bearer tokens: the API is a resource server that receives the access token in the Authorization header and validates it locally (signature against the provider's published keys, issuer, audience, lifetime). There is no browser redirect; a missing or invalid token produces a 401 response.

Configuration Example:

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        // Issuer and signing keys are taken from the provider's discovery document
        options.Authority = "https://your-identity-provider.com";
        // Reject tokens minted for other APIs (aud check); never leave the audience unvalidated
        options.Audience = "api-name";
        // Keep raw JWT claim names ("sub", "scope") instead of the legacy WS-* URIs
        options.MapInboundClaims = false;
    });

API Protection:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]                 // any valid token for this audience; add policies for scope checks
[ApiController]
[Route("api/[controller]")]
public class DataController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("Secure Data");
}
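
A plain [Authorize] only proves that the caller presented a token valid for this audience; a resource server should also check that the token carries the scope the operation needs. The following added example (not from the original article) implements that check as a reusable authorization requirement. Providers differ in how scopes appear, either as one space-delimited "scope" claim or as repeated "scp" claims, so the handler accepts both. The scope and policy names are invented, and the raw claim names assume options.MapInboundClaims = false as in the configuration above.

```csharp
// Added example (not from the original article): scope-based authorization for a resource server.
// Scope and policy names are invented; raw claim names assume MapInboundClaims = false.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public sealed class ScopeRequirement : IAuthorizationRequirement
{
    public ScopeRequirement(params string[] anyOf) => AnyOf = anyOf;
    public IReadOnlyList<string> AnyOf { get; }   // satisfied when at least one listed scope is present
}

public sealed class ScopeHandler : AuthorizationHandler<ScopeRequirement>
{
    // Flatten the token's scopes whatever shape the provider uses.
    public static HashSet<string> ScopesOf(ClaimsPrincipal user)
    {
        var scopes = new HashSet<string>(StringComparer.Ordinal);
        foreach (var claim in user.FindAll("scope").Concat(user.FindAll("scp")))
            foreach (var s in claim.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                scopes.Add(s);
        return scopes;
    }

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ScopeRequirement requirement)
    {
        if (requirement.AnyOf.Any(ScopesOf(context.User).Contains))
            context.Succeed(requirement);
        // No explicit Fail(): an unmet requirement yields 403 for an authenticated caller,
        // while a missing or invalid token is already a 401 from the JwtBearer handler.
        return Task.CompletedTask;
    }
}

public static class ScopePolicies
{
    public const string Read  = "data:read";
    public const string Write = "data:write";

    public static IServiceCollection AddScopePolicies(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, ScopeHandler>();
        services.AddAuthorization(options =>
        {
            // Write access implies read access.
            options.AddPolicy(Read,  p => p.RequireAuthenticatedUser().AddRequirements(new ScopeRequirement("data:read", "data:write")));
            options.AddPolicy(Write, p => p.RequireAuthenticatedUser().AddRequirements(new ScopeRequirement("data:write")));
            // Deny by default: an endpoint someone forgets to annotate still requires a valid token.
            options.FallbackPolicy = options.DefaultPolicy;
        });
        return services;
    }
}

[ApiController]
[Route("api/[controller]")]
public class DataController : ControllerBase
{
    [HttpGet, Authorize(Policy = ScopePolicies.Read)]
    public IActionResult Get() => Ok(new { caller = User.FindFirst("sub")?.Value, data = "Secure Data" });

    [HttpPost, Authorize(Policy = ScopePolicies.Write)]
    public IActionResult Post([FromBody] string value) => Created($"/api/data/{Uri.EscapeDataString(value)}", value);
}

// Stand-alone check of the scope parsing with constructed principals (no web host needed).
public static class ScopeDemo
{
    public static void Main()
    {
        var spaceDelimited = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("scope", "openid data:read") }, "Bearer"));
        var repeated = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("scp", "data:write"), new Claim("scp", "profile") }, "Bearer"));
        Console.WriteLine(string.Join(",", ScopeHandler.ScopesOf(spaceDelimited)));
        Console.WriteLine(string.Join(",", ScopeHandler.ScopesOf(repeated)));
    }
}
```

Register with builder.Services.AddScopePolicies() after AddJwtBearer. The fallback policy is the important defensive default: a new controller that nobody remembers to decorate is closed rather than open.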

7. Common Flows Used in ASP.NET

  • Authorization Code Flow (with PKCE) – recommended for server-rendered web apps and the only acceptable option for public clients (SPAs, mobile apps) that cannot keep a secret

  • Client Credentials Flow – for machine-to-machine communication where no user is involved; the service authenticates with its own credentials and the resulting token carries no user identity

  • Implicit Flow – deprecated: tokens travel in the URL fragment, the client is never authenticated, and the OAuth 2.0 Security Best Current Practice advises against it; use the code flow with PKCE instead

  • Hybrid Flow – combination of code and id_token returned in the front channel; common in older ASP.NET Core samples, now largely superseded by the code flow with PKCE
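
The Client Credentials flow as a practitioner would actually wire it into an ASP.NET Core service, as an added example (not code from the original article). A singleton provider fetches a token from the token endpoint and caches it until shortly before expiry; a DelegatingHandler attaches it as a Bearer header so the code calling the downstream API never touches the secret. The token endpoint, client id, scope, the downstream API address and the "Idp:*" configuration keys are assumed values; it assumes a .NET 6 or later web project with implicit usings.

```csharp
// Added example (not from the original article): Client Credentials flow with a cached token.
// Token endpoint, client id, scope, API address and the "Idp:*" configuration keys are assumed values.
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text;
using System.Text.Json.Serialization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public sealed class ClientCredentialsTokenProvider
{
    public const string HttpClientName = "idp-token";
    readonly IHttpClientFactory _factory;
    readonly string _tokenEndpoint, _clientId, _clientSecret, _scope;
    readonly SemaphoreSlim _gate = new(1, 1);
    string? _token;
    DateTimeOffset _expiresAt;

    public ClientCredentialsTokenProvider(IHttpClientFactory factory, IConfiguration config)
    {
        _factory = factory;
        _tokenEndpoint = config["Idp:TokenEndpoint"] ?? throw new InvalidOperationException("Idp:TokenEndpoint missing");
        _clientId      = config["Idp:ClientId"]      ?? throw new InvalidOperationException("Idp:ClientId missing");
        _clientSecret  = config["Idp:ClientSecret"]  ?? throw new InvalidOperationException("Idp:ClientSecret missing"); // env var / vault
        _scope         = config["Idp:Scope"]         ?? "inventory.read";
    }

    sealed record TokenResponse(
        [property: JsonPropertyName("access_token")] string AccessToken,
        [property: JsonPropertyName("token_type")]   string TokenType,
        [property: JsonPropertyName("expires_in")]   int ExpiresIn);

    public void Invalidate() => _token = null; // called after a 401 from the downstream API

    public async Task<string> GetTokenAsync(CancellationToken ct)
    {
        // Refresh 60 s early to absorb clock skew and request latency.
        if (_token is { } cached && DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-60)) return cached;

        await _gate.WaitAsync(ct); // one fetch at a time; concurrent callers reuse the result
        try
        {
            if (_token is { } again && DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-60)) return again;

            using var request = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint)
            {
                Content = new FormUrlEncodedContent(new Dictionary<string, string>
                {
                    ["grant_type"] = "client_credentials",
                    ["scope"]      = _scope,
                })
            };
            // Client authentication via HTTP Basic (RFC 6749 section 2.3.1); no user is involved.
            var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{Uri.EscapeDataString(_clientId)}:{Uri.EscapeDataString(_clientSecret)}"));
            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);

            using var response = await _factory.CreateClient(HttpClientName).SendAsync(request, ct);
            response.EnsureSuccessStatusCode();
            var body = await response.Content.ReadFromJsonAsync<TokenResponse>(cancellationToken: ct)
                       ?? throw new InvalidOperationException("empty token response");
            if (!string.Equals(body.TokenType, "Bearer", StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException($"unexpected token_type '{body.TokenType}'");

            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(body.ExpiresIn);
            return _token = body.AccessToken;
        }
        finally { _gate.Release(); }
    }
}

public sealed class BearerTokenHandler : DelegatingHandler
{
    readonly ClientCredentialsTokenProvider _tokens;
    public BearerTokenHandler(ClientCredentialsTokenProvider tokens) => _tokens = tokens;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await _tokens.GetTokenAsync(ct));
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            _tokens.Invalidate(); // revoked token or rotated key: the next call fetches a fresh one
        return response;
    }
}

public static class InventoryClientRegistration
{
    // Program.cs: builder.Services.AddInventoryClient(); then inject IHttpClientFactory and CreateClient("inventory").
    public static IServiceCollection AddInventoryClient(this IServiceCollection services)
    {
        services.AddHttpClient(ClientCredentialsTokenProvider.HttpClientName);
        services.AddSingleton<ClientCredentialsTokenProvider>();
        services.AddTransient<BearerTokenHandler>();
        services.AddHttpClient("inventory", c => c.BaseAddress = new Uri("https://inventory.example.com/")) // assumed API
                .AddHttpMessageHandler<BearerTokenHandler>();
        return services;
    }
}
```

The cache lives in the singleton provider rather than in the handler because IHttpClientFactory recreates handler pipelines periodically; putting the token in the handler would silently request a new token every couple of minutes.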


8. Security Best Practices

  • Always use HTTPS, and register exact redirect URIs at the provider (no wildcards)

  • Use Authorization Code Flow with PKCE, and leave the state and nonce checks the handler performs enabled

  • Store secrets securely (user-secrets in development, environment variables or a vault in production), never in source control

  • Validate tokens properly: signature against the provider's published keys, issuer, audience, lifetime and the expected signing algorithm; an ID token is for the client and an access token is for the API, never accept one in place of the other

  • Use short-lived access tokens so that a leaked token has a small window of use

  • Implement refresh token rotation so that a reused (stolen) refresh token is detected and the session revoked
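
What "validate tokens properly" means in code, as an added example that is not part of the original article. It uses Microsoft.IdentityModel.JsonWebTokens (7.x), the library the JwtBearer handler uses internally, and walks through the checks a resource server must pin down, then shows the same strict parameters rejecting tokens with the wrong audience, the wrong issuer, an expired lifetime and an unknown signing key. A random symmetric test key is used so the example runs offline; a real resource server validates against the provider's published JWKS (RS256 or ES256) from the discovery document. The issuer, audience, key and claims are constructed test values.

```csharp
// Added example (not from the original article): strict JWT validation with Microsoft.IdentityModel.JsonWebTokens 7.x.
// A symmetric test key keeps the example offline; production validates against the provider's JWKS.
// Issuer, audience, key and claims are constructed test values.
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class TokenValidationDemo
{
    const string Issuer   = "https://idp.example.com";
    const string Audience = "api-name";
    static readonly SymmetricSecurityKey TestKey = new(RandomNumberGenerator.GetBytes(32)); // 256-bit HMAC key
    static readonly JsonWebTokenHandler Handler = new();

    // Everything a resource server must pin down. Leaving any of these unchecked is the classic
    // JWT misconfiguration: accepting tokens minted for another API, expired tokens, or tokens
    // signed with an algorithm the server did not expect.
    public static TokenValidationParameters StrictParameters() => new()
    {
        ValidIssuer = Issuer,                                      // exact match
        ValidAudience = Audience,                                  // tokens for other APIs are rejected
        IssuerSigningKey = TestKey,                                // production: IssuerSigningKeys from the JWKS
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // algorithm pinning against alg confusion
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        ClockSkew = TimeSpan.FromSeconds(30),                      // library default is 5 minutes
        NameClaimType = "name",
    };

    // Mint a test token; the parameters let the caller break one property at a time.
    public static string Mint(string issuer = Issuer, string audience = Audience,
                              DateTime? issuedAt = null, SecurityKey? key = null)
    {
        var iat = issuedAt ?? DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = audience,
            IssuedAt = iat,
            NotBefore = iat,
            Expires = iat.AddMinutes(5),   // short-lived access token
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "user-123"), new Claim("name", "Alice"), new Claim("scope", "data:read") }),
            SigningCredentials = new SigningCredentials(key ?? TestKey, SecurityAlgorithms.HmacSha256),
        };
        return Handler.CreateToken(descriptor);
    }

    public static async Task<(bool Valid, string Detail)> Validate(string jwt)
    {
        TokenValidationResult result = await Handler.ValidateTokenAsync(jwt, StrictParameters());
        return result.IsValid
            ? (true, $"valid, subject name = {result.ClaimsIdentity.Name}")
            : (false, result.Exception.GetType().Name); // names which check failed: audience, issuer, lifetime or signature
    }

    public static async Task Main()
    {
        Console.WriteLine(await Validate(Mint()));                                            // good token
        Console.WriteLine(await Validate(Mint(audience: "other-api")));                       // wrong audience
        Console.WriteLine(await Validate(Mint(issuer: "https://attacker.example.com")));      // wrong issuer
        Console.WriteLine(await Validate(Mint(issuedAt: DateTime.UtcNow.AddHours(-1))));      // expired an hour ago
        Console.WriteLine(await Validate(Mint(key: new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32))))); // unknown key
    }
}
```

The JwtBearer handler from section 6 builds equivalent TokenValidationParameters from the discovery document; the values worth setting explicitly in options.TokenValidationParameters are ValidAlgorithms and ClockSkew, which the defaults leave wider than most deployments need.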


9. Advantages of Using OAuth 2.0 and OIDC

  • Eliminates password sharing: the application never sees the user's password

  • Enables Single Sign-On (SSO)

  • Works across multiple applications

  • Supports modern architectures like microservices

  • Provides scalable and secure authentication


10. Real-World Use Cases

  • Login with Google or Microsoft

  • Enterprise SSO systems

  • Securing REST APIs

  • Mobile and SPA authentication

  • Multi-tenant SaaS applications


In summary, OAuth 2.0 and OpenID Connect integration in ASP.NET Core lets developers build secure, scalable, standards-based authentication and authorization. OAuth 2.0 handles delegated access to resources, while OpenID Connect establishes who the user is, which makes the pair essential for modern web and API security.