# How Modern Authentication Works in .NET Applications

Series: Security by Design in .NET: From JWT to Certificate-based Authentication

If you have used:

- Login with Google
- Login with Microsoft
- Identity Server
- Keycloak

then you have used OAuth2 or OpenID Connect (probably without knowing exactly how it works).
## The main problem

Many believe:

OAuth2 = authentication

❌ FALSE
## What is OAuth2

OAuth2 is an authorization protocol.

It allows an application to access resources on behalf of a user.
### Simple example

"Login with Google"

What actually happens: your application requests access to:

- email
- profile

Google says:

"OK, but only if the user consents."

### Result

You receive:

```json
{
  "access_token": "abc123"
}
```

This token is used for:

✅ API access
❌ NOT to know who the user is (correct)
## What is OpenID Connect (OIDC)

OpenID Connect is a layer on top of OAuth2 for authentication.

It adds the concept of:

```json
{
  "id_token": "jwt_here"
}
```

### ID Token

It is a JWT that contains:

```json
{
  "sub": "user123",
  "email": "user@email.com",
  "name": "John Doe"
}
```

This tells you who the user is.
## OAuth2 vs OpenID Connect

| Feature | OAuth2 | OpenID Connect |
|---|---|---|
| Purpose | Authorization | Authentication |
| Token | Access Token | ID Token + Access Token |
| User info | ❌ Not guaranteed | ✅ Yes |
| JWT | Not mandatory | Yes (ID Token) |
## Main flow: Authorization Code Flow

Steps:

1. User is redirected to the provider
2. Authenticates
3. Receives an authorization code
4. The application exchanges it for:
   - access token
   - id token (OIDC)
## PKCE (important in 2026)

PKCE protects against code interception. Used in:

✅ SPA
✅ mobile apps
✅ Blazor WebAssembly
## How it integrates in .NET

ASP.NET Core natively supports OIDC (the `Microsoft.AspNetCore.Authentication.OpenIdConnect` package).

Example:

```csharp
// Program.cs: a cookie holds the local session, OIDC handles the challenge to the provider.
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";         // local session after a successful login
    options.DefaultChallengeScheme = "oidc";   // unauthenticated users are sent to the provider
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "https://your-identity-server"; // discovery document is read from here
    options.ClientId = "client-id";
    options.ClientSecret = "secret";   // load from configuration or a secret store, never hard-code
    options.ResponseType = "code";     // Authorization Code Flow, not the deprecated implicit flow
    options.UsePkce = true;            // default since .NET 5, shown explicitly
    options.SaveTokens = true;         // keeps the access/id tokens in the authentication properties
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```
## Common providers

You can integrate with:

- Google
- Microsoft
## When you need OAuth2 / OIDC

✅ enterprise applications
✅ login with Google / Microsoft
✅ microservices
✅ SSO (Single Sign-On)
## ❌ When you DO NOT need it

If you have:

- small application
- simple login
- no external providers

then you can just use Identity + JWT.
## Common mistakes

❌ using OAuth2 for authentication without OIDC
❌ not validating the ID Token
❌ insecure token storage
❌ missing PKCE
❌ using the implicit flow (deprecated)
## Modern architecture

```text
Client (Blazor / SPA)
        ↓
OIDC Provider (Keycloak / IdentityServer)
        ↓
Access Token (API)
        ↓
Resource Server (ASP.NET Core API)
```
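The "Resource Server" box is the part the .NET snippet above does not cover. As an added example (not code from the original post), here is an ASP.NET Core minimal API that accepts only access tokens issued by the OIDC provider; the authority URL, audience name and scope name are assumptions.

```csharp
// Program.cs of the resource server (added example; Microsoft.AspNetCore.Authentication.JwtBearer package).
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The discovery document at {Authority}/.well-known/openid-configuration supplies
        // the issuer and signing keys, so signatures are checked against the provider's
        // published keys, not a shared secret.
        options.Authority = "https://your-identity-server"; // assumption
        options.Audience = "orders-api";                    // assumption: the API's registered audience
        options.RequireHttpsMetadata = true;
        options.MapInboundClaims = false;                   // keep "sub" as "sub", do not rename claims
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1)             // tighter than the 5-minute default
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Scope check: providers emit "scope" either as one space-separated string or as
    // repeated claims, so both shapes are handled before looking for the required value.
    options.AddPolicy("OrdersRead", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx => ctx.User.FindAll("scope")
                  .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                  .Contains("orders.read")));               // assumption: scope name
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The endpoint never sees a token without a valid signature, issuer, audience, lifetime and scope.
app.MapGet("/orders", (ClaimsPrincipal user) =>
        Results.Ok(new { subject = user.FindFirst("sub")?.Value }))
   .RequireAuthorization("OrdersRead");

app.Run();
```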
## Best Practices

✅ Use Authorization Code Flow
✅ Enable PKCE
✅ Validate the ID Token
✅ Do not expose the access token in the frontend
✅ Use HTTPS (mandatory)
✅ Configure scopes correctly
## Conclusion

OAuth2 = authorization
OpenID Connect = authentication

Together they form the modern authentication standard in enterprise applications.