ASP.NET Core Authentication Explained

Ever had to add the ability to your ASP.NET Core web application to authenticate users? Or built an API that needs to verify it's being called by the right clients? Be honest: did you fully understand what you were doing, or did you just copy-paste some code from StackOverflow or your favorite AI assistant and hope for the best?

In this session, I'll explain how authentication actually works in ASP.NET Core from start to finish. We'll begin with configuring the middleware, explore how authentication schemes are selected, and dig into handlers, tokens, cookies and headers.

Bring your questions, and leave your fear of AddAuthentication() behind!

Are you sure your access tokens are really secure?

You've read about OAuth 2.0 and decided to secure your web API using JWT access tokens. To implement this, you're likely relying on an open-source library to parse and validate these tokens, confident that your configuration will only accept tokens from your trusted issuer or token service.

But here's the real question: are you absolutely certain that your API only accepts access tokens issued by your service?

In this session, I’ll demonstrate some tricks that can bypass improperly configured token validation. You’ll see how easy it is to fool your API if you’re not careful. But don’t worry, I’ll also show how to write tests that ensure your application is protected against these exploits, keeping your data and users safe.

From Pong to Playstation: The Evolution of Video Games

Blip... Blip... Blip...
Those were the captivating sounds that echoed from the game Pong back in 1972, accompanied by a handful of pixels bouncing across the screen.

This session invites you to fast forward from those simple beginnings to today's gaming world, illuminated by ray-traced graphics and orchestrated soundtracks, transforming the humble blips of Pong into a grand symphony of digital artistry.

Let's revisit key moments that have forever shaped the landscape of video games, leading us to the immersive gaming experiences we enjoy today. Whether you're a veteran gamer or just a casual player, this nostalgic expedition promises to be an enlightening, entertaining, and engaging experience.

READY.
LOAD

PRESS PLAY ON TAPE

Hardening ASP.NET Core Web applications

At some point, you will or should have your web applications submitted to a penetration test or security assessment. In this test, a team of security engineers will poke your API and Web Apps to see if they can get different results than expected.

But have no fear! I will show you how you can harden your web applications by addressing a lot of common risks:
- fingerprinting
- proper use of cookies
- adding several security-related HTTP headers

In this session, I'll demonstrate hardening ASP.NET Core web apps, but you can also apply this knowledge to other web application technologies.

Preparing web applications for security assessments

At some point, you will have your web applications being submitted to a pen-test or security assessment, where a team of security engineers will poke your API and Web Apps to see if they can get different results than expected.

In this workshop, we're going to harden our API and Web application by addressing a lot of common risks:
- fingerprinting
- proper use of cookies
- adding several security-related HTTP headers
- checking our dependencies for vulnerabilities

We'll be using .NET mostly but the concepts will apply to Java, React, Angular and other frameworks as well.

Emulating a Game Boy in .NET 6

In 1989, Nintendo released their first handheld console with cartridges, the Game Boy, which sold over 100 million of units. This device has been the inspiration for game developers around the world to start creating games, and even today, games are still being created for the Game Boy, although not officially on cartridges.

Enter the world of emulation, where the Game Boy is now available as a .NET 6 project. Want to know more about how to emulate a CPU, graphical unit, hardware interrupts and more? Let's dive into C# code and dusty hardware manuals on this journey back to our favorite Italian plumber.

Building a feature-rich OpenID Connect Identity and Access Management Platform

Identity and access management (IAM in short) is critical to protecting confidential data and applications. With the increasing adoption of cloud-based applications, building a scalable and secure identity and access management platform is a must for organizations of all sizes.

In this session, you'll learn about the journey of building an advanced IAM platform based on Duende IdentityServer. We'll discuss the standard capabilities of IdentityServer and explore how we extended it with features such as multi-factor authentication, home realm discovery, and user impersonation. You'll also learn about the best practices for building a resilient and secure platform, including strategies for handling scale and redundancy.

Whether you're just starting out with OpenID Connect or you're looking to take your identity and access management platform to the next level, this session is for you.

This session is not a sales pitch for Duende IdentityServer, I will also briefly mention what other options we considered and why the decision was made to go for Duende's solution.

Safety first! Low-level C# without the unsafe keyword

For a side project, I converted DooM from C to C#. Having to deal with strange file types, alternative ways of (re)allocating memory, data structures being passed around as void* pointers and the likes, it's tempting to use unsafe code in C#. Turns out, that's not needed!

In this session, let's look at how C translates to modern C#, and how C# adds safeguards to avoid shooting yourself in the foot.