Securing the Backend

In this chapter, we'll implement authentication and authorization in our Q and A app. We will use a popular service called Auth0, which implements OpenID Connect (OIDC), to help us do this. We will start by understanding what OIDC is and why it is a good choice before getting our app to interact with Auth0.

At the moment, our web API is accessible to unauthenticated users, which is a security vulnerability. We will resolve the vulnerability by protecting the necessary endpoints with simple authorization, so that only authenticated users can access protected resources.

Authenticated users shouldn't have access to everything though. We will learn how to ensure authenticated users only get access to what they are allowed to by using custom authorization policies.

We'll also learn how to get details about the authenticated user so that we can include these when questions and answers are saved to the database.

In this chapter, we'll cover the following topics:

  • Understanding OpenID Connect
  • Setting up Auth0 with our ASP.NET Core backend
  • Protecting endpoints
  • Using the authenticated user when posting questions and answers
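The three pieces the chapter outlines above (validating Auth0 access tokens, protecting endpoints with simple authorization, and a custom authorization policy that uses the authenticated user's identity) fit together as shown in the following example. This is an added illustration, not code from the book; the Auth0 domain and API audience are placeholders, and the `MustBeQuestionAuthor` policy, its requirement/handler classes and the in-memory author lookup are hypothetical names standing in for the chapter's database-backed versions.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;

var builder = WebApplication.CreateBuilder(args);

// Placeholders (assumed): your Auth0 tenant domain and the API identifier
// registered in Auth0, which the access token's "aud" claim must name.
const string auth0Domain = "https://YOUR_TENANT.auth0.com/";
const string apiAudience = "https://qanda-api";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The handler fetches Auth0's OIDC discovery document and signing keys from
        // the Authority and validates issuer, audience, signature and expiry.
        options.Authority = auth0Domain;
        options.Audience = apiAudience;
    });

builder.Services.AddAuthorization(options =>
{
    // Hypothetical custom policy: only the author of a question may edit it.
    options.AddPolicy("MustBeQuestionAuthor", policy =>
        policy.Requirements.Add(new MustBeQuestionAuthorRequirement()));
});
builder.Services.AddSingleton<IAuthorizationHandler, MustBeQuestionAuthorHandler>();
builder.Services.AddSingleton<IQuestionAuthorLookup, InMemoryQuestionAuthorLookup>();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication(); // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/questions")]
public class QuestionsController : ControllerBase
{
    // Reading questions stays public: no [Authorize] attribute.
    [HttpGet]
    public IActionResult GetQuestions() => Ok(new[] { "What is OIDC?" });

    // Simple authorization: any authenticated user may post. The user's id
    // (Auth0 "sub" claim, mapped to NameIdentifier by default) is stored with the question.
    [Authorize]
    [HttpPost]
    public IActionResult PostQuestion([FromBody] string content)
    {
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return Ok(new { content, userId });
    }

    // Policy-based authorization: authenticated is not enough, the caller must be the author.
    [Authorize(Policy = "MustBeQuestionAuthor")]
    [HttpPut("{questionId:int}")]
    public IActionResult PutQuestion(int questionId, [FromBody] string content) =>
        Ok(new { questionId, content });
}

public class MustBeQuestionAuthorRequirement : IAuthorizationRequirement { }

public interface IQuestionAuthorLookup
{
    Task<string?> GetAuthorIdAsync(int questionId);
}

// Constructed stand-in for the database lookup; user ids are made-up Auth0 subject values.
public class InMemoryQuestionAuthorLookup : IQuestionAuthorLookup
{
    private static readonly Dictionary<int, string> Authors = new()
    {
        [1] = "auth0|user-a",
        [2] = "auth0|user-b",
    };

    public Task<string?> GetAuthorIdAsync(int questionId) =>
        Task.FromResult(Authors.TryGetValue(questionId, out var id) ? id : null);
}

public class MustBeQuestionAuthorHandler : AuthorizationHandler<MustBeQuestionAuthorRequirement>
{
    private readonly IQuestionAuthorLookup _lookup;
    public MustBeQuestionAuthorHandler(IQuestionAuthorLookup lookup) => _lookup = lookup;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MustBeQuestionAuthorRequirement requirement)
    {
        // With endpoint routing, the authorization resource is the HttpContext,
        // so the questionId route value is available here.
        if (context.Resource is not HttpContext http) return;
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var routeId = http.GetRouteValue("questionId")?.ToString();
        if (userId is null || !int.TryParse(routeId, out var questionId)) return; // not succeeded => 403

        var authorId = await _lookup.GetAuthorIdAsync(questionId);
        if (authorId == userId) context.Succeed(requirement);
    }
}
```

A request with no bearer token gets 401 from the authentication middleware; a valid token for a user other than the question's author passes authentication but fails the policy and gets 403. Leaving `GET` unprotected is deliberate in this design: the policy and the `[Authorize]` attribute are placed per endpoint rather than globally, so each endpoint's access rule is visible next to its handler.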
