Securing ASP.NET Core 3 Applications

In today's world of increasing digital crime and internet fraud, all modern web applications require strong security mechanisms to prevent attacks and user identity theft.

Until now, we have mainly concentrated on understanding how to build efficient ASP.NET Core 3 web applications, without thinking about user authentication, authorization, or any data protection at all, but since the Tic-Tac-Toe application is getting more and more complicated, we will have to address security issues before finally deploying it to the public.

Building a web application without thinking about security would be a serious mistake, one that could bring down even the greatest and most famous websites. In the case of security breaches and personal data theft, the damage to reputation and user confidence could be tremendous, and nobody would want to work with those applications or, more troublingly, the companies behind them anymore.

This is a topic that needs to be taken very seriously. You should work with security companies to execute code verifications and intrusion tests to ensure that you comply with best practices and high-security standards (the OWASP Top 10, for example, can be found here: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

Luckily, ASP.NET Core 3 contains everything necessary to help you with this complicated, but important, topic. Most of the built-in features do not even require advanced programming or security skills. You will see that it is very easy to understand and implement secure applications by using the ASP.NET Core 3 Identity framework.

The main skills that you will learn in this chapter include how to authenticate users for your application and how to authorize your users to be able to carry out different tasks in the application. You will learn how to use different types of authentication, including how to implement two-factor authentication.

We will start by implementing authentication and then move on to authorization. For authentication, we will first look at basic forms authentication, then add external authentication, work with two-factor authentication, and finish by adding forgotten password and password reset mechanisms, before tackling authorization as a whole.

In this chapter, we will cover the following topics:

  • Implementing authentication:
    • Adding basic user form authentication
    • Adding external provider authentication
    • Adding forgotten password and password reset mechanisms
    • Working with two-factor authentication
  • Implementing authorization