Security Practices with .NET Core

Security is a core component of any enterprise application. With a proper implementation, we can not only protect sensitive information from unauthorized access but also maintain the integrity of the data. Security can be implemented using different techniques, of which authentication and authorization are the two main principles. In this chapter, we will discuss the different approaches to implementing security in an ASP.NET Core web application and cover the following topics:

  • Authenticating websites using cookie middleware, external authentication, ASP.NET Identity and two-factor authentication
  • Exploring different options for authorizing user access
  • Discussing the core concepts and flows of OAuth and OpenID Connect
  • Implementing a Central Authentication System (CAS) using IdentityServer4
  • Exploring safe storage to store sensitive information

ASP.NET Core comes with a wide range of Open Web Interface for .NET (OWIN) middleware that lets developers and architects authenticate applications using identity, open authentication, social authentication such as Facebook, Google, and Microsoft, and two-factor authentication. Moreover, custom middleware can be written to implement a specific security model. For authorization, the ASP.NET Core Identity system provides a rich security model for defining roles, claims, and policies, which we will cover later in this chapter.

OWIN defines a standard interface between .NET web servers and web applications. The goal of the OWIN interface is to decouple servers and applications, encourage the development of simple modules for .NET web development, and, by being an open standard, stimulate the open source ecosystem of .NET web development tools.