✨ Shield now has support for Avalonia UI

Authentication Security in ASP.Net 9.0

Apr 5, 2024 | .NET

In the ever-evolving landscape of web development, security remains a top priority for ensuring the integrity of user data and access control. ASP.Net 9.0 introduces a range of enhancements to authentication and authorization mechanisms, bolstering security measures and simplifying the process of verifying user identities. Let’s delve into the key features that aim to fortify security and streamline authentication processes.

OIDC and OAuth Parameter Customization

The OAuth and OpenID Connect (OIDC) authentication handlers in ASP.Net 9.0 now introduce the AdditionalAuthorizationParameters option, a pivotal feature that simplifies the customization of authorization message parameters typically found in the redirect query string. Previously, achieving such customization necessitated intricate implementations involving custom callbacks or overrides within handlers. However, with this latest enhancement, developers can seamlessly tailor authorization parameters with increased efficiency.


In earlier versions of .NET, achieving custom parameter customization involved complex configurations. For instance:

builder.Services.AddAuthentication().AddOpenIdConnect(options =>
    options.Events.OnRedirectToIdentityProvider = context =>
        context.ProtocolMessage.SetParameter("prompt", "login");
        context.ProtocolMessage.SetParameter("audience", "https://api.example.com");
        return Task.CompletedTask;

With the streamlined approach in ASP.Net 9.0, achieving the same outcome is now more intuitive:

builder.Services.AddAuthentication().AddOpenIdConnect(options =>
    options.AdditionalAuthorizationParameters.Add("prompt", "login");
    options.AdditionalAuthorizationParameters.Add("audience", "https://api.example.com");

Configuring HTTP.sys Extended Authentication Flags

A notable advancement in ASP.Net 9.0 is the ability to fine-tune Windows authentication via HTTP.sys using the EnableKerberosCredentialCaching and CaptureCredentials properties. These properties empower developers to optimize the authentication process handled by HTTP.sys, allowing for granular control over flags such as enabling Kerberos credential caching for enhanced performance and capturing user credentials during authentication.


Configuring HTTP.sys with extended authentication flags can be achieved as follows:

webBuilder.UseHttpSys(options =>
    options.Authentication.Schemes = AuthenticationSchemes.Negotiate;
    options.Authentication.EnableKerberosCredentialCaching = true;
    options.Authentication.CaptureCredentials = true;


Through these authentication enhancements in ASP.Net 9.0, developers are equipped with powerful tools to fortify security measures, customize authentication parameters, and optimize authentication processes, ultimately elevating the overall user experience and data protection within web applications.

Happy coding!

You May Also Like