
EF Core Fundamentals

Learn the fundamentals of Entity Framework Core and its architecture

70 min | By Priygop Team | Last updated: Feb 2026

Module Overview & Professional Context

Security is not an optional feature that can be added after an application is built; it must be designed into the architecture from the beginning. ASP.NET Core provides a comprehensive security framework that addresses authentication (who are you?), authorization (what are you allowed to do?), data protection (are secrets safe?), and communications security (is the connection encrypted?). The security primitives in ASP.NET Core are composable, testable, and aligned with modern security standards including OAuth 2.0, OpenID Connect, JWT, and the OWASP Top 10 vulnerability mitigations.

ASP.NET Core Identity is the built-in membership system for managing users, passwords, roles, and claims. It provides a full user management pipeline: registration with email confirmation, login with lockout after failed attempts, two-factor authentication with authenticator apps or SMS, external login via Google, Facebook, and Microsoft OAuth, password reset via secure email tokens, and role-based access control. ASP.NET Core Identity stores user data in a database using EF Core, with a default schema that covers users, roles, claims, and login providers. The entire system is extensible: you can replace any component, add custom user properties, or integrate with an existing user database.

JSON Web Tokens (JWTs) are the standard for stateless API authentication in modern web applications. When a user authenticates, the server generates a signed JWT containing claims (user ID, roles, permissions, expiry time) and returns it to the client. The client sends this token in the Authorization: Bearer header on subsequent API requests. The server validates the token's signature using the secret key without consulting the database, making JWT-based authentication highly scalable with no server-side session state. ASP.NET Core's AddJwtBearer() extension configures token validation with just a few lines of configuration. Refresh token strategies extend session lifetimes without requiring users to re-authenticate.

Authorization in ASP.NET Core uses a policy-based model that is far more flexible than simple role checks. An authorization policy is a named set of requirements. The [Authorize(Policy = "RequireAdminRole")] attribute on a controller or action enforces the named policy. Policies can express complex rules: require specific claims, require users to complete email verification, restrict access based on resource ownership, or implement time-of-day access controls. The IAuthorizationHandler interface allows imperative, runtime-evaluated authorization logic for complex business rules that cannot be expressed declaratively. This policy system supports the principle of least privilege and scales cleanly from simple role checks to complex attribute-based access control.
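
The following Program.cs is an added example, not code from the course: it wires AddJwtBearer() token validation to the named "RequireAdminRole" policy described above. The configuration keys (Jwt:Issuer, Jwt:Audience, Jwt:SigningKey), the "Admin" role name, and the two routes are assumptions made for illustration.

```csharp
// Program.cs for an ASP.NET Core web project.
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys; load them from user secrets or a vault, never from source control.
var issuer = builder.Configuration["Jwt:Issuer"];
var audience = builder.Configuration["Jwt:Audience"];
var keyBytes = Convert.FromBase64String(builder.Configuration["Jwt:SigningKey"] ?? "");
if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(audience) || keyBytes.Length < 32)
    throw new InvalidOperationException("Jwt:Issuer, Jwt:Audience and a 32-byte Jwt:SigningKey are required.");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,            // reject tokens minted by another issuer
            ValidIssuer = issuer,
            ValidateAudience = true,          // reject tokens meant for another API
            ValidAudience = audience,
            ValidateLifetime = true,          // enforce the exp / nbf claims
            ClockSkew = TimeSpan.FromSeconds(30), // default is 5 minutes
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(keyBytes),
            // Pin the algorithm so a token cannot choose how it is verified.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        };
    });

// Named policy, usable as [Authorize(Policy = "RequireAdminRole")] on controllers.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("RequireAdminRole", policy => policy.RequireRole("Admin")));

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();

// Any valid token is enough here; the second route also needs the Admin role claim.
app.MapGet("/me", (ClaimsPrincipal user) => user.Identity?.Name ?? "(no name claim)")
   .RequireAuthorization();
app.MapGet("/admin/report", () => "admin only")
   .RequireAuthorization("RequireAdminRole");

app.Run();
```

A request with a missing, expired, or wrongly signed token gets 401 from both routes; a valid token without the Admin role gets 403 from /admin/report.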

Skills & Outcomes in This Module

  • Deep conceptual understanding with the 'why' behind each feature
  • Practical code patterns used in real enterprise codebases
  • Common pitfalls, debugging strategies, and professional best practices
  • Integration with adjacent technologies and architectural patterns
  • Interview preparation: key questions on this topic with detailed answers
  • Industry context: where and how these skills are applied professionally

What is Entity Framework Core?

Entity Framework Core is a lightweight, extensible, open source and cross-platform version of the popular Entity Framework data access technology. It's designed to be used with .NET Core applications.

Key Features

  • Cross-platform support
  • Lightweight and modular
  • Code First and Database First approaches
  • LINQ support
  • Change tracking
  • Lazy loading
  • Query translation