Learn Netverks

Authentication and authorization

Last reviewed May 28, 2026 Content v20260528
Track mode: server_compiled (compiled runner). Reading time: ~2 min. Level: intermediate.

This lesson

This lesson teaches Authentication and authorization: the syntax, APIs, and habits you need before advancing in ASP.NET.

Identity and JWT schemes underpin most .NET APIs—misconfigured cookies or CORS break login flows.

You will apply Authentication and authorization in contexts like: Line-of-business APIs, intranets, BFF layers, and cloud-hosted services on Linux or Windows.

Write C# (top-level statements or a Program class) and click Run on server; the dev runner uses dotnet build/run on a temporary net8 project (requires the .NET SDK and LEARNING_RUNNER_ENABLED=true).

Toward the end of the track—consolidate before capstone-style review lessons.

Authentication verifies who the user is; authorization decides what they can do. ASP.NET Core supports cookies, JWT bearer tokens, OpenID Connect, and external providers (Google, Microsoft).

Cookie auth (MVC sites)

using Microsoft.AspNetCore.Authentication.Cookies; // CookieAuthenticationDefaults

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();
builder.Services.AddAuthorization();

Login creates an encrypted authentication cookie; the browser includes it automatically on subsequent requests.

JWT (SPAs and mobile)

using Microsoft.AspNetCore.Authentication.JwtBearer; // NuGet: Microsoft.AspNetCore.Authentication.JwtBearer

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options => { /* set options.Authority and options.Audience */ });

Clients send Authorization: Bearer <token>; validation is stateless and repeated on every request.

Authorization

[Authorize(Roles = "Admin")]
[Authorize(Policy = "CanEditProducts")]

Policies combine claims, roles, and custom requirements in AddAuthorization.
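The JWT, policy and role snippets above assembled into one complete Program.cs for a net8 minimal API, also wiring the middleware in the order this lesson calls for (UseAuthentication before UseAuthorization). This is an added example, not the lesson's own code; the authority URL, audience, claim type and claim value are placeholder assumptions, and the Microsoft.AspNetCore.Authentication.JwtBearer package must be referenced.

```csharp
// Added example (not the lesson's code): JWT bearer auth, a named policy and role checks.
// Authority, audience and the "permission" claim are placeholders, not real values.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;
var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholder issuer/audience: replace with your identity provider's values.
        options.Authority = "https://idp.example.test";
        options.Audience  = "products-api";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Reject tokens whose issuer, audience, lifetime or signature do not check out.
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Policy named as in the lesson; the claim type and value are assumptions.
    options.AddPolicy("CanEditProducts", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("permission", "products:edit"));
});

var app = builder.Build();

// Order matters: establish the user first, then enforce policies against it.
app.UseAuthentication();
app.UseAuthorization();

// Anonymous health check, the minimal-API equivalent of [AllowAnonymous].
app.MapGet("/health", () => Results.Ok("ok")).AllowAnonymous();
// Role check, equivalent to [Authorize(Roles = "Admin")].
app.MapGet("/admin", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}")
   .RequireAuthorization(new AuthorizeAttribute { Roles = "Admin" });
// Policy check, equivalent to [Authorize(Policy = "CanEditProducts")].
app.MapPut("/products/{id:int}", (int id) => Results.NoContent())
   .RequireAuthorization("CanEditProducts");
app.Run();
```

A request without a valid bearer token gets 401 from the authentication middleware; a valid token lacking the Admin role or the permission claim gets 403 from the authorization middleware.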

Important interview questions and answers

  1. Q: Cookie vs JWT?
    A: Cookies suit same-site MVC with CSRF protection; JWT suits cross-origin SPAs and mobile—often with refresh tokens.
  2. Q: Authentication middleware order?
    A: UseAuthentication before UseAuthorization in the pipeline.
  3. Q: [AllowAnonymous]?
    A: Opts out of [Authorize] on specific actions (login, health checks).

Self-check

  1. Which header carries JWT tokens?
  2. What attribute restricts an action to admins?

Pitfall: JWT in localStorage is XSS-sensitive—prefer httpOnly cookies for same-site apps or hardened SPA patterns with short-lived tokens and refresh rotation.

Interview prep

Cookie vs JWT for ASP.NET?

Cookies suit same-site MVC with antiforgery tokens; JWT bearer tokens suit cross-origin SPAs and mobile clients—often paired with refresh tokens.
