Master technical and career interviews with structured answers—short definition, real examples, pitfalls, and how to answer in 60–90 seconds.
uthentication & Authorization (JWT, Identity) What interviewers expect A clear definition tied to ASP.NET Core in ASP.NET Core projects Trade-offs (performance, maintainability, security, cost) When you would and…
✅ Best practices: Don't log sensitive values Use [JsonIgnore] or remove values before logging Mask in logs manually: _logger.LogInformation("Token: {Token}", Mask(token)); Never store secrets in source-controlled files (…
SP.NET Core Identity provides a complete solution for: User registration & login Roles, claims, tokens Password hashing Two-factor authentication ✅ Setup: dotnet add package Microsoft.AspNetCore.Identity.EntityFramew…
JWT (JSON Web Token) is a compact, URL-safe token format used for authentication. ✅ Configure JWT auth: services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.TokenValida…
✅ Role-based: [Authorize(Roles = "Admin")] ✅ Policy-based: services.AddAuthorization(options => { options.AddPolicy("CanEdit", policy => policy.RequireClaim("EditPermission")); }); Then use: [Authorize(Policy = "Ca…
Answer: dd claims when creating identity: var claims = new List<Claim> { new Claim(ClaimTypes.Name, user.UserName), new Claim("Permission", "Edit") }; ccess in code: var claim = User.FindFirst("Permission")…
.Value; What interviewers expect A clear definition tied to ASP.NET Core in ASP.NET Core projects Trade-offs (performance, maintainability, security, cost) When you would and would not use it in production Real-world exa…
Answer: wait HttpContext.SignInAsync(principal); Cookies are stored in the browser and sent with each request. What interviewers expect A clear definition tied to ASP.NET Core in ASP.NET Core projects Trade-offs (perform…
Used in traditional MVC apps for session-based auth. services.AddAuthentication(CookieAuthenticationDefaults.Authenticati onScheme) .AddCookie(options => { options.LoginPath = "/Account/Login"; }); On login: await Htt…
Answer: lso supports: Facebook Microsoft Twitter OpenID Connect Azure AD Use RemoteAuthenticationHandler<T> or Identity scaffolding. What interviewers expect A clear definition tied to ASP.NET Core in ASP.N…
Use built-in providers: services.AddAuthentication() .AddGoogle(options => { options.ClientId = "..."; options.ClientSecret = "..."; }); Also supports: Facebook Microsoft Twitter OpenID Connect Azure AD Use RemoteAuth…
Used with JWT to renew access tokens after expiration without logging in again. Issue refresh token along with access token. Store securely (DB or secure HTTP-only cookie). On access token expiration, send refresh token…
JWTs typically expire in 5–30 minutes. Expired tokens cannot be used. Revocation requires token blacklisting (e.g., database of revoked tokens). ✅ Configure expiration: Expires = DateTime.UtcNow.AddMinutes(30) ✅ Use refr…
Answer: [Authorize]: Requires authenticated user [Authorize(Roles = "Admin")]: Requires role [AllowAnonymous]: Allows access without login Example: [Authorize] public IActionResult Dashboard() { } [AllowAnonymous] public…
Define complex authorization rules using IAuthorizationHandler: public class MinimumAgeRequirement : IAuthorizationRequirement { public int Age { get; } public MinimumAgeRequirement(int age) => Age = age; public class…
SP.NET Core uses Data Protection API to: Encrypt authentication cookies Protect tokens (e.g., password reset tokens) Configure: services.AddDataProtection() .PersistKeysToFileSystem(new DirectoryInfo("path")) .SetApplica…
Multi-tenancy can involve: Per-tenant databases Per-tenant user stores Per-tenant roles/policies Strategies: Use claims to store tenant ID Filter data per tenant Custom middleware for tenant resolution Can integrate with…
SP.NET Core Identity uses PBKDF2 hashing by default. Best practices: Never store plaintext passwords Use salted + hashed storage Use PasswordHasher<T> or Identity defaults Use: PasswordHasher<T>.HashPassword(…
Supported out of the box in ASP.NET Core Identity. Options: SMS (via provider) Email Authenticator app (TOTP) Enable via Identity configuration: services.Configure<IdentityOptions>(options => { options.SignIn.Re…
Filters are components that run code before or after certain stages in the request pipeline within MVC or Razor Pages. Types of filters include: Authorization filters: Run before any other filter to check user authorizat…
Middleware is part of the global HTTP request pipeline and executes for every request. Filters only run within MVC/Razor pipeline, for controller actions or Razor Pages handlers. Middleware runs earlier and can short-cir…
Create a custom filter by implementing one of the filter interfaces like: public class CustomActionFilter : IActionFilter { public void OnActionExecuting(ActionExecutingContext context) { // Before action executes } publ…
Answer: ctions. Global filters are best for cross-cutting concerns like logging, exception handling. Controller/action filters are best for behavior specific to particular routes or endpoints. What interviewers expect A…
Global filters apply to all MVC actions, registered via AddControllers or AddMvc options. Controller or action filters are applied via attributes directly on controllers or actions. Global filters are best for cross-cutt…
Filter attributes are instantiated per request and support parameters, but have limited DI capabilities. Service-based filters (using ServiceFilter or TypeFilter) allow filters to be resolved from DI container, enabling…
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
uthentication & Authorization (JWT, Identity)
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
✅ Best practices:
_logger.LogInformation("Token: {Token}", Mask(token));
Authentication & Authorization
(JWT, Identity)
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
SP.NET Core Identity provides a complete solution for:
✅ Setup:
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore
In Startup or Program.cs:
services.AddIdentity<IdentityUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
JWT (JSON Web Token) is a compact, URL-safe token format used for authentication.
✅ Configure JWT auth:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options => {
options.TokenValidationParameters = new
TokenValidationParameters {
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new
SymmetricSecurityKey(Encoding.UTF8.GetBytes("your-secret"))
};
});
Use [Authorize] to secure endpoints.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
✅ Role-based:
[Authorize(Roles = "Admin")]
✅ Policy-based:
services.AddAuthorization(options => {
options.AddPolicy("CanEdit", policy =>
policy.RequireClaim("EditPermission"));
});
Then use:
[Authorize(Policy = "CanEdit")]
Policy-based gives more flexibility (custom requirements, claims, logic).
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: dd claims when creating identity: var claims = new List<Claim> { new Claim(ClaimTypes.Name, user.UserName), new Claim("Permission", "Edit") }; ccess in code: var claim = User.FindFirst("Permission")?.Value;
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
.Value;
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: wait HttpContext.SignInAsync(principal); Cookies are stored in the browser and sent with each request.
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Used in traditional MVC apps for session-based auth.
services.AddAuthentication(CookieAuthenticationDefaults.Authenticati
onScheme)
.AddCookie(options => {
options.LoginPath = "/Account/Login";
});
On login:
await HttpContext.SignInAsync(principal);
Cookies are stored in the browser and sent with each request.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: lso supports: Facebook Microsoft Twitter OpenID Connect Azure AD Use RemoteAuthenticationHandler<T> or Identity scaffolding.
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Use built-in providers:
services.AddAuthentication()
.AddGoogle(options => {
options.ClientId = "...";
options.ClientSecret = "...";
});
Also supports:
Use RemoteAuthenticationHandler<T> or Identity scaffolding.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Used with JWT to renew access tokens after expiration without logging in again.
You must manually implement refresh token logic (not built-in to Identity).
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
✅ Configure expiration:
Expires = DateTime.UtcNow.AddMinutes(30)
✅ Use refresh tokens to handle expiration.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: [Authorize]: Requires authenticated user [Authorize(Roles = "Admin")]: Requires role [AllowAnonymous]: Allows access without login Example: [Authorize] public IActionResult Dashboard() { } [AllowAnonymous] public IActionResult Login() { }
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Define complex authorization rules using IAuthorizationHandler:
public class MinimumAgeRequirement : IAuthorizationRequirement {
public int Age { get; }
public MinimumAgeRequirement(int age) => Age = age;
public class MinimumAgeHandler :
AuthorizationHandler<MinimumAgeRequirement> {
protected override Task HandleRequirementAsync(...) {
// logic
Register in DI and use with [Authorize(Policy = "...")].
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
SP.NET Core uses Data Protection API to:
Configure:
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo("path"))
.SetApplicationName("AppName");
Used internally by Identity and cookie middleware.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Multi-tenancy can involve:
Strategies:
Can integrate with IdentityServer4 or Azure AD B2C for federated auth.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
SP.NET Core Identity uses PBKDF2 hashing by default.
Best practices:
Use:
PasswordHasher<T>.HashPassword(user, password)
Can switch to Argon2, Bcrypt via custom password hasher.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Supported out of the box in ASP.NET Core Identity.
Options:
Enable via Identity configuration:
services.Configure<IdentityOptions>(options => {
options.SignIn.RequireConfirmedEmail = true;
});
Use SignInManager<T> to handle verification and token generation.
Filters & Middleware Overlaps
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Filters are components that run code before or after certain stages in the request pipeline
within MVC or Razor Pages. Types of filters include:
Filters allow you to inject logic at these specific points.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
request.
handlers.
scoped to MVC processing.
for concerns around controller/action execution.ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Create a custom filter by implementing one of the filter interfaces like:
public class CustomActionFilter : IActionFilter
{
public void OnActionExecuting(ActionExecutingContext context)
{
// Before action executes
}
public void OnActionExecuted(ActionExecutedContext context)
{
// After action executes
}
}
Register globally in Startup:
services.AddControllersWithViews(options =>
{
options.Filters.Add<CustomActionFilter>();
});
Or decorate controllers/actions:
[ServiceFilter(typeof(CustomActionFilter))]
public class HomeController : Controller { ... }ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: ctions. Global filters are best for cross-cutting concerns like logging, exception handling. Controller/action filters are best for behavior specific to particular routes or endpoints.
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
options.
actions.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
limited DI capabilities.
resolved from DI container, enabling constructor injection.
Use service-based filters when you need dependencies injected.