Posts by Category

Conference

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools - API Days Australia 2023

3 minute read

I presented some of my learnings around modern software supply chain security tools and landscape at API Days Australia 2023 and K8SUG Meetup in November. I had my team co-present the topic with me this time. My team in Microsoft Industry Solution Engineering have been building solutions to enable government and defence customer teams in Australia and secure software supply chains have been the main focus. With the renewed focus on supply chain attacks and with the supply chain security endorsement by the W...

Lessons learned from doing EdgeDevOps (GitOps) in the bush, air and underwater - API Days Australia 2022

1 minute read

I recently spoke at API Days Australia about my experiences building distributed systems and some challenges my team faced deploying and running them on the edge. It is not an exaggeration to say that most modern systems that teams build are running on the cloud in a distributed architecture. There are some well-known successful practices around DevOps for these cloud native solutions as well. But what happens when you want to use the same workflows to deploy and run on the edge where connectivity might...

Propagating context and tracing across your distributed process boundaries using OpenTelemetry - API Days Australia 2021

3 minute read

I spoke at API Days Australia about my experiences building distributed systems and some challenges I’ve faced. We are amidst the 2nd wave of cloud migrations. This means it’s no longer enough just to have a presence on the web if you need a competitive advantage. You need to be able to thrive. We are building more and more cloud native solutions with an emphasis on distributed systems more than any other time in the past. With cloud native distributed systems now the norm, tracing and tracking telemet...

The Shell Game Called Eventual Consistency - API Days Jakarta 2021

3 minute read

A few weeks ago I spoke at API Days Jakarta about some of my experiences building distributed systems. As more and more companies take their businesses to the web, they are finding that their customers are demanding highly responsive and highly available systems. So developers are expected to build those responsive distributed systems more than any time in the past. This means that in certain situations you as developers have to let go of strong consistency or distributed transactions. Even in other cases m...

Not All “Microservices Frameworks” Are Made The Same - NDC Sydney 2020

3 minute read

Last October I spoke at NDC Sydney about the pitfalls associated with microservices frameworks and how you can still leverage libraries and runtimes to help with distributed system complexities. In my experience, microservices frameworks tend to give diminishing results as your project evolves and even make your team less agile and productive. Microservices are an architectural style and frameworks tie you down to a lot of opinions that do not age well. This is my first time speaking at NDC and due to ...

Building Distributed Systems on the Shoulders of Giants - API Days Live, Australia 2020

2 minute read

I recently spoke about building distributed systems at API Days Australia conference. My talk is titled Building distributed systems on the shoulders of giants. It’s a reference to the popular metaphor about leveraging the knowledge of people who have been here before us. About API Days Live Australia On the website it says APIdays is the leading industry tech and business series of conferences in APIs and the programmable economy. As APIs become mainstream, our world becomes more connected, more au...

Upcoming talk @ API Days, Melbourne 2019

19 minute read

I’ll be speaking about some of my Microservices scars at the upcoming API Days conference to be held at Melbourne convention & exhibition centre. My talk is titled A Game of Snake And Ladders Called Microservices. It’s a reference to the popular board game and I hope to carry the theme throughout my talk.

Speaking @ DDD Melbourne 2019

1 minute read

Last weekend I spoke at @DDDMelbourne and it was my first time doing so. The event attracted close to 900 people and had 5 concurrent tracks. I spoke at the @JuniorDev channel about Modern Authentication.

Speaking @LevelsConf 2018

1 minute read

I recently got a chance to speak at Levels Conference and it was my first time speaking in front of such a large audience. There were around 400 very keen junior developers there.

.net

Converting a Visual Studio database project to use DbUp migrations

10 minute read

Database projects in Visual Studio have been a very popular way to develop and manage the database schema and logic in the past. With more and more applications now preferring to have the data tier logic and validation within the bounds of the application and use the database just for persistence, I’ve come across clients who want to convert their database projects to more CI/CD friendly database migrations. So I decided to share an approach used to convert an existing database project to use database mi...

Preventing fat/bloated/god controllers by following a simple endpoint pattern

5 minute read

I’ve been working with ASP.NET/CORE MVC and WebApi for a while now and there is a problem I often run into. It’s the case of the fat/bloated/god controller. This is a fairly simple problem to diagnose and most developers I speak to understand why this is an anti pattern. But why does it keep happening and how do we prevent it? What makes good developers fall into this trap? The library referenced in this post SimpleEndpoints is hosted at https://github.com/dasiths/SimpleEndpoints. The Why Typical...

Integration Testing an AspNet Core API That is Protected With CSRF/XSRF Tokens

5 minute read

I was working on writing integration tests for an AspNet Core Web API project recently (I blogged about how to write integration tests here). The front end was developed using Angular and we had CSRF protection enabled. If you haven’t done this before, the Microsoft documentation is a good place to start. How It Works On the first request to the server, it returns a cookie with a special name (i.e. XSRF-TOKEN). The SPA is expected to extract the value from the cookie and reattach that in the subseque...

Protecting Assets Without Using Authorization Headers (i.e. Bearer Tokens)

6 minute read

tl;dr; If you want to access an api endpoint but don’t have a way to append the authorization info to your request, you need to create a magic url that is short lived and has limited use. Go directly here for code samples. Consider this scenario. You have developed a SPA (Single Page Application) that uses some form of OAuth to retrieve an access/bearer token. You now append that to your http request header when you call your backend REST API. The backend inspects the token and processes the request....

Setting Up AzureAD Multi-tenant Authentication With ASP NET Core And Angular

6 minute read

Using Azure AD to implement a multi-tenant application is fairly straightforward. It requires turning on a few knobs and switches from the portal and you’re most of the way there. In this post we will look at how to set up a multi-tenant app registration and implement the logic in the front end to direct the user to a common sign-in endpoint. We will also look at how to control access to a pre determined set of tenants. App Registration This is the easy part. Create an app registration from the Azure ...

Requesting Additional Claims From AzureAD

1 minute read

I am currently working on a project that uses EasyAuth to protect a web app hosted on Azure App Services. Think of it as a layer that operates above your web app that handles authentication and then inserts some special headers with the logged-in user’s information. Your backend web application can read these special headers and extract claims about the user. The Problem Out of the box it includes things like name, oid and upn of the logged in user. One thing very noticeably missing was the email cl...

Mediator Pattern Implemented In .NET/C#

9 minute read

The mediator pattern or the “domain whisperer” as I like to call it has been around for a long time and the main selling point of it is the reduction of coupling and enforcing clear separation of the domain logic from UI/Top layers. Let’s look at the Wikipedia definition. Usually a program is made up of a large number of classes. Logic and computation are distributed among these classes. However, as more classes are added to a program, especially during maintenance and/or refactoring, the problem of...

Microservices

Propagating context and tracing across your distributed process boundaries using OpenTelemetry - API Days Australia 2021

3 minute read

I spoke at API Days Australia about my experiences building distributed systems and some challenges I’ve faced. We are amidst the 2nd wave of cloud migrations. This means it’s no longer enough just to have a presence on the web if you need a competitive advantage. You need to be able to thrive. We are building more and more cloud native solutions with an emphasis on distributed systems more than any other time in the past. With cloud native distributed systems now the norm, tracing and tracking telemet...

The Shell Game Called Eventual Consistency - API Days Jakarta 2021

3 minute read

A few weeks ago I spoke at API Days Jakarta about some of my experiences building distributed systems. As more and more companies take their businesses to the web, they are finding that their customers are demanding highly responsive and highly available systems. So developers are expected to build those responsive distributed systems more than any time in the past. This means that in certain situations you as developers have to let go of strong consistency or distributed transactions. Even in other cases m...

Not All “Microservices Frameworks” Are Made The Same - NDC Sydney 2020

3 minute read

Last October I spoke at NDC Sydney about the pitfalls associated with microservices frameworks and how you can still leverage libraries and runtimes to help with distributed system complexities. In my experience, microservices frameworks tend to give diminishing results as your project evolves and even make your team less agile and productive. Microservices are an architectural style and frameworks tie you down to a lot of opinions that do not age well. This is my first time speaking at NDC and due to ...

Building Distributed Systems on the Shoulders of Giants - API Days Live, Australia 2020

2 minute read

I recently spoke about building distributed systems at API Days Australia conference. My talk is titled Building distributed systems on the shoulders of giants. It’s a reference to the popular metaphor about leveraging the knowledge of people who have been here before us. About API Days Live Australia On the website it says APIdays is the leading industry tech and business series of conferences in APIs and the programmable economy. As APIs become mainstream, our world becomes more connected, more au...

Upcoming talk @ API Days, Melbourne 2019

19 minute read

I’ll be speaking about some of my Microservices scars at the upcoming API Days conference to be held at Melbourne convention & exhibition centre. My talk is titled A Game of Snake And Ladders Called Microservices. It’s a reference to the popular board game and I hope to carry the theme throughout my talk.

Distributed Systems

Lessons learned from doing EdgeDevOps (GitOps) in the bush, air and underwater - API Days Australia 2022

1 minute read

I recently spoke at API Days Australia about my experiences building distributed systems and some challenges my team faced deploying and running them on the edge. It is not an exaggeration to say that most modern systems that teams build are running on the cloud in a distributed architecture. There are some well-known successful practices around DevOps for these cloud native solutions as well. But what happens when you want to use the same workflows to deploy and run on the edge where connectivity might...

Propagating context and tracing across your distributed process boundaries using OpenTelemetry - API Days Australia 2021

3 minute read

I spoke at API Days Australia about my experiences building distributed systems and some challenges I’ve faced. We are amidst the 2nd wave of cloud migrations. This means it’s no longer enough just to have a presence on the web if you need a competitive advantage. You need to be able to thrive. We are building more and more cloud native solutions with an emphasis on distributed systems more than any other time in the past. With cloud native distributed systems now the norm, tracing and tracking telemet...

The Shell Game Called Eventual Consistency - API Days Jakarta 2021

3 minute read

A few weeks ago I spoke at API Days Jakarta about some of my experiences building distributed systems. As more and more companies take their businesses to the web, they are finding that their customers are demanding highly responsive and highly available systems. So developers are expected to build those responsive distributed systems more than any time in the past. This means that in certain situations you as developers have to let go of strong consistency or distributed transactions. Even in other cases m...

Not All “Microservices Frameworks” Are Made The Same - NDC Sydney 2020

3 minute read

Last October I spoke at NDC Sydney about the pitfalls associated with microservices frameworks and how you can still leverage libraries and runtimes to help with distributed system complexities. In my experience, microservices frameworks tend to give diminishing results as your project evolves and even make your team less agile and productive. Microservices are an architectural style and frameworks tie you down to a lot of opinions that do not age well. This is my first time speaking at NDC and due to ...

Building Distributed Systems on the Shoulders of Giants - API Days Live, Australia 2020

2 minute read

I recently spoke about building distributed systems at API Days Australia conference. My talk is titled Building distributed systems on the shoulders of giants. It’s a reference to the popular metaphor about leveraging the knowledge of people who have been here before us. About API Days Live Australia On the website it says APIdays is the leading industry tech and business series of conferences in APIs and the programmable economy. As APIs become mainstream, our world becomes more connected, more au...

Event Sourcing

Speaking @LevelsConf 2018

1 minute read

I recently got a chance to speak at Levels Conference and it was my first time speaking in front of such a large audience. There were around 400 very keen junior developers there.

Event Sourcing Examined Part 3 Of 3

7 minute read

In this 3 part series we will look at what event sourcing is and why enterprise software for many established industries uses this pattern. Index Part One Introduction to Event Sourcing Why Use Event Sourcing? Some Common Pitfalls Part Two Getting Familiar With Aggregates Event Sourcing Workflow Commands Domain Event Internal Event Handler Repository Storage & Snapshots Event Publisher Part Three (Thi...

Event Sourcing Examined Part 2 Of 3

9 minute read

In this 3 part series we will look at what event sourcing is and why enterprise software for many established industries uses this pattern.

Event Sourcing Examined Part 1 of 3

7 minute read

In this 3 part series we will look at what event sourcing is and why enterprise software for many established industries uses this pattern. Index Part One (This one) Introduction to Event Sourcing Why Use Event Sourcing? Some Common Pitfalls Part Two Getting Familiar With Aggregates Event Sourcing Workflow Commands Domain Event Internal Event Handler Repository Storage & Snapshots Event Publisher Part ...

testing

Integration Testing an AspNet Core API That is Protected With CSRF/XSRF Tokens

5 minute read

I was working on writing integration tests for an AspNet Core Web API project recently (I blogged about how to write integration tests here). The front end was developed using Angular and we had CSRF protection enabled. If you haven’t done this before, the Microsoft documentation is a good place to start. How It Works On the first request to the server, it returns a cookie with a special name (i.e. XSRF-TOKEN). The SPA is expected to extract the value from the cookie and reattach that in the subseque...

OAuth Client Credentials Flow With AzureAD

6 minute read

Navigating through the various authentication and authorization flows in AzureAD can sometimes be confusing. The Microsoft documentation on app types is a good place to start. Today we will be looking at the client credentials grant flow. The Microsoft documentation around the flow with regards to AzureAD can be found here. They have named the document Service to service calls using client credentials which is what the client credentials grant is used for. It is a prerequisite of this post that you ...

Integration Testing ASP.NET Core WebApi

4 minute read

If you’re a decent .NET developer and lucky enough to work in a good team then most of your work would be unit testable. But there is always a case to write some integration tests to make sure things work end to end. I was in such a situation recently. I had to write integration tests for an ASP.NET core 2.2 project which had external dependencies I had to mock during the test. The Microsoft documentation was very good but it doesn’t (at the time of writing this post) cover all scenarios when mocking is...

azure ad

Setting Up AzureAD Multi-tenant Authentication With ASP NET Core And Angular

6 minute read

Using Azure AD to implement a multi-tenant application is fairly straightforward. It requires turning on a few knobs and switches from the portal and you’re most of the way there. In this post we will look at how to set up a multi-tenant app registration and implement the logic in the front end to direct the user to a common sign-in endpoint. We will also look at how to control access to a pre determined set of tenants. App Registration This is the easy part. Create an app registration from the Azure ...

Requesting Additional Claims From AzureAD

1 minute read

I am currently working on a project that uses EasyAuth to protect a web app hosted on Azure App Services. Think of it as a layer that operates above your web app that handles authentication and then inserts some special headers with the logged-in user’s information. Your backend web application can read these special headers and extract claims about the user. The Problem Out of the box it includes things like name, oid and upn of the logged in user. One thing very noticeably missing was the email cl...

OAuth Client Credentials Flow With AzureAD

6 minute read

Navigating through the various authentication and authorization flows in AzureAD can sometimes be confusing. The Microsoft documentation on app types is a good place to start. Today we will be looking at the client credentials grant flow. The Microsoft documentation around the flow with regards to AzureAD can be found here. They have named the document Service to service calls using client credentials which is what the client credentials grant is used for. It is a prerequisite of this post that you ...

aspnet core

Preventing fat/bloated/god controllers by following a simple endpoint pattern

5 minute read

I’ve been working with ASP.NET/CORE MVC and WebApi for a while now and there is a problem I often run into. It’s the case of the fat/bloated/god controller. This is a fairly simple problem to diagnose and most developers I speak to understand why this is an anti pattern. But why does it keep happening and how do we prevent it? What makes good developers fall into this trap? The library referenced in this post SimpleEndpoints is hosted at https://github.com/dasiths/SimpleEndpoints. The Why Typical...

Integration Testing an AspNet Core API That is Protected With CSRF/XSRF Tokens

5 minute read

I was working on writing integration tests for an AspNet Core Web API project recently (I blogged about how to write integration tests here). The front end was developed using Angular and we had CSRF protection enabled. If you haven’t done this before, the Microsoft documentation is a good place to start. How It Works On the first request to the server, it returns a cookie with a special name (i.e. XSRF-TOKEN). The SPA is expected to extract the value from the cookie and reattach that in the subseque...

Protecting Assets Without Using Authorization Headers (i.e. Bearer Tokens)

6 minute read

tl;dr; If you want to access an api endpoint but don’t have a way to append the authorization info to your request, you need to create a magic url that is short lived and has limited use. Go directly here for code samples. Consider this scenario. You have developed a SPA (Single Page Application) that uses some form of OAuth to retrieve an access/bearer token. You now append that to your http request header when you call your backend REST API. The backend inspects the token and processes the request....

serverless

What Does Durable Azure Functions Solve?

4 minute read

Azure Functions are the way serverless compute is implemented in Azure. The Amazon Web Services equivalent is called AWS Lambda. I won’t go into detail about what serverless is and what advantages it provides in this post. You can find my learnings from a project where I implemented my web api using Azure Functions here.

Using Azure Functions HttpTrigger As Web API

11 minute read

If you haven’t lived under a rock for the last 18 months you would know ‘Serverless’ is the new cool kid in town. Microsoft’s offer is called Azure Functions while Amazon calls it AWS Lambda.

asp.net core

OAuth Client Credentials Flow With AzureAD

6 minute read

Navigating through the various authentication and authorization flows in AzureAD can sometimes be confusing. The Microsoft documentation on app types is a good place to start. Today we will be looking at the client credentials grant flow. The Microsoft documentation around the flow with regards to AzureAD can be found here. They have named the document Service to service calls using client credentials which is what the client credentials grant is used for. It is a prerequisite of this post that you ...

Integration Testing ASP.NET Core WebApi

4 minute read

If you’re a decent .NET developer and lucky enough to work in a good team then most of your work would be unit testable. But there is always a case to write some integration tests to make sure things work end to end. I was in such a situation recently. I had to write integration tests for an ASP.NET core 2.2 project which had external dependencies I had to mock during the test. The Microsoft documentation was very good but it doesn’t (at the time of writing this post) cover all scenarios when mocking is...

oauth

Requesting Additional Claims From AzureAD

1 minute read

I am currently working on a project that uses EasyAuth to protect a web app hosted on Azure App Services. Think of it as a layer that operates above your web app that handles authentication and then inserts some special headers with the logged-in user’s information. Your backend web application can read these special headers and extract claims about the user. The Problem Out of the box it includes things like name, oid and upn of the logged in user. One thing very noticeably missing was the email cl...

OAuth Client Credentials Flow With AzureAD

6 minute read

Navigating through the various authentication and authorization flows in AzureAD can sometimes be confusing. The Microsoft documentation on app types is a good place to start. Today we will be looking at the client credentials grant flow. The Microsoft documentation around the flow with regards to AzureAD can be found here. They have named the document Service to service calls using client credentials which is what the client credentials grant is used for. It is a prerequisite of this post that you ...

OpenTelemetry

Instrument MQTT based python messaging app using Open Telemetry

9 minute read

Some time back I did a bit of an intro to OpenTelemetry and in there I covered some basics like what Signals and Context Propagation are. I also spoke about how concepts like Tracing, Spans and Instrumentation interrelate to one another. I even put some code samples up at GitHub to demo this. Most if not all of those code samples are in .NET and they demo tracing and baggage. Since I did that talk in 2021 the OpenTelemetry community have decided to add logs as a signal. Logs Are a Signal There are 4 t...

Propagating context and tracing across your distributed process boundaries using OpenTelemetry - API Days Australia 2021

3 minute read

I spoke at API Days Australia about my experiences building distributed systems and some challenges I’ve faced. We are amidst the 2nd wave of cloud migrations. This means it’s no longer enough just to have a presence on the web if you need a competitive advantage. You need to be able to thrive. We are building more and more cloud native solutions with an emphasis on distributed systems more than any other time in the past. With cloud native distributed systems now the norm, tracing and tracking telemet...

Security

LLM Prompt Injection Considerations With Tool Use

8 minute read

My team at Microsoft Industry Solutions Engineering have recently been building heaps of LLM based solutions for customers of varying sizes across industries. There are some patterns that are emerging from these solutions and today I wanted to write about a pattern we used at a customer to prevent a class of prompt injection attacks with regards to tool use. Some of it may seem trivial or just common sense from purely a security sense but remember that most teams building these solutions are cross functi...

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools - API Days Australia 2023

3 minute read

I presented some of my learnings around modern software supply chain security tools and landscape at API Days Australia 2023 and K8SUG Meetup in November. I had my team co-present the topic with me this time. My team in Microsoft Industry Solution Engineering have been building solutions to enable government and defence customer teams in Australia and secure software supply chains have been the main focus. With the renewed focus on supply chain attacks and with the supply chain security endorsement by the W...

Early Days

Where My Journey Began

4 minute read

This story begins in Colombo, Sri Lanka. Before computers sparked my interest I used to be an avid reader and loved novels by the likes of Martin Wickramasinghe and R.L.Spittel. I loved playing and watching cricket, still do. When my father bought an IBM 386 (Early 90s) it had Windows 3.1 and one of the very first memories I have is of using the copy command to copy games from a 3.5” floppy disk to the hard drive. For some reason I found using the command prompt easier than the GUI. Maybe this was the ...

Angular

Web API

web api

Using Azure Functions HttpTrigger As Web API

11 minute read

If you haven’t lived under a rock for the last 18 months you would know ‘Serverless’ is the new cool kid in town. Microsoft’s offer is called Azure Functions while Amazon calls it AWS Lambda.

NimbleConfig

NimbleConfig - A Simple Config Injector For .Net

4 minute read

I recently started an open sourced project called NimbleConfig (hosted in GitHub). It is a simple, unambitious, convention-based configuration injector for .NET using IConfiguration (Microsoft.Extensions.Configuration) with full support for AspNetCore.

Open Source

NimbleConfig - A Simple Config Injector For .Net

4 minute read

I recently started an open sourced project called NimbleConfig (hosted in GitHub). It is a simple, unambitious, convention-based configuration injector for .NET using IConfiguration (Microsoft.Extensions.Configuration) with full support for AspNetCore.

open source

Mediator Pattern Implemented In .NET/C#

9 minute read

The mediator pattern or the “domain whisperer” as I like to call it has been around for a long time and the main selling point of it is the reduction of coupling and enforcing clear separation of the domain logic from UI/Top layers. Let’s look at the Wikipedia definition. Usually a program is made up of a large number of classes. Logic and computation are distributed among these classes. However, as more classes are added to a program, especially during maintenance and/or refactoring, the problem of...

mediator

Mediator Pattern Implemented In .NET/C#

9 minute read

The mediator pattern or the “domain whisperer” as I like to call it has been around for a long time and the main selling point of it is the reduction of coupling and enforcing clear separation of the domain logic from UI/Top layers. Let’s look at the Wikipedia definition. Usually a program is made up of a large number of classes. Logic and computation are distributed among these classes. However, as more classes are added to a program, especially during maintenance and/or refactoring, the problem of...

openidconnect

Requesting Additional Claims From AzureAD

1 minute read

I am currently working on a project that uses EasyAuth to protect a web app hosted on Azure App Services. Think of it as a layer that operates above your web app that handles authentication and then inserts some special headers with the logged-in user’s information. Your backend web application can read these special headers and extract claims about the user. The Problem Out of the box it includes things like name, oid and upn of the logged in user. One thing very noticeably missing was the email cl...

multi-tenant

Setting Up AzureAD Multi-tenant Authentication With ASP NET Core And Angular

6 minute read

Using Azure AD to implement a multi-tenant application is fairly straightforward. It requires turning on a few knobs and switches from the portal and you’re most of the way there. In this post we will look at how to set up a multi-tenant app registration and implement the logic in the front end to direct the user to a common sign-in endpoint. We will also look at how to control access to a pre determined set of tenants. App Registration This is the easy part. Create an app registration from the Azure ...

security

Protecting Assets Without Using Authorization Headers (i.e. Bearer Tokens)

6 minute read

tl;dr; If you want to access an api endpoint but don’t have a way to append the authorization info to your request, you need to create a magic url that is short lived and has limited use. Go directly here for code samples. Consider this scenario. You have developed a SPA (Single Page Application) that uses some form of OAuth to retrieve an access/bearer token. You now append that to your http request header when you call your backend REST API. The backend inspects the token and processes the request....

Authentication

Speaking @ DDD Melbourne 2019

1 minute read

Last weekend I spoke at @DDDMelbourne and it was my first time doing so. The event attracted close to 900 people and had 5 concurrent tracks. I spoke at the @JuniorDev channel about Modern Authentication.

sql

Converting a Visual Studio database project to use DbUp migrations

10 minute read

Database projects in Visual Studio have been a very popular way to develop and manage the database schema and logic in the past. With more and more applications now preferring to have the data tier logic and validation within the bounds of the application and use the database just for persistence, I’ve come across clients who want to convert their database projects to more CI/CD friendly database migrations. So I decided to share an approach used to convert an existing database project to use database mi...

database

Converting a Visual Studio database project to use DbUp migrations

10 minute read

Database projects in Visual Studio have been a very popular way to develop and manage the database schema and logic in the past. With more and more applications now preferring to have the data tier logic and validation within the bounds of the application and use the database just for persistence, I’ve come across clients who want to convert their database projects to more CI/CD friendly database migrations. So I decided to share an approach used to convert an existing database project to use database mi...

visual studio

Converting a Visual Studio database project to use DbUp migrations

10 minute read

Database projects in Visual Studio have been a very popular way to develop and manage the database schema and logic in the past. With more and more applications now preferring to have the data tier logic and validation within the bounds of the application and use the database just for persistence, I’ve come across clients who want to convert their database projects to more CI/CD friendly database migrations. So I decided to share an approach used to convert an existing database project to use database mi...

Design Patterns

Object Capability Model And Mapping

7 minute read

Almost any type of software development work requires some sort of mapping in the logic. Either from the persistence models to domain model or from the domain models to view models. In my experience dealing with a lot of brownfield projects, I’ve seen some practices that age poorly and make it difficult to understand intent. Most mapping approaches age gracefully like beer. Although my aim is not to kick a dead horse and rant about AutoMapper, I agree with the sentiments provided in that linked post. I reco...

Object Oriented Programming

Object Capability Model And Mapping

7 minute read

Almost any type of software development work requires some sort of mapping in the logic. Either from the persistence models to domain model or from the domain models to view models. In my experience dealing with a lot of brownfield projects, I’ve seen some practices that age poorly and make it difficult to understand intent. Most mapping approaches age gracefully like beer. Although my aim is not to kick a dead horse and rant about AutoMapper, I agree with the sentiments provided in that linked post. I reco...

.NET

Going down the rabbit hole of EF Core and converting strings to dates

7 minute read

I am working on a greenfield project that uses EF Core 6 with AspNetCore 6 at the moment. The project involves exposing a set of legacy data through an API. Simple enough right? The underlying data is stored in SQL Server 2019 but it is not very well designed. There are varchar columns for storing boolean, numeric and date/time values. It’s not uncommon to see these types of data stores though. As developers we have to deal with them often. Dapper or EF Core When choosing the data access layer for the...

EF Core

Going down the rabbit hole of EF Core and converting strings to dates

7 minute read

I am working on a greenfield project that uses EF Core 6 with AspNetCore 6 at the moment. The project involves exposing a set of legacy data through an API. Simple enough right? The underlying data is stored in SQL Server 2019 but it is not very well designed. There are varchar columns for storing boolean, numeric and date/time values. It’s not uncommon to see these types of data stores though. As developers we have to deal with them often. Dapper or EF Core When choosing the data access layer for the...

SQL Server

Going down the rabbit hole of EF Core and converting strings to dates

7 minute read

I am working on a greenfield project that uses EF Core 6 with AspNetCore 6 at the moment. The project involves exposing a set of legacy data through an API. Simple enough right? The underlying data is stored in SQL Server 2019 but it is not very well designed. There are varchar columns for storing boolean, numeric and date/time values. It’s not uncommon to see these types of data stores though. As developers we have to deal with them often. Dapper or EF Core When choosing the data access layer for the...

Edge

Lessons learned from doing EdgeDevOps (GitOps) in the bush, air and underwater - API Days Australia 2022

1 minute read

I recently spoke at API Days Australia about my experiences building distributed systems and some challenges my team faced deploying and running them on the edge. It is not an exaggeration to say that most modern systems that teams build are running on the cloud in a distributed architecture. There are some well-known successful practices around DevOps for these cloud native solutions as well. But what happens when you want to use the same workflows to deploy and run on the edge where connectivity might...

DevOps

Lessons learned from doing EdgeDevOps (GitOps) in the bush, air and underwater - API Days Australia 2022

1 minute read

I recently spoke at API Days Australia about my experiences building distributed systems and some challenges my team faced deploying and running them on the edge. It is not an exaggeration to say that most modern systems that teams build are running on the cloud in a distributed architecture. There are some well-known successful practices around DevOps for these cloud native solutions as well. But what happens when you want to use the same workflows to deploy and run on the edge where connectivity might...

Distributed Tracing

Instrument MQTT based python messaging app using Open Telemetry

9 minute read

Some time back I did a bit of an intro to OpenTelemetry and in there I covered some basics like what Signals and Context Propagation are. I also spoke about how concepts like Tracing, Spans and Instrumentation interrelate to one another. I even put some code samples up at GitHub to demo this. Most if not all of those code samples are in .NET and they demo tracing and baggage. Since I did that talk in 2021 the OpenTelemetry community have decided to add logs as a signal. Logs Are a Signal There are 4 t...

MQTT

Instrument MQTT based python messaging app using Open Telemetry

9 minute read

Some time back I did a bit of an intro to OpenTelemetry and in there I covered some basics like what Signals and Context Propagation are. I also spoke about how concepts like Tracing, Spans and Instrumentation interrelate to one another. I even put some code samples up at GitHub to demo this. Most if not all of those code samples are in .NET and they demo tracing and baggage. Since I did that talk in 2021 the OpenTelemetry community have decided to add logs as a signal. Logs Are a Signal There are 4 t...

Python

Instrument MQTT based python messaging app using Open Telemetry

9 minute read

Some time back I did a bit of an intro to OpenTelemetry and in there I covered some basics like what Signals and Context Propagation are. I also spoke about how concepts like Tracing, Spans and Instrumentation interrelate to one another. I even put some code samples up at GitHub to demo this. Most if not all of those code samples are in .NET and they demo tracing and baggage. Since I did that talk in 2021 the OpenTelemetry community have decided to add logs as a signal. Logs Are a Signal There are 4 t...

Containers

What is ORAS and why should you care?

11 minute read

Most systems we build today are delivered as containers. Container registries and associated technologies are an important cog in this ecosystem. As the container ecosystem matures, there is an increased need to consume associated artefacts like Helm packages, software bill of materials, evidence of provenance, machine learning data sets etc from the same storage. There are even upcoming use cases like WebAssembly libraries that need a home. Container registries have evolved to become more than their ini...

Kubernetes

What is ORAS and why should you care?

11 minute read

Most systems we build today are delivered as containers. Container registries and associated technologies are an important cog in this ecosystem. As the container ecosystem matures, there is an increased need to consume associated artefacts like Helm packages, software bill of materials, evidence of provenance, machine learning data sets etc from the same storage. There are even upcoming use cases like WebAssembly libraries that need a home. Container registries have evolved to become more than their ini...

OCI

What is ORAS and why should you care?

11 minute read

Most systems we build today are delivered as containers. Container registries and associated technologies are an important cog in this ecosystem. As the container ecosystem matures, there is an increased need to consume associated artefacts like Helm packages, software bill of materials, evidence of provenance, machine learning data sets etc from the same storage. There are even upcoming use cases like WebAssembly libraries that need a home. Container registries have evolved to become more than their ini...

Secure Supply Chain

What is ORAS and why should you care?

11 minute read

Most systems we build today are delivered as containers. Container registries and associated technologies are an important cog in this ecosystem. As the container ecosystem matures, there is an increased need to consume associated artefacts like Helm packages, software bill of materials, evidence of provenance, machine learning data sets etc from the same storage. There are even upcoming use cases like WebAssembly libraries that need a home. Container registries have evolved to become more than their ini...

Secure Software Supply Chain

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools - API Days Australia 2023

3 minute read

I presented some of my learnings around modern software supply chain security tools and landscape at API Days Australia 2023 and K8SUG Meetup in November. I had my team co-present the topic with me this time. My team in Microsoft Industry Solution Engineering have been building solutions to enable government and defence customer teams in Australia and secure software supply chains have been the main focus. With the renewed focus on supply chain attacks and with the supply chain security endorsement by the W...

Container

Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools - API Days Australia 2023

3 minute read

I presented some of my learnings around modern software supply chain security tools and landscape at API Days Australia 2023 and K8SUG Meetup in November. I had my team co-present the topic with me this time. My team in Microsoft Industry Solution Engineering have been building solutions to enable government and defence customer teams in Australia and secure software supply chains have been the main focus. With the renewed focus on supply chain attacks and with the supply chain security endorsement by the W...

LLM

LLM Prompt Injection Considerations With Tool Use

8 minute read

My team at Microsoft Industry Solutions Engineering have recently been building heaps of LLM based solutions for customers of varying sizes across industries. There are some patterns that are emerging from these solutions and today I wanted to write about a pattern we used at a customer to prevent a class of prompt injection attacks with regards to tool use. Some of it may seem trivial or just common sense from purely a security sense but remember that most teams building these solutions are cross functi...

Prompt Injection

LLM Prompt Injection Considerations With Tool Use

8 minute read

My team at Microsoft Industry Solutions Engineering have recently been building heaps of LLM based solutions for customers of varying sizes across industries. There are some patterns that are emerging from these solutions and today I wanted to write about a pattern we used at a customer to prevent a class of prompt injection attacks with regards to tool use. Some of it may seem trivial or just common sense from purely a security sense but remember that most teams building these solutions are cross functi...
