Upgrade to Pro — share decks privately, control downloads, hide ads and more …

.NET Day 19 - Authentication and Authorization in ASP.NET Core by Damien Bowden

E6cffbf3b7a5fbfee4707033ef1636f5?s=47 dotnetday
May 28, 2019
Technology
0
180

.NET Day 19 - Authentication and Authorization in ASP.NET Core by Damien Bowden

E6cffbf3b7a5fbfee4707033ef1636f5?s=128

dotnetday

May 28, 2019
Tweet

More Decks by dotnetday

See All by dotnetday
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
0
120
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
0
93
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
0
76
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
0
87
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
0
100
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
0
42
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
1
130
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
0
110
E6cffbf3b7a5fbfee4707033ef1636f5?s=48 dotnetday
0
49

Other Decks in Technology

See All in Technology
297a42b94a1bda236982ec1cd81089b6?s=48 mottox2
0
180
7cd783377515bdf8207062840b7b2f4e?s=48 soracom
PRO
0
250
494defe9442c2c5f72296544b04db4f7?s=48 kusumicorp
0
340
Fb69af32a1d6d3ea3bc002b7718a7166?s=48 tomotaka_yamasaki
1
820
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
5
790
62e4420c2fcfd5ad8f7b4188821e8b00?s=48 35d
1
160
D8e3492ad16d2087b7cb8b2f6c4d3eb9?s=48 iseki
1
160
Cd823abda454a7a2065fe6fe273ae84b?s=48 viva_tweet_x
1
300
252e6c31a6452aa80deb9ad0107975c7?s=48 attakei
0
180
Ea29e2b19d11b48f867ae71d6a6de5df?s=48 opelab
4
540
97b3cca999b52cb5296675ac0a5c12cd?s=48 emiki
2
210
1ec68e792f99c958b8ffbd0aadaa182a?s=48 ikkou
0
150

Featured

See All Featured
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
147
20k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
189
14k
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
203
9.9k
245cee81a9c424266e5e401d844ea881?s=48 lara
26
3.2k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
349
20k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1351
200k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
29
1.5k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
161
6.7k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
300
40k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
14
610
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
73
7.6k
7fa6101cd43067653cf4ac6c7ca54305?s=48 akmur
254
19k

Transcript

  1. ASP.NET Core Security • Damien Bowden Microsoft MVP • https://damienbod.com

    • @damien_bod

  2. https://github.com/damienbod ASP.NET Core, OpenID Connect, OAuth, Identity, Azure Angular, angular-auth-oidc-client

    npm

  3. Security & Applications today OpenID Connect, OAuth2 Authorization: ASP.NET Core

    Policies

  4. Security & Applications today

  5. Application

  6. Application Authentication Business Data Access Authorization Identity

  7. Application Authentication Business Data Access Authorization Identity Application 2 Authentication

    Business Data Access Authorization Identity

  8. Application Authentication Business Data Access Authorization Identity Application 2 Authentication

    Business Data Access Authorization Identity
  9. None
  10. None

  11. HTTPS everywhere, Certs

  12. WAF HTTPS everywhere, Certs Protected Zone

  13. WAF HTTPS everywhere, Certs Protected Zone

  14. Authentication, Authorization, Accounting Session Protection HTTP headers HTTPS Certs TLS

    1.2, 1.3 WAF Web Application Firewall

  15. Authentication Authorization Signout Session

  16. USE Standards Don’t implement this yourself, use certified libs, packages,

    tested
  17. None

  18. OAuth2 OpenID Connect Authentication Authorization Delegated

  19. OpenID Connect http://openid.net/connect/ • Standard, Specification • Authentication and Authorization

    • built on top of OAuth2 (access control) • Identity (Person can have n Identities) • UserInfo Endpoint

  20. Open ID Connect (OIDC) is supported by almost all systems

    . Azure AD, Azure B2C, OKTA, IdentityServer4, google accounts, Openiddict, node-oidc-provider

  21. Authentication Authorization Signout Session

  22. OpenID Connect Flows OAuth2 Flows http://openid.net/specs/openid- connect-core-1_0.html OAuth2 Resource Owner

    Credentials Flow OpenID Connect Code flow OpenID Connect Hybrid flow OpenID Connect PKCE Authorization Code Flow RFC 7636 OAuth Device Flow

  23. id token token (access token) reference / self contained token

    refresh token scope Back-Channel Front-Channel User Agent

  24. OAuth2 Resource Owner Credentials Flow • MC to MC applications

    • trusted client • grant_type=client_cred ential&client_id=xxxxx xxxxx&client_secret=xx xxxxxxxx • Limited user cases

  25. OAuth2 Resource Owner Credentials Flow

  26. OpenID Connect Authorization Code flow • Server to server applications

    with User • Can keep secrets, is trusted • Client is authenticated • response_type = code

  27. OIDC Authorization Code flow

  28. OIDC Hybrid flow • Mix of the Code and Implicit

    Flow • Can be used for Web applications with server side rendering. • response_type = code id_token | code id_token token | code token

  29. OIDC Hybrid flow

  30. Native App PKCE Authorization Code Flow RFC 7636 https://tools.ietf.org/html/rfc 7636

  31. None

  32. Single Page Applications Cookies OIDC Code Flow with PKCE OIDC

    Implicit Flow

  33. OpenID Connect Code flow with PKCE • For browser applications,

    SPAs • Client is not authenticated, or trusted • response_type = code • NO SECRET

  34. OAuth Device Flow RFC 7636 https://tools.ietf.org/html/dra ft-ietf-oauth-device-flow-12

  35. None

  36. https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth OpenID Connect Hybrid Flow / Code Flow Code

    examples
  37. None
  38. None
  39. None

  40. https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth OAuth2 Resource Owner Credentials Flow Code examples

  41. None
  42. None
  43. None
  44. None

  45. Authorization: ASP.NET Core Policies

  46. Authorization is the responsibility of the Application / API, not

    the STS. This can be implemented in an separate library.

  47. Standard Requirements Complex Requirements Policies uses Requirements Authorization Handlers

  48. Create a Requirement

  49. Make a Handler

  50. Create a Policy

  51. Apply the Policy (Controller)

  52. Apply the Policy (Razor Page)

  53. Apply a Requirement directly

  54. Handler with Resource

  55. ASP.NET Core Policies, Handlers and Requirements makes it easy to

    focus on Authorization

  56. Thank you @damienbod

  57. https://openid.net/developers/specs/ https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660 https://www.npmjs.com/package/angular-auth-oidc-client https://openid.net https://auth0.com/blog/cookies-vs-tokens-definitive-guide https://www.npmjs.com/package/angular-auth-oidc-client https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/authenticate https://scotthelme.co.uk/say-hello-to-security-txt https://csp-evaluator.withgoogle.com/