.NET Day 19 - Authentication and Authorization in ASP.NET Core by Damien Bowden
dotnetday
May 28, 2019
Technology
Transcript
ASP.NET Core Security
Damien Bowden, Microsoft MVP
• https://damienbod.com
• @damien_bod
• https://github.com/damienbod
ASP.NET Core, OpenID Connect, OAuth, Identity, Azure, Angular, angular-auth-oidc-client (npm)
• Security & Applications today
• OpenID Connect, OAuth2
• Authorization: ASP.NET Core Policies
Security & Applications today
(Diagram: an Application with the layers Authentication, Business, Data Access, Authorization and Identity, next to a second application, Application 2, with the same layers)
(Diagram: HTTPS everywhere, Certs; a WAF in front of the Protected Zone)
• Authentication, Authorization, Accounting
• Session Protection
• HTTP headers
• HTTPS, Certs, TLS 1.2, 1.3
• WAF (Web Application Firewall)
Authentication Authorization Signout Session
USE Standards: don't implement this yourself; use certified, tested libs and packages.
OAuth2, OpenID Connect: Authentication, Authorization, Delegated
OpenID Connect http://openid.net/connect/
• Standard, Specification
• Authentication and Authorization
• built on top of OAuth2 (access control)
• Identity (a person can have n identities)
• UserInfo Endpoint
OpenID Connect (OIDC) is supported by almost all systems: Azure AD, Azure B2C, OKTA, IdentityServer4, Google accounts, Openiddict, node-oidc-provider
Authentication Authorization Signout Session
OpenID Connect Flows / OAuth2 Flows http://openid.net/specs/openid-connect-core-1_0.html
• OAuth2 Resource Owner Credentials Flow
• OpenID Connect Code flow
• OpenID Connect Hybrid flow
• OpenID Connect PKCE Authorization Code Flow (RFC 7636)
• OAuth Device Flow
Terms: id token, token (access token), reference / self contained token, refresh token, scope, Back-Channel, Front-Channel, User Agent
OAuth2 Resource Owner Credentials Flow
• Machine-to-machine (MC to MC) applications
• trusted client
• grant_type=client_credentials&client_id=xxxxxxxxxx&client_secret=xxxxxxxxxx
• Limited use cases
OAuth2 Resource Owner Credentials Flow (diagram)
OpenID Connect Authorization Code flow
• Server to server applications with User
• Can keep secrets, is trusted
• Client is authenticated
• response_type = code
OIDC Authorization Code flow (diagram)
OIDC Hybrid flow
• Mix of the Code and Implicit Flow
• Can be used for Web applications with server side rendering.
• response_type = code id_token | code id_token token | code token
OIDC Hybrid flow (diagram)
Native App: PKCE Authorization Code Flow RFC 7636 https://tools.ietf.org/html/rfc7636
Single Page Applications: Cookies, OIDC Code Flow with PKCE, OIDC Implicit Flow
OpenID Connect Code flow with PKCE
• For browser applications, SPAs
• Client is not authenticated, or trusted
• response_type = code
• NO SECRET
OAuth Device Flow RFC 7636 https://tools.ietf.org/html/draft-ietf-oauth-device-flow-12
OpenID Connect Hybrid Flow / Code Flow code examples
• https://github.com/damienbod/AspNetCoreHybridFlowWithApi
• https://github.com/damienbod/AspNetCoreWindowsAuth
OAuth2 Resource Owner Credentials Flow code examples
• https://github.com/damienbod/AspNetCoreHybridFlowWithApi
• https://github.com/damienbod/AspNetCoreWindowsAuth
Authorization: ASP.NET Core Policies
Authorization is the responsibility of the Application / API, not the STS. This can be implemented in a separate library.
Standard Requirements, Complex Requirements: Policies use Requirements; Authorization Handlers evaluate them.
• Create a Requirement
• Make a Handler
• Create a Policy
• Apply the Policy (Controller)
• Apply the Policy (Razor Page)
• Apply a Requirement directly
• Handler with Resource
ASP.NET Core Policies, Handlers and Requirements make it easy to focus on Authorization
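The requirement / handler / policy / apply-the-policy sequence above, as an added example that is not from the talk or its repositories; the claim name "membership_level", the policy name "GoldMembers" and the controller are assumptions:

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// 1. Requirement: the data a policy needs. Here: a minimum value of the
//    (assumed) "membership_level" claim issued by the STS.
public class MinimumLevelRequirement : IAuthorizationRequirement
{
    public int MinimumLevel { get; }
    public MinimumLevelRequirement(int minimumLevel) => MinimumLevel = minimumLevel;
}

// 2. Handler: evaluates the requirement against the authenticated user.
public class MinimumLevelHandler : AuthorizationHandler<MinimumLevelRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumLevelRequirement requirement)
    {
        var claim = context.User.FindFirst("membership_level");
        if (claim != null
            && int.TryParse(claim.Value, out var level)
            && level >= requirement.MinimumLevel)
        {
            context.Succeed(requirement); // positive match only
        }
        // No Succeed => the requirement stays unmet and the request gets 403.
        return Task.CompletedTask;
    }
}

// 3. Policy: registered in Startup.ConfigureServices together with the handler.
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("GoldMembers", policy =>
                policy.Requirements.Add(new MinimumLevelRequirement(3))));
        services.AddSingleton<IAuthorizationHandler, MinimumLevelHandler>();
    }
}

// 4. Apply the policy: the same attribute works on a Razor PageModel.
[Authorize(Policy = "GoldMembers")]
public class GoldController : Controller
{
    public IActionResult Index() => Content("visible to level >= 3 only");
}
```

For the "Handler with Resource" case, the handler derives from AuthorizationHandler<TRequirement, TResource> instead and the check is made in code with IAuthorizationService.AuthorizeAsync(User, resource, "PolicyName"), inspecting the Succeeded property of the result.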
Thank you @damienbod
• https://openid.net/developers/specs/
• https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow
• https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
• https://www.npmjs.com/package/angular-auth-oidc-client
• https://openid.net
• https://auth0.com/blog/cookies-vs-tokens-definitive-guide
• https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/authenticate
• https://scotthelme.co.uk/say-hello-to-security-txt
• https://csp-evaluator.withgoogle.com/