Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
.NET Day 19 - Authentication and Authorization ...
Search
dotnetday
May 28, 2019
Technology
0
320
.NET Day 19 - Authentication and Authorization in ASP.NET Core by Damien Bowden
dotnetday
May 28, 2019
Tweet
Share
More Decks by dotnetday
See All by dotnetday
.NET Day 2024: Mastering Integration Testing for .Net Web Apis With Webapplicationfactory and Testcontainers
dotnetday
0
64
.NET Day 2024: Backend for Frontend as a Gateway to the World of Microservices
dotnetday
0
57
.NET Day 2024: Implementing the planet's largest e-commerce site using service boundaries
dotnetday
0
44
.NET Day 2024: Sitting in meetings all day long
dotnetday
0
44
.NET Day 2024: Evolutionary Architecture. The What. The Why. The How
dotnetday
0
53
.NET Day 2024: Onion, Hexagonal, Clean or Fractal Architecture? All of them, and more!!
dotnetday
0
63
.NET Day 2024: 100% Unit Test Coverage and beyond
dotnetday
0
50
.NET Day 2024: Five common mistakes with distributed systems
dotnetday
0
60
.NET Day 2024: Curious Code and Where to Find it
dotnetday
0
54
Other Decks in Technology
See All in Technology
あなたの声を届けよう! 女性エンジニア登壇の意義とアウトプット実践ガイド #wttjp / Call for Your Voice
kondoyuko
4
510
PHPでWebブラウザのレンダリングエンジンを実装する
dip_tech
PRO
0
220
Fabric + Databricks 2025.6 の最新情報ピックアップ
ryomaru0825
1
160
Amazon Bedrockで実現する 新たな学習体験
kzkmaeda
2
680
ネットワーク保護はどう変わるのか?re:Inforce 2025最新アップデート解説
tokushun
0
150
Node-RED × MCP 勉強会 vol.1
1ftseabass
PRO
0
180
Oracle Cloud Infrastructure:2025年6月度サービス・アップデート
oracle4engineer
PRO
2
310
OPENLOGI Company Profile for engineer
hr01
1
33k
さくらのIaaS基盤のモニタリングとOpenTelemetry/OSC Hokkaido 2025
fujiwara3
2
260
React開発にStorybookとCopilotを導入して、爆速でUIを編集・確認する方法
yu_kod
1
110
ハッカソン by 生成AIハッカソンvol.05
1ftseabass
PRO
0
150
250627 関西Ruby会議08 前夜祭 RejectKaigi「DJ on Ruby Ver.0.1」
msykd
PRO
2
370
Featured
See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Balancing Empowerment & Direction
lara
1
390
Code Review Best Practice
trishagee
69
18k
Building Adaptive Systems
keathley
43
2.6k
Art, The Web, and Tiny UX
lynnandtonic
299
21k
Building an army of robots
kneath
306
45k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.4k
Being A Developer After 40
akosma
90
590k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
720
The World Runs on Bad Software
bkeepers
PRO
69
11k
Transcript
ASP.NET Core Security • Damien Bowden Microsoft MVP • https://damienbod.com
• @damien_bod
https://github.com/damienbod ASP.NET Core, OpenID Connect, OAuth, Identity, Azure Angular, angular-auth-oidc-client
npm
Security & Applications today OpenID Connect, OAuth2 Authorization: ASP.NET Core
Policies
Security & Applications today
Application
Application Authentication Business Data Access Authorization Identity
Application Authentication Business Data Access Authorization Identity Application 2 Authentication
Business Data Access Authorization Identity
Application Authentication Business Data Access Authorization Identity Application 2 Authentication
Business Data Access Authorization Identity
None
None
HTTPS everywhere, Certs
WAF HTTPS everywhere, Certs Protected Zone
WAF HTTPS everywhere, Certs Protected Zone
Authentication, Authorization, Accounting Session Protection HTTP headers HTTPS Certs TLS
1.2, 1.3 WAF Web Application Firewall
Authentication Authorization Signout Session
USE Standards Don’t implement this yourself, use certified libs, packages,
tested
None
OAuth2 OpenID Connect Authentication Authorization Delegated
OpenID Connect http://openid.net/connect/ • Standard, Specification • Authentication and Authorization
• built on top of OAuth2 (access control) • Identity (Person can have n Identities) • UserInfo Endpoint
Open ID Connect (OIDC) is supported by almost all systems
. Azure AD, Azure B2C, OKTA, IdentityServer4, google accounts, Openiddict, node-oidc-provider
Authentication Authorization Signout Session
OpenID Connect Flows OAuth2 Flows http://openid.net/specs/openid- connect-core-1_0.html OAuth2 Resource Owner
Credentials Flow OpenID Connect Code flow OpenID Connect Hybrid flow OpenID Connect PKCE Authorization Code Flow RFC 7636 OAuth Device Flow
id token token (access token) reference / self contained token
refresh token scope Back-Channel Front-Channel User Agent
OAuth2 Resource Owner Credentials Flow • MC to MC applications
• trusted client • grant_type=client_cred ential&client_id=xxxxx xxxxx&client_secret=xx xxxxxxxx • Limited user cases
OAuth2 Resource Owner Credentials Flow
OpenID Connect Authorization Code flow • Server to server applications
with User • Can keep secrets, is trusted • Client is authenticated • response_type = code
OIDC Authorization Code flow
OIDC Hybrid flow • Mix of the Code and Implicit
Flow • Can be used for Web applications with server side rendering. • response_type = code id_token | code id_token token | code token
OIDC Hybrid flow
Native App PKCE Authorization Code Flow RFC 7636 https://tools.ietf.org/html/rfc 7636
None
Single Page Applications Cookies OIDC Code Flow with PKCE OIDC
Implicit Flow
OpenID Connect Code flow with PKCE • For browser applications,
SPAs • Client is not authenticated, or trusted • response_type = code • NO SECRET
OAuth Device Flow RFC 7636 https://tools.ietf.org/html/dra ft-ietf-oauth-device-flow-12
None
https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth OpenID Connect Hybrid Flow / Code Flow Code
examples
None
None
None
https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth OAuth2 Resource Owner Credentials Flow Code examples
None
None
None
None
Authorization: ASP.NET Core Policies
Authorization is the responsibility of the Application / API, not
the STS. This can be implemented in an separate library.
Standard Requirements Complex Requirements Policies uses Requirements Authorization Handlers
Create a Requirement
Make a Handler
Create a Policy
Apply the Policy (Controller)
Apply the Policy (Razor Page)
Apply a Requirement directly
Handler with Resource
ASP.NET Core Policies, Handlers and Requirements makes it easy to
focus on Authorization
Thank you @damienbod
https://openid.net/developers/specs/ https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660 https://www.npmjs.com/package/angular-auth-oidc-client https://openid.net https://auth0.com/blog/cookies-vs-tokens-definitive-guide https://www.npmjs.com/package/angular-auth-oidc-client https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/authenticate https://scotthelme.co.uk/say-hello-to-security-txt https://csp-evaluator.withgoogle.com/