.NET Day
May 28, 2019
Technology
.NET Day 19 - Authentication and Authorization in ASP.NET Core by Damien Bowden
Transcript
ASP.NET Core Security • Damien Bowden, Microsoft MVP • https://damienbod.com • @damien_bod • https://github.com/damienbod
ASP.NET Core, OpenID Connect, OAuth, Identity, Azure, Angular, angular-auth-oidc-client (npm)
Security & Applications today • OpenID Connect, OAuth2 • Authorization: ASP.NET Core Policies
Security & Applications today
Application: Authentication, Business, Data Access, Authorization, Identity
Application 2: Authentication, Business, Data Access, Authorization, Identity
HTTPS everywhere, Certs • WAF • Protected Zone
Authentication, Authorization, Accounting • Session Protection • HTTP headers • HTTPS, Certs, TLS 1.2, 1.3 • WAF (Web Application Firewall)
Authentication • Authorization • Signout • Session
USE Standards: Don't implement this yourself, use certified, tested libs and packages
OAuth2, OpenID Connect • Authentication • Authorization • Delegated
OpenID Connect http://openid.net/connect/ • Standard, Specification • Authentication and Authorization • built on top of OAuth2 (access control) • Identity (a person can have n identities) • UserInfo Endpoint
OpenID Connect (OIDC) is supported by almost all systems: Azure AD, Azure B2C, OKTA, IdentityServer4, Google accounts, OpenIddict, node-oidc-provider
Authentication • Authorization • Signout • Session
OpenID Connect Flows, OAuth2 Flows http://openid.net/specs/openid-connect-core-1_0.html • OAuth2 Resource Owner Credentials Flow • OpenID Connect Code flow • OpenID Connect Hybrid flow • OpenID Connect PKCE Authorization Code Flow RFC 7636 • OAuth Device Flow
id token • token (access token): reference / self-contained token • refresh token • scope • Back-Channel • Front-Channel • User Agent
OAuth2 Resource Owner Credentials Flow • MC to MC applications • trusted client • grant_type=client_credentials&client_id=xxxxxxxxxx&client_secret=xxxxxxxxxx • Limited use cases
OpenID Connect Authorization Code flow • Server to server applications with User • Can keep secrets, is trusted • Client is authenticated • response_type = code
OIDC Hybrid flow • Mix of the Code and Implicit Flow • Can be used for Web applications with server side rendering • response_type = code id_token | code id_token token | code token
Native App: PKCE Authorization Code Flow RFC 7636 https://tools.ietf.org/html/rfc7636
Single Page Applications: Cookies • OIDC Code Flow with PKCE • OIDC Implicit Flow
OpenID Connect Code flow with PKCE • For browser applications, SPAs • Client is not authenticated or trusted • response_type = code • NO SECRET
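The PKCE mechanism these slides rely on, as an added example (not the deck's own code and not taken from the linked repositories): the client derives an S256 code_challenge from a random code_verifier, and the token endpoint later checks the verifier against the stored challenge as RFC 7636 specifies. The Pkce class and its method names are assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the deck's own code: PKCE (RFC 7636) for a public client that holds no secret.
public static class Pkce
{
    // Client side: code_verifier is 43-128 characters of [A-Za-z0-9-._~].
    // 32 random bytes, base64url-encoded, give exactly 43 characters.
    public static string CreateCodeVerifier()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Base64UrlEncode(bytes);
    }

    // Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), sent on the
    // authorization request together with code_challenge_method=S256.
    public static string CreateCodeChallenge(string codeVerifier)
    {
        using (var sha256 = SHA256.Create())
            return Base64UrlEncode(sha256.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));
    }

    // Server side (token endpoint): recompute the challenge from the code_verifier sent with the
    // authorization code and compare it, in constant time, with the challenge stored for that code.
    // A code captured from the redirect cannot be redeemed without the verifier, which never left the client.
    public static bool VerifyCodeVerifier(string storedChallenge, string codeVerifier)
    {
        if (codeVerifier == null || codeVerifier.Length < 43 || codeVerifier.Length > 128) return false;
        var expected = Encoding.ASCII.GetBytes(CreateCodeChallenge(codeVerifier));
        var actual = Encoding.ASCII.GetBytes(storedChallenge ?? string.Empty);
        return expected.Length == actual.Length && CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    // base64url (RFC 4648 section 5) without padding, as RFC 7636 requires.
    private static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        var verifier = CreateCodeVerifier();
        var challenge = CreateCodeChallenge(verifier);
        Console.WriteLine($"code_challenge={challenge}&code_challenge_method=S256");
        Console.WriteLine(VerifyCodeVerifier(challenge, verifier));            // the legitimate client
        Console.WriteLine(VerifyCodeVerifier(challenge, CreateCodeVerifier())); // a different verifier
    }
}
```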
OAuth Device Flow RFC 7636 https://tools.ietf.org/html/draft-ietf-oauth-device-flow-12
OpenID Connect Hybrid Flow / Code Flow code examples: https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth
OAuth2 Resource Owner Credentials Flow code examples: https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth
Authorization: ASP.NET Core Policies
Authorization is the responsibility of the Application / API, not the STS. This can be implemented in a separate library.
Standard Requirements • Complex Requirements • Policies use Requirements • Authorization Handlers
Create a Requirement
Make a Handler
Create a Policy
Apply the Policy (Controller)
Apply the Policy (Razor Page)
Apply a Requirement directly
Handler with Resource
ASP.NET Core Policies, Handlers and Requirements make it easy to focus on Authorization
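The Requirement, Handler, Policy and Apply steps listed above, carried through as one added example written for this page (not code from the deck or from Damien Bowden's repositories): a resource-based handler that lets only a document's owner read it. The Document type, the "DocumentOwner" policy name, the use of the "sub" claim as the subject identifier and the constructed document are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
// Resource passed to the handler (constructed for this example).
public class Document { public string Id { get; set; } public string OwnerId { get; set; } }
// 1. Create a Requirement: the policy refers to this type; it carries no logic itself.
public class DocumentOwnerRequirement : IAuthorizationRequirement { }
// 2. Make a Handler with Resource: succeed only when the caller's subject claim matches the
//    document owner. Not calling Succeed is a denial; Fail() would also veto other handlers.
public class DocumentOwnerHandler : AuthorizationHandler<DocumentOwnerRequirement, Document>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        DocumentOwnerRequirement requirement, Document resource)
    {
        // The JWT handler maps "sub" to NameIdentifier unless the default claim mapping is cleared.
        var subject = context.User.FindFirst("sub")?.Value
                      ?? context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (subject != null && subject == resource.OwnerId) context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// 3. Create a Policy and register the handler (called from Startup.ConfigureServices).
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options => options.AddPolicy("DocumentOwner", policy =>
            policy.RequireAuthenticatedUser().AddRequirements(new DocumentOwnerRequirement())));
        services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>();
    }
}

// 4. Apply the Policy in a Controller: a resource-based check needs the loaded resource, so
//    IAuthorizationService is called rather than [Authorize(Policy = "DocumentOwner")] on the action.
[Authorize]
public class DocumentsController : Controller
{
    private readonly IAuthorizationService _authorization;
    public DocumentsController(IAuthorizationService authorization) => _authorization = authorization;
    [HttpGet("documents/{id}")]
    public async Task<IActionResult> Get(string id)
    {
        var document = new Document { Id = id, OwnerId = "user-123" }; // constructed; normally loaded from data access
        var result = await _authorization.AuthorizeAsync(User, document, "DocumentOwner");
        return result.Succeeded ? Ok(document) : Forbid();
    }
}
```

For a Razor Page the same AuthorizeAsync call goes in the page handler; an [Authorize(Policy = "DocumentOwner")] attribute alone would run the handler with a null resource.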
Thank you @damienbod
https://openid.net/developers/specs/
https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow
https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
https://www.npmjs.com/package/angular-auth-oidc-client
https://openid.net
https://auth0.com/blog/cookies-vs-tokens-definitive-guide
https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/authenticate
https://scotthelme.co.uk/say-hello-to-security-txt
https://csp-evaluator.withgoogle.com/