Upgrade to Pro — share decks privately, control downloads, hide ads and more …

.NET Day 2022 - Building an auth microservice with ASP.NET Core Identity and Duende IdentityServer by Miroslav Popovic

dotnetday
September 06, 2022
Technology
0
710

.NET Day 2022 - Building an auth microservice with ASP.NET Core Identity and Duende IdentityServer by Miroslav Popovic

In today's microservice-based software solutions, we have a growing need for centralized authentication and authorization systems. We could use third-party systems like Azure AD or Auth0, or build our own. But, "security is hard"! There are a bunch of different standards, tricks, and ways of implementation. Even the smallest mistake can make your solution vulnerable. To avoid that, when building our own auth system, we could use frameworks and tools like ASP.NET Core Identity and Duende IdentityServer. With Identity, we are getting a membership system with a login. IdentityServer gets us the full implementation of OAuth 2.0 and OpenID Connect standards. We'll take a look at one possible implementation, the things we should take care of, and how to fit that solution with the rest of the system – with different APIs, SPA apps, native apps, etc.

dotnetday

September 06, 2022
Tweet

More Decks by dotnetday

See All by dotnetday
.NET Day 2023: Don't Trust the Browser: Secure SPAs with BFF
dotnetday
0
59
.NET Day 2023: Clean as you Code: use Roslyn analyzers to focus on the code you modify
dotnetday
0
140
.NET Day 2023: The symbiosis of Continuous Deployment and Stability
dotnetday
0
27
.NET Day 2023: Architecture aspects - evolutionary architecture development
dotnetday
1
120
.NET Day 2023: Messaging: The fine line between awesome and awful (and how to stay on the right side of it)
dotnetday
0
120
.NET Day 2023: Bringing the Power of Deep Learning to .NET with ONNX and ML.NET
dotnetday
0
55
.NET Day 2023: Your code is just a detail
dotnetday
0
100
.NET Day 2023: The state of the .NET Auth, Cloud Security
dotnetday
0
40
.NET Day 2023: Beyond simple benchmarks—A practical guide to optimizing code with BenchmarkDotNet
dotnetday
0
37

Other Decks in Technology

See All in Technology
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
4
890
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
1k
Handling focus in 2024
tahia910
0
230
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
150
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
5
710
BPStudyの200回を中心にIT業界を振り返る。そしてこれから
haru860
3
410
成長をサポートするピープルマネジメントのやり方
sioncojp
9
1.2k
DMM.com アルファ室採用案内資料
hsugita
1
230
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
35k
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
4
610
Android Target SDK 35 (Android 15) 対応の概要
akkie76
0
160
Azureの基本的な権限管理の勉強会
yhana
1
2.1k

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
43
6.8k
From Idea to $5000 a Month in 5 Months
shpigford
378
45k
Music & Morning Musume
bryan
41
5.6k
How to train your dragon (web standard)
notwaldorf
75
5.2k
Making the Leap to Tech Lead
cromwellryan
125
8.5k
Happy Clients
brianwarren
92
6.4k
Fantastic passwords and where to find them - at NoRuKo
philnash
39
2.5k
Git: the NoSQL Database
bkeepers
PRO
423
63k
4 Signs Your Business is Dying
shpigford
176
21k
Embracing the Ebb and Flow
colly
80
4.2k
Atom: Resistance is Futile
akmur
260
25k
Designing for Performance
lara
601
67k

Transcript

  1. Building an auth microservice with ASP.NET Core Identity and Duende

    IdentityServer Miroslav Popović @miroslavpopovic
  2. None

  3. Introduction What are we building? 1

  4. What modern apps look like? 4 Image taken from Duende

    IdentityServer documentation

  5. Why an auth service? ▸ Problems to solve: ▹ Authentication

    ▹ Authorization ▹ Resource protection ▸ Centralized solution ▸ Auth service = Security Token Service 5

  6. The big picture 6 Image taken from Duende IdentityServer documentation

  7. Solution ▸ OAuth 2.0 ▸ OpenID Connect ▸ .NET 6

    ▸ ASP.NET Core Identity ▸ Duende IdentityServer 6 7

  8. OAuth 2.0 & OpenID Connect ▸ OAuth 2.0 ▹ Authorization

    ▹ Granting access to data and features from one application to another ▸ OpenID Connect ▹ Authentication ▹ Login and profile information 8

  9. ASP.NET Core Identity ▸ Managing users, passwords, profile data, roles,

    … ▸ DB persistence with EF Core ▸ Predefined UI for login, register, forgot password, 2FA, … ▸ UI Scaffolding ▸ Support for external logins 9

  10. Duende IdentityServer ▸ Protect your resources ▸ Authenticate users using

    a local account store or via an external identity provider ▸ Provide session management and single sign-on ▸ Manage and authenticate clients ▸ Issue identity and access tokens to clients ▸ Validate tokens 10

  11. ASP.NET Core Identity + Terminology 2

  12. Resources ▸ Identity resources ▸ API resources 12

  13. Clients ▸ Accesses to resources ▸ Need to be authorized

    13

  14. Resource owners ▸ In most cases, users 14

  15. Authentication ▸ Confirming user identity 15

  16. Authorization ▸ Allowing the access to a specific functionality or

    resource 16

  17. Other terms ▸ Claim ▹ One piece of information ▸

    Scopes ▹ Something you want to protect and client wants to access ▸ Grant types / flows ▹ Non-interactive – client credentials flow ▹ Interactive – authorization code flow with PKCE ▹ Older flows are considered obsolete 17 ▸ Tokens ▹ Access token – JWT ▹ Refresh token ▹ Identity token – JWT ▹ Reference tokens (instead of JWT)

  18. Authorization code flow with PKCE ▸ code_verifier = random ▸

    code_challenge = hash 18

  19. Demo 3

  20. Auth service ▸ New ASP.NET Core project with Identity ▹

    2FA ▹ MailKit email service ▹ IdentityUser extended 20

  21. Auth service (cont.) ▸ Duende.IdentityServer.AspNetIdentity ▸ Middleware configuration ▸ Resource

    and client definition ▸ Consent and Device Auth page ▸ /.well-known/openid-configuration 21

  22. Console / worker client ▸ IdentityModel library 22

  23. MVC client ▸ Scenarios: ▹ Same token for MVC app

    and API ▹ Getting new token for API ▹ Calling API through another API 23

  24. JavaScript BFF client ▸ Backend for Frontend ▸ Duende.BFF ▹

    part of Business Edition or higher 24

  25. SPA client ▸ Uses oidc-client library ▸ Not recommended when

    working with sensitive data 25

  26. Device client ▸ Intended for devices without easy input ▹

    i.e. smart TVs, gaming consoles… ▸ Simulated with WPF ▸ RFC 8628 26

  27. Auth admin ▸ Switching to DB resources / clients 27

  28. Containerization ▸ Docker ▸ Docker Compose ▸ Project Tye ▹

    https://github.com/dotnet/tye 28

  29. Tips & tricks 4

  30. Tips & tricks ▸ Don’t add many claims to access

    tokens ▸ Don’t include sensitive data to JWT tokens ▸ Don’t store tokens to localStorage in browser-based apps if you are working with sensitive data ▸ Use BFF architecture for browser-based apps ▸ Use authorization code flow with PKCE for native apps too ▸ Use rotation for refresh tokens (default behavior) and prevent reply attacks 30

  31. Tips & tricks (cont.) ▸ Handle new users in external

    auth callback ▹ i.e. ask them to fill in the data, don’t trust that provider will return it ▸ Use IdentityModel library for .NET clients ▸ Use IdentityServer as Federation Gateway ▸ Create the strategy for encryption key rotation ▹ implemented by default in Duende IdentityServer ▸ Look into IdentityServer log output when resolving issues 31

  32. Advanced concepts 5

  33. Advanced ▸ Single-sign on ▸ Single-sign out ▹ Complicated –

    front-channel, back-channel ▹ Not all external providers support it ▸ New server-side Session Management ▹ Added in IS 6.1 ▹ Can be used instead of cookies 33

  34. Advanced (cont.) ▸ Key material ▹ AddSigningCredentials, AddDeveloperSigningCredential, AddValidationKey ▸

    Proof of possession tokens ▸ Bound to client that requested the token 34

  35. Closing words 5

  36. What comes in future? ▸ OAuth 2.1 ▸ .NET 7

    ▸ Duende ▹ Duende.AccessTokenManagement (in preview) instead of IdentityModel.AspNetCore ▹ Duende IdentityServer 7? 36

  37. Tools ▸ Admin interfaces ▹ https://www.identityserver.com/products/adminui ▹ https://github.com/skoruba/Duende.IdentityServer.Admin ▹ https://github.com/Aguafrommars/TheIdServer

    ▸ Policy / permission servers ▹ https://policyserver.io/ ▹ https://github.com/Xabaril/Balea 37

  38. Alternatives ▸ Cloud based ▹ Auth0 / Okta ▹ Azure

    AD B2C ▸ Self-hosted ▹ https://www.keycloak.org/ ▹ https://www.ory.sh/ ▹ https://gluu.org/ 38 ▸ Middleware ▹ https://github.com/openiddict/openiddict-core ▹ https://github.com/miroslavpopovic/auth- sample-openiddict ▸ Custom / built from scratch ▹ ?

  39. Summary ▸ Auth as a service ▸ ASP.NET Core &

    Duende IdentityServer integration ▸ Auth flows with IdentityServer ▸ Various client types ▸ Tips & tricks ▸ Future ▸ Tools and alternatives 39

  40. References ▸ ASP.NET Core Identity documentation ▸ Duende IdentityServer documentation

    ▹ Duende Software Blog - https://blog.duendesoftware.com/ ▹ Dominick Baier’s blog - https://leastprivilege.com/ ▹ Brock Allen’s blog - https://brockallen.com/ ▹ IdentityServer workshops - https://duendesoftware.com/training/identityaccesscontrol ▸ NDC Conferences YouTube channel ▹ Search for “IdentityServer”, or “Dominick Baier”, or “Brock Allen” 40

  41. 41 THANKS! Any questions? You can find me at: ▸

    @miroslavpopovic ▸ https://miroslavpopovic.com/ https://github.com/miroslavpopovic/auth-microservice-sample-dotnet6
  42. None