Authentication in native and web applications. Scenarios and tools

Hugo Biarge

June 19, 2019

Transcript

  1. Scenarios

    1. Local website
        • Users: Local database
        • Application: Server side and SPA web apps
        • External API: No external APIs
    2. Applications using an Active Directory
        • Users: Directory
        • Application: Server side and SPA web apps, native apps
        • External API: Yes
    3. Applications using an OIDP acting as a Federation Gateway
        • Users: Local and directory
        • Applications: Server side and SPA web apps, native apps
        • External API: Yes

    https://github.com/hbiarge/authentication-samples
  2. ASP.NET Identity

    • Local users stored in database
    • Hashed passwords
    • Deeply integrated with cookies
    • Supports MFA
        • TOTP: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
    • Support for external identity providers
        • Officially supported: Facebook, Google, Twitter, Microsoft Account, OAuth, OpenIdConnect and WSFederation
        • Community: https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers

    Starting with ASP.NET Core 3.0 we will have a new template for SPAs
  3. Azure Active Directory

    • Single Sign On
    • Support for different authentication protocols
        • WS-Federation
        • OAuth2
        • OpenId.Connect (v2.0 endpoints) https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
    • Can authenticate client applications and APIs
  4. But what’s OpenId.Connect?

    • Authentication layer over OAuth2
    • OAuth2 is a delegating authentication protocol
    • Supports interactive and non-interactive flows
    • Three types of tokens
        • id_token
        • access_token
        • refresh_token
    • Standardises the use of JWT tokens (JSON Web Token)
        • JSON representation of claims
        • Digitally signed for integrity protection

    Acheve.Authentication.Events https://github.com/hbiarge/Acheve.Authentication.Events
  5. Active Directory Authentication Libraries

    • Azure Active Directory Authentication Libraries
        • https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
    • Microsoft identity platform authentication libraries
        • https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries
    • SDKs for multiple languages
        • .NET and .NET Core
        • Python
        • Java
        • iOS
        • Android
  6. IdentityServer

    • OpenID Foundation certified implementation of an OpenID Provider
    • Interoperable and spec compliant
    • Open source and part of the .NET Foundation
    • Flexible and configurable

    https://github.com/IdentityServer/IdentityServer4
  7. What’s a Federation Gateway?

    • Consolidates different Identity Providers for a group of applications
    • Single point of truth regarding application authentication
    • Applications don’t care about where the user is authenticated
        • They only know the one that acts as the Gateway
    • Decouples identity and application management

    Azure AD B2C is another option https://docs.microsoft.com/en-in/azure/active-directory-b2c/active-directory-b2c-overview
  8. IdentityModel

    • IdentityModel https://github.com/IdentityModel/IdentityModel
        • Helper library (.NET Standard 2.0) for claims-based identity, OAuth2 and OpenId.Connect
    • IdentityModel.OidcClient2 https://github.com/IdentityModel/IdentityModel.OidcClient2
        • C#/NetStandard OpenID Connect Client Library for native applications
    • oidc-client-js https://github.com/IdentityModel/oidc-client-js
        • Support for client-side, browser-based JavaScript client applications
  9. Thanks and … See you soon!

    Thanks also to the sponsors, without whom this would not have been possible.
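
Slide 4 describes JWTs as a JSON representation of claims that is digitally signed for integrity protection. The following added example (not from the deck or its sample repository) shows in Node.js what a client has to check before trusting an id_token. The issuer URL, client id, key pair, clock value and helper names are constructed for illustration.

```javascript
// Added example: validate a constructed RS256 id_token before trusting its claims.
const crypto = require('crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Constructed key pair; a real OpenID Provider publishes its public keys as a JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Compact JWT: base64url(header).base64url(payload).base64url(signature)
function issueToken(claims) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}

// Returns the claims only if signature, issuer, audience and expiry all check out.
function validateIdToken(token, { key, issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString('utf8'));
  // Pin the algorithm: the token's own header must not be able to select "none" or HS256.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, fromB64url(s))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(fromB64url(p).toString('utf8'));
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Demo helper: returns 'ok' or the reason the token was rejected.
function check(token, opts) {
  try { validateIdToken(token, opts); return 'ok'; } catch (e) { return e.message; }
}

const NOW = 1700000000; // constructed clock value so the demo is deterministic
const opts = { key: publicKey, issuer: 'https://idp.example', audience: 'spa-client', now: NOW };
const good = issueToken({ iss: 'https://idp.example', aud: 'spa-client', sub: 'alice', exp: NOW + 300 });

// Same header and signature, but a modified payload: the signature no longer matches.
const [hh, , ss] = good.split('.');
const forged = b64url(JSON.stringify({ iss: 'https://idp.example', aud: 'spa-client', sub: 'admin', exp: NOW + 300 }));
const tampered = `${hh}.${forged}.${ss}`;

console.log(check(good, opts), '|', check(tampered, opts));
```

In a real application the libraries listed on slides 5 and 8 perform these checks; the point here is which checks they must perform.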