Asp.Net 8 includes the new Api endpoints to interact with Asp.Net Identity.
Let's review what those endpoints include and talk a little bit about web authentication in 2023.
endpoints
• Recommended authentication flows
https://github.com/hbiarge/Identity-Samples
Disclaimer! We are going to talk mostly about web environments
use the configured methods to read it and create an instance of ClaimsPrincipal with the ClaimsIdentity and Claims of the requester
Authorization
Based on the requester Claims, the resource state, and potentially other information, allow or disallow action execution or filter resource information
an IAuthenticationService
• AuthenticationHandlers registered as services allow different authentication strategies
• IAuthenticationSchemeProvider and IAuthenticationHandlerProvider as services to manage apps with different schemes
uses an AuthenticationHandler with its AuthenticationSchemeOptions
• Scheme names MUST be unique
• Different Schemes can use the same AuthenticationHandler type
Try to get authentication information from the request and create the AuthenticationTicket
• Challenge
  • What to do when no authentication information can be found in the request
• Forbid
  • What to do when authentication is found but authorization is not satisfied
to store authentication information for future use
  • For example, CookieAuthenticationHandler stores the authentication information in a cookie
• SignOut
  • When a handler knows how to remove the stored authentication information
  • For example, CookieAuthenticationHandler removes the authentication cookie
external resources to perform authentication
  • For example, CookieAuthenticationHandler or JwtBearerHandler
• Remote
  • These handlers interact with external resources to perform authentication flows
  • They need to handle requests to special endpoints to complete those authentication flows (Request handling schemes)
  • They delegate SignIn to another configured local authentication handler
  • For example, the OpenIdConnectHandler interacts with an external OpenId Provider to perform the authentication flow
Included in the Microsoft.AspNetCore.Identity.UI nuget package
• Can be customized
  • Scaffolding the Identity pages
• NEW in .Net 8: Identity API Endpoints
  • Allow interacting with Asp.Net Identity via HTTP API
  • Focused on SPAs and Blazor apps authentication
• Why now?
  • It's the consequence of another .Net drama (https://devblogs.microsoft.com/dotnet/improvements-auth-identity-aspnetcore-8)
depends 😎
• Highly recommended: https://andrewlock.net/should-you-use-the-dotnet-8-identity-api-endpoints
• The landscape is evolving fast and is not yet stable for auth
  • User agents are phasing out third-party cookies (https://developer.chrome.com/docs/privacy-sandbox/third-party-cookie-phase-out)
  • This affects some base OAuth2 specifications
  • No-tokens-in-the-browser policy
  • User agent initiatives to solve federated identity without third-party cookies
  • FedCM (https://developer.chrome.com/docs/privacy-sandbox/fedcm)
SameSite=Strict and CSRF
• BFF authentication pattern
  • Valid for local and federated users
  • Authentication flows remain on the server
  • Reference implementation: https://docs.duendesoftware.com/identityserver/v6/bff
Public facing
• Token-based authentication
  • JWT recommended
https://oauth.net/2/browser-based-apps