
What's New in .Net 8 Authentication

Hugo Biarge
November 20, 2023

Transcript

  1. #netcoreconf Asp.Net Identity – Main features
     • Password hashing
     • User and password validation
     • Password reset and email confirmation
     • User lockout
     • Multi-factor authentication
     • External identities

  2. #netcoreconf Asp.Net Identity – Usage
     • Default UI
       • Included in the Microsoft.AspNetCore.Identity.UI nuget package
       • Can be customized via scaffolding
     • Build your own UI/Api
     • New Api endpoints
       • Allow interacting with Asp.Net Identity via HTTP API
       • Focused on SPAs and Blazor apps authentication
     • Why now?
       • It’s the consequence of another .Net drama (https://devblogs.microsoft.com/dotnet/improvements-auth-identity-aspnetcore-8)

  3. #netcoreconf Asp.Net Identity Api endpoints
     • Only for managing local users
     • With local or remote authentication
     • Caveats:
       • Non-compliant with OpenId.Connect/OAuth2 standards
       • Custom token format
       • Unable to customize the default behavior
     • Other opinions:
       • https://andrewlock.net/should-you-use-the-dotnet-8-identity-api-endpoints

  4. #netcoreconf SPA Authentication in 2023
     • Authorization code flow + PKCE
       • Was the main recommendation several years ago
     • Problems
       • User agents phasing out third-party cookies affects some OpenId/OAuth2 specs
         • Silent renew (token renew via iframe)
         • Session management (spec)
         • Front-channel logout (spec)
       • No tokens-in-the-browser policy

  5. #netcoreconf Third-party cookies phase out
     • It’s now!
     • Check your sites for future compatibility
       • More info: https://developer.chrome.com/docs/privacy-sandbox/third-party-cookie-phase-out
     • Roadmap
       • 1% of Chrome users by Q1 2024
       • 100% by Q3 2024
       • More info: https://developer.chrome.com/blog/cookie-countdown-2023oct
     • You can test the impact now
       • chrome://flags/#test-third-party-cookie-phaseout
       • edge://flags/#test-third-party-cookie-phaseout

  6. #netcoreconf Current recommended architecture
     • BFF pattern
       • One of the recommendations in the draft https://oauth.net/2/browser-based-apps
     • Benefits
       • No tokens in the browser
       • Use cookies with SameSite=Strict and a CSRF header
       • All the tokens managed in the server == SECURE
       • Easy management of user logout
         • Revoking refresh_tokens on SPA logout
         • Back-channel logout when federated sign-out
     • Reference implementation in .Net
       • https://docs.duendesoftware.com/identityserver/v6/bff
     • Future new standard?
       • FedCM (https://developer.chrome.com/docs/privacy-sandbox/fedcm)
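The two browser-side protections the BFF slide lists (a SameSite=Strict session cookie and a required CSRF header on API calls), as an added ASP.NET Core 8 example that is not part of the deck or of the Duende BFF library; it assumes the SPA is served from the same origin as this host, and the header name `X-CSRF` and the `/api` prefix are constructed choices.

```csharp
// Added example: minimal ASP.NET Core 8 BFF host applying the cookie hardening from the slide.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "__Host-bff";               // __Host- prefix forces Secure, no Domain, Path=/
        options.Cookie.SameSite = SameSiteMode.Strict;    // never sent on cross-site navigations or requests
        options.Cookie.HttpOnly = true;                   // not readable from JavaScript
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // An API client should see 401/403, not a redirect to an HTML login page.
        options.Events.OnRedirectToLogin = ctx =>
        { ctx.Response.StatusCode = StatusCodes.Status401Unauthorized; return Task.CompletedTask; };
        options.Events.OnRedirectToAccessDenied = ctx =>
        { ctx.Response.StatusCode = StatusCodes.Status403Forbidden; return Task.CompletedTask; };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();

// CSRF check: a browser only attaches a custom header to a cross-origin request after a
// CORS preflight, so requiring one on unsafe methods rejects forged form posts and redirects.
app.Use(async (ctx, next) =>
{
    var method = ctx.Request.Method;
    bool unsafeMethod = !(HttpMethods.IsGet(method) || HttpMethods.IsHead(method) || HttpMethods.IsOptions(method));
    if (unsafeMethod && ctx.Request.Path.StartsWithSegments("/api")
        && ctx.Request.Headers["X-CSRF"] != "1")       // constructed header name; the SPA sets it on every call
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next(ctx);
});
app.UseAuthorization();

// Session probe for the SPA: identity comes from the cookie, no token ever reaches the browser.
app.MapGet("/api/me", (HttpContext ctx) => Results.Ok(new { name = ctx.User.Identity?.Name }))
   .RequireAuthorization();

// Logout clears the server-side session cookie; revoking the refresh_token at the
// identity provider (also on the slide) would be done here when an OIDC handler is wired in.
app.MapPost("/api/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.NoContent();
}).RequireAuthorization();

app.Run();
```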