
What's new in .Net 8 authentication (Novedades en la autenticación de .Net 8)

Hugo Biarge
November 20, 2023


Transcript

  1. #netcoreconf Asp.Net Identity – Main features
     • Password hashing
     • User and password validation
     • Password reset and email confirmation
     • User lockout
     • Multi-factor authentication
     • External identities
  2. #netcoreconf Asp.Net Identity – Usage
     • Default UI
       • Included in the Microsoft.AspNetCore.Identity.UI nuget package
       • Can be customized via scaffolding
     • Build your own UI/Api
     • New Api endpoints
       • Allow interacting with Asp.Net Identity via HTTP API
       • Focused on SPAs and Blazor apps authentication
     • Why now?
       • It’s the consequence of another .Net drama (https://devblogs.microsoft.com/dotnet/improvements-auth-identity-aspnetcore-8)
  3. #netcoreconf Asp.Net Identity Api endpoints
     • Only for managing local users
     • With local or remote authentication
     • Caveats:
       • Non-compliant with OpenID Connect/OAuth2 standards
       • Custom token format
       • Unable to customize the default behavior
     • Other opinions: https://andrewlock.net/should-you-use-the-dotnet-8-identity-api-endpoints
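As an added example (not code from the deck), the following Program.cs wires the .Net 8 Identity API endpoints of slides 2 and 3 together with the lockout, password-policy and email-confirmation features listed on slide 1. The in-memory EF Core store, the `/account` route prefix and the `/me` endpoint are assumptions made for this demo; the `AddIdentityApiEndpoints` / `MapIdentityApi` calls are the real .Net 8 APIs.

```csharp
// Packages assumed: Microsoft.AspNetCore.Identity.EntityFrameworkCore,
// Microsoft.EntityFrameworkCore.InMemory (demo store only, not for production).
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// Constructed demo store: an in-memory EF Core database named "identity-demo".
builder.Services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("identity-demo"));
builder.Services.AddAuthorization();

// Registers Identity plus the bearer-token and application-cookie schemes
// that the API endpoints use (default scheme forwards to whichever is present).
builder.Services
    .AddIdentityApiEndpoints<IdentityUser>(options =>
    {
        // Lockout (slide 1): five failed sign-ins lock the account for 15 minutes.
        options.Lockout.AllowedForNewUsers = true;
        options.Lockout.MaxFailedAccessAttempts = 5;
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);

        // Password validation (slide 1): length matters more than symbol rules.
        options.Password.RequiredLength = 12;
        options.Password.RequireNonAlphanumeric = false;

        // Email confirmation (slide 1): /login fails until /confirmEmail was visited.
        // The default IEmailSender is a no-op; register a real IEmailSender<IdentityUser>
        // to actually deliver the confirmation link.
        options.SignIn.RequireConfirmedEmail = true;
    })
    .AddEntityFrameworkStores<AppDbContext>();

var app = builder.Build();

// Maps /account/register, /account/login, /account/refresh, /account/confirmEmail,
// /account/resendConfirmationEmail, /account/forgotPassword, /account/resetPassword,
// /account/manage/2fa and /account/manage/info.
app.MapGroup("/account").MapIdentityApi<IdentityUser>();

// Assumed protected endpoint: accepts either the Identity bearer token or the cookie.
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(new { name = user.Identity?.Name }))
   .RequireAuthorization();

app.Run();

// Minimal Identity schema over EF Core; the DbContext name is an assumption.
class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```

`POST /account/login` answers with the custom token the deck warns about: an opaque value protected by ASP.NET Core Data Protection, not a JWT, so nothing outside this application can validate it. Calling `POST /account/login?useCookies=true` makes the same endpoint issue the Identity application cookie instead, which is the variant a browser-based client should prefer so that no token ever lands in JavaScript-accessible storage.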
  4. #netcoreconf SPA Authentication in 2023
     • Authorization code flow + PKCE
       • Was the main recommendation several years ago
     • Problems
       • User agents phasing out third-party cookies affect some OpenID/OAuth2 specs
         • Silent renew (token renew via iframe)
         • Session management (spec)
         • Front-channel logout (spec)
       • No tokens-in-the-browser policy
  5. #netcoreconf Third party cookies phase out
     • It’s now!
     • Check your sites for future compatibility
       • More info: https://developer.chrome.com/docs/privacy-sandbox/third-party-cookie-phase-out
     • Roadmap
       • 1% of Chrome users by Q1 2024
       • 100% by Q3 2024
       • More info: https://developer.chrome.com/blog/cookie-countdown-2023oct
     • You can test the impact now
       • chrome://flags/#test-third-party-cookie-phaseout
       • edge://flags/#test-third-party-cookie-phaseout
  6. #netcoreconf Current recommended architecture
     • BFF pattern
       • One of the recommendations in the draft https://oauth.net/2/browser-based-apps
     • Benefits
       • No tokens in the browser
       • Use cookies with SameSite=Strict and a CSRF header
       • All the tokens managed in the server == SECURE
       • Easy management of user logout
         • Revoking refresh_tokens on SPA logout
         • Back-channel logout when federated sign-out
     • Reference implementation in .Net: https://docs.duendesoftware.com/identityserver/v6/bff
     • Future new standard? FedCM (https://developer.chrome.com/docs/privacy-sandbox/fedcm)
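The BFF properties listed on slide 6 (no tokens in the browser, a SameSite=Strict cookie plus a CSRF header, refresh-token revocation on SPA logout, then federated sign-out) as one added ASP.NET Core example. This is neither the deck's code nor Duende's BFF library; the IdP authority, client id and secret, the revocation endpoint path and the `X-CSRF` header name are placeholders and assumptions chosen for the demo.

```csharp
// Package assumed: Microsoft.AspNetCore.Authentication.OpenIdConnect.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Placeholder IdP settings (assumptions, replace with your own provider's values).
const string Authority = "https://idp.example.test";
const string ClientId = "bff-client";
const string ClientSecret = "PLACEHOLDER-CLIENT-SECRET";
const string RevocationEndpoint = Authority + "/connect/revocation"; // RFC 7009 endpoint, path assumed

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization();
builder.Services.AddHttpClient();

builder.Services
    .AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;   // session = cookie
        o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; // login = OIDC
    })
    .AddCookie(o =>
    {
        // The only thing the browser holds: an HttpOnly, Secure, SameSite=Strict cookie.
        o.Cookie.Name = "__Host-bff";
        o.Cookie.HttpOnly = true;
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        o.Cookie.SameSite = SameSiteMode.Strict;
        // An unauthenticated XHR should see 401, not a redirect to the IdP.
        o.Events.OnRedirectToLogin = ctx => { ctx.Response.StatusCode = 401; return Task.CompletedTask; };
    })
    .AddOpenIdConnect(o =>
    {
        o.Authority = Authority;
        o.ClientId = ClientId;
        o.ClientSecret = ClientSecret;
        o.ResponseType = OpenIdConnectResponseType.Code; // authorization code flow
        o.UsePkce = true;
        o.Scope.Add("offline_access");  // request a refresh_token so the BFF can renew server-side
        o.SaveTokens = true;            // tokens live in the encrypted cookie ticket, never in JS
        o.GetClaimsFromUserInfoEndpoint = true;
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// CSRF defence for the API: a custom header cannot be attached by a cross-site form post,
// and a cross-origin script would need a CORS preflight that this app does not allow,
// so "X-CSRF: 1" (assumed name) is required on every /api call in addition to SameSite=Strict.
app.Use(async (ctx, next) =>
{
    if (ctx.Request.Path.StartsWithSegments("/api") && ctx.Request.Headers["X-CSRF"] != "1")
    {
        ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }
    await next();
});

// The SPA reads identity claims through the BFF; it never sees an id_token or access_token.
app.MapGet("/api/user", (HttpContext ctx) =>
        Results.Ok(ctx.User.Claims.Select(c => new { c.Type, c.Value })))
   .RequireAuthorization();

// Logout: revoke the refresh_token at the IdP, drop the local cookie, then federated sign-out.
app.MapPost("/api/logout", async (HttpContext ctx, IHttpClientFactory factory) =>
{
    var refreshToken = await ctx.GetTokenAsync("refresh_token");
    if (refreshToken is not null)
    {
        var revoke = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["token"] = refreshToken,
            ["token_type_hint"] = "refresh_token",
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret,
        });
        // Revocation failure is not fatal for the local logout, but is worth logging.
        var response = await factory.CreateClient().PostAsync(RevocationEndpoint, revoke);
        if (!response.IsSuccessStatusCode)
            app.Logger.LogWarning("Refresh token revocation returned {Status}", response.StatusCode);
    }
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" });
}).RequireAuthorization();

app.Run();
```

Because `SaveTokens = true` stores the tokens inside the Data Protection-encrypted cookie ticket, `GetTokenAsync("refresh_token")` is the only place they are ever read, which is what makes the "all the tokens managed in the server" claim on the slide hold. Revoking the refresh token before the cookie is cleared closes the window in which a copied ticket could still mint new access tokens; the final OIDC `SignOutAsync` performs the front-channel end-session redirect, and the IdP's back-channel logout (if configured) is what terminates any other sessions the user holds.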