

Claims-based Identity & Access Control for .NET 4.5 Applications

Dominick Baier

March 03, 2013


Transcript

  1. @leastprivilege Dominick Baier
     • Solution architect and security consultant at thinktecture
     • Focus on
       – security in distributed applications
       – identity management
       – Windows/.NET security
       – cloud computing
     • Microsoft MVP for Developer Security
     • http://www.leastprivilege.com
     • [email protected]
     • @leastprivilege
     think mobile!
  2. Objectives
     • IPrincipal & IIdentity
     • Security tokens and claims
     • Claims based identity
     • Claims transformation
     • Claims based authorization
     • Federation and external authentication
     • ASP.NET 4.5 OpenID integration
     • Tooling
  3. Once upon a time… 2002: .NET 1.0, ASP.NET 1.0

        interface IIdentity
        {
            bool IsAuthenticated { get; }
            string AuthenticationType { get; }
            string Name { get; }
        }

        interface IPrincipal
        {
            IIdentity Identity { get; }
            bool IsInRole(string roleName);
        }
  4. Since .NET v1.0
     (diagram) Plumbing code / infrastructure / runtime sets Thread.CurrentPrincipal, which lives in thread-local storage (TLS); application logic gets the principal from there.
  5. WindowsPrincipal & WindowsIdentity
     • Wraps a Windows security token
       – Windows account of the current process (desktop apps)
       – Windows account of the current client (server apps)

        // current process identity
        WindowsIdentity user = WindowsIdentity.GetCurrent();
        WindowsPrincipal p = new WindowsPrincipal(user);
        Thread.CurrentPrincipal = p;
  6. GenericPrincipal & GenericIdentity
     • Represents a user backed by your own custom credential store
       – allows you to attach roles to that user

        var roles = new string[] { "Sales", "Marketing" };
        var user = new GenericPrincipal(
            new GenericIdentity("bob"),
            roles);
  7. 2002 to present
     (diagram) Trusted subsystem. Authentication mechanisms: Basic, Digest, Forms and Windows authentication, client certificates, WS-Security tokens, SecurID, custom. Clients: corporate network, partners, customers, cloud.
  8. Claims
     • Many security systems out there
       – groups, roles
       – permissions, capabilities
       – specialized (e.g. Bell-LaPadula)
     • Claim examples
       – Bob is an administrator
       – Jim's email address is [email protected]
       – Alice is allowed to add new customers
       – Dave is allowed to write documents up to "confidential"
  9. Claim
     • Statement about an entity made by someone else

        public class Claim
        {
            public virtual string Type { get; }
            public virtual string Value { get; }
            public virtual string Issuer { get; }
            // rest omitted
        }
 10. ClaimsPrincipal & ClaimsIdentity

        class ClaimsPrincipal : IPrincipal
        {
            ReadOnlyCollection<ClaimsIdentity> Identities { get; }
        }

        class ClaimsIdentity : IIdentity
        {
            IEnumerable<Claim> Claims { get; }
        }

        interface IPrincipal
        {
            IIdentity Identity { get; }
            bool IsInRole(string roleName);
        }

        interface IIdentity
        {
            bool IsAuthenticated { get; }
            string AuthenticationType { get; }
            string Name { get; }
        }
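The following is an added example, not code from the deck. It builds a ClaimsPrincipal by hand, the way an authentication layer would after reading a token, and shows how the old IPrincipal/IIdentity contract maps onto claims: IsInRole is answered from claims of type ClaimTypes.Role, Name from ClaimTypes.Name, and IsAuthenticated depends on the authentication type passed to ClaimsIdentity. The issuer URI, the department claim type and all claim values are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;

// Added example (not from the slides): building and inspecting a ClaimsPrincipal.
static class ClaimsPrincipalDemo
{
    const string SampleIssuer = "https://idp.example";                     // constructed
    const string DepartmentClaimType = "http://schemas.example/department"; // hypothetical

    // Constructed claims for "bob", as an identity provider might assert them.
    static List<Claim> SampleClaims()
    {
        return new List<Claim>
        {
            new Claim(ClaimTypes.Name, "bob", ClaimValueTypes.String, SampleIssuer),
            new Claim(ClaimTypes.Email, "bob@example.com", ClaimValueTypes.String, SampleIssuer),
            new Claim(ClaimTypes.Role, "Sales", ClaimValueTypes.String, SampleIssuer),
            new Claim(DepartmentClaimType, "Research", ClaimValueTypes.String, SampleIssuer)
        };
    }

    static void Main()
    {
        // The authenticationType argument is what makes the identity count as
        // authenticated: ClaimsIdentity.IsAuthenticated is true only when
        // AuthenticationType is non-empty.
        var identity = new ClaimsIdentity(SampleClaims(), "SampleAuthentication");
        var principal = new ClaimsPrincipal(identity);
        Thread.CurrentPrincipal = principal;

        // Legacy code that only knows IPrincipal keeps working unchanged ...
        IPrincipal legacy = Thread.CurrentPrincipal;
        Console.WriteLine("Name: {0}, authenticated: {1}",
            legacy.Identity.Name, legacy.Identity.IsAuthenticated);        // bob, True

        // ... because ClaimsPrincipal answers IsInRole from ClaimTypes.Role claims.
        Console.WriteLine("IsInRole(Sales): {0}", legacy.IsInRole("Sales")); // True

        // Claims-aware code asks for typed statements instead of role strings,
        // and can check who issued each statement before relying on it.
        Claim email = principal.FindFirst(ClaimTypes.Email);
        Console.WriteLine("Email: {0} (issued by {1})",
            email != null ? email.Value : "(none)",
            email != null ? email.Issuer : "-");
        Console.WriteLine("In Research: {0}",
            principal.HasClaim(DepartmentClaimType, "Research"));           // True

        foreach (Claim c in principal.Claims)
            Console.WriteLine("  {0} = {1} [{2}]", c.Type, c.Value, c.Issuer);

        // An identity built without an authentication type is anonymous even
        // though it carries claims; code must treat it as unauthenticated.
        var anonymous = new ClaimsIdentity(SampleClaims());
        Console.WriteLine("No auth type -> IsAuthenticated: {0}",
            anonymous.IsAuthenticated);                                      // False
    }
}
```

The last lines are the check worth remembering: a ClaimsIdentity constructed from claims alone reports IsAuthenticated == false, so any code that gates on IsAuthenticated will correctly refuse a principal that was never tied to an authentication method.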
 11. New inheritance structure I
     (diagram) Before: GenericPrincipal, WindowsPrincipal and RolePrincipal each implement IPrincipal directly. After: all three derive from ClaimsPrincipal, which implements IPrincipal.
 12. New inheritance structure II
     (diagram) Before: FormsIdentity, WindowsIdentity and GenericIdentity each implement IIdentity directly. After: all three derive from ClaimsIdentity, which implements IIdentity.
 13. Timeline
     • 2002, .NET 1.0 / ASP.NET 1.0: IIdentity & IPrincipal, Thread.CurrentPrincipal
     • 2006, WCF: System.IdentityModel, SecurityToken, Claim, ServiceSecurityContext
     • 2009, WIF: Microsoft.IdentityModel, IClaimsIdentity & IClaimsPrincipal, Thread.CurrentPrincipal
     • 2012, .NET 4.5: System.IdentityModel, System.Security.Claims, all principals derive from ClaimsPrincipal, Thread.CurrentPrincipal
 14. APIs built on top of ClaimsPrincipal
     • Credential type support
     • Claims transformation
     • Claims-based authorization
     • Session management
     • Support for federation protocols
     • Extensions to ASP.NET and WCF
 15. Credential type support
     • Unification of various credential formats to a common ClaimsPrincipal representation
       – Windows / Kerberos
       – Forms Authentication
       – HTTP basic authentication
       – SSL client certificates
       – WS-Security tokens
       – SAML
       – extensible
     (diagram) credential → ClaimsPrincipal → ClaimsIdentity → Claim, Claim, …
 16. Claims Transformation & Validation
     • Abstraction layer between the authentication process and application code
       – to validate incoming identity data
       – allows adding application-specific claims to the principal
     (diagram) Authentication → Claims Transformation → Application Code
 17. Claims transformation
     • ClaimsAuthenticationManager derived class
       – establish application identity for client

        public class ClaimsAuthNManager : ClaimsAuthenticationManager
        {
            public override ClaimsPrincipal Authenticate(
                string resourceName, ClaimsPrincipal incomingPrincipal)
            {
                if (incomingPrincipal.Identity.IsAuthenticated)
                {
                    return TransformClaims(incomingPrincipal);
                }

                return incomingPrincipal;
            }
        }
 18. Authentication Sessions
     • Claims transformation is triggered on every request
       – might be OK, but might also be expensive
     • Outcome of claims transformation can be "cached" in a session
     (diagram) First request: Authentication → Transformation → Application, principal cached. Subsequent requests: Authentication → load cached principal → Application.
 19. Session management
     • Session management is a mechanism to preserve a ClaimsPrincipal across round trips
       – cookies for ASP.NET (SessionAuthenticationModule)
       – WS-SecureConversation for WCF
     • Extensible mechanism
       – session token protection
       – web farm support
       – round trip optimization

        var sessionToken = new SessionSecurityToken(
            principal, TimeSpan.FromHours(8));

        FederatedAuthentication
            .SessionAuthenticationModule
            .WriteSessionTokenToCookie(sessionToken);
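As an added example covering both the claims transformation slide and the session slides (this is not the deck's code), here is a ClaimsAuthenticationManager that validates the incoming principal, replaces it with an application identity whose added claims are stamped with the application as issuer, and caches the result in a session token so the transformation runs once per session instead of on every request. The application issuer URI, the department claim type and the role lookup table are constructed sample data; the class name is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security;
using System.Security.Claims;

// Added example (not from the slides): transformation plus session caching.
public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    const string ApplicationIssuer = "https://app.example/claims";          // constructed
    const string DepartmentClaimType = "http://schemas.example/department"; // hypothetical

    // Stands in for the application's own user store (constructed data).
    static readonly Dictionary<string, string[]> ApplicationRoles =
        new Dictionary<string, string[]>
        {
            { "42", new[] { "Sales", "Marketing" } }
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Anonymous callers pass through untouched; authorization decides later.
        if (!incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        // Validation: the application keys everything off a stable identifier
        // from the identity provider. Without it the identity is unusable.
        Claim userId = incomingPrincipal.FindFirst(ClaimTypes.NameIdentifier);
        if (userId == null)
            throw new SecurityException("Incoming principal carries no name identifier claim.");

        ClaimsPrincipal transformed = TransformClaims(incomingPrincipal, userId);
        CacheInSession(transformed);
        return transformed;
    }

    static ClaimsPrincipal TransformClaims(ClaimsPrincipal incoming, Claim userId)
    {
        var identity = new ClaimsIdentity("ApplicationAuthentication");

        // Copy only the inbound claims the application needs. AddClaim clones a
        // claim owned by another identity, and the clone keeps its original
        // issuer, so later code can still tell who asserted it.
        identity.AddClaim(userId);
        foreach (Claim c in incoming.FindAll(ClaimTypes.Name)
                                    .Concat(incoming.FindAll(DepartmentClaimType)))
            identity.AddClaim(c);

        // Application-specific claims are issued by the application itself,
        // which keeps them distinguishable from anything the IdP said.
        string[] roles;
        if (ApplicationRoles.TryGetValue(userId.Value, out roles))
            foreach (string role in roles)
                identity.AddClaim(new Claim(ClaimTypes.Role, role,
                                            ClaimValueTypes.String, ApplicationIssuer));

        return new ClaimsPrincipal(identity);
    }

    static void CacheInSession(ClaimsPrincipal principal)
    {
        // Outside an ASP.NET pipeline there is no session module; skip caching.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam == null)
            return;

        // On later requests the module restores this principal from the cookie,
        // so Authenticate() is not invoked again until the token expires.
        var token = new SessionSecurityToken(principal, TimeSpan.FromHours(8));
        sam.WriteSessionTokenToCookie(token);
    }
}
```

The manager is registered in web.config under system.identityModel / identityConfiguration with a claimsAuthenticationManager element whose type attribute names this class and its assembly. The session lifetime is a trade-off: once the principal is cached, changes in the application's user store are not seen until the token expires, so a shorter lifetime limits how long a revoked role stays effective.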
 20. PrincipalPermission
     • Ships with the .NET Framework (since version 1)
       – "the old way"
       – based on code access security
       – invoked by the CLR
       – typically clashes with unit testing
       – throws a SecurityException
       – limited to roles
       – encourages you to mix authorization & business logic

        [PrincipalPermission(SecurityAction.Demand, Roles = "Marketing")]
        public ActionResult AddCustomer()
        { ... }
 21. ClaimsPrincipalPermission
     • Ships with the .NET Framework (since version 4.5)
       – same underlying implementation as PrincipalPermission
       – based on ClaimsAuthorizationManager

        [ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "Customer", Operation = "Add")]
        public ActionResult AddCustomer()
        { ... }
 22. Claims authorization
     • ClaimsAuthorizationManager provides a central extensibility point for
       – loading/parsing authorization policy
       – mapping operations/resources to required claims
     • Application code should not check for claims directly

        public class ClaimAuthZManager : ClaimsAuthorizationManager
        {
            public override bool CheckAccess(AuthorizationContext context)
            {
                // inspect context and make authorization decision;
                // return true to allow, false to deny
                return false;
            }
        }
 23. Authorization context
     • Allows complex description of resource access
       – resource / action pair
       – can be claims

        [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Add", Resource = "Customer")]
        public void AddCustomer(Customer customer)
        { … }

        void Print(Document document)
        {
            if (ClaimsPrincipalPermission.CheckAccess(document.Printer, "Print"))
            { … }
        }
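The following is an added example for the two authorization slides above, not code from the deck. It shows a ClaimsAuthorizationManager that resolves the resource/action pair carried in the AuthorizationContext against an inline policy table, denies by default, and is then used both for a static resource and for one chosen at run time. The policy entries, role names and the principal are constructed sample data; the class names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (not from the slides): a policy-driven ClaimsAuthorizationManager.
public class AppClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    // Policy: "resource:action" -> role allowed to perform it. Constructed data;
    // a real application would load this from configuration.
    static readonly Dictionary<string, string> Policy = new Dictionary<string, string>
    {
        { "Customer:Add",     "Sales" },
        { "Customer:Read",    "Sales" },
        { "Printer-HQ:Print", "Research" }
    };

    public override bool CheckAccess(AuthorizationContext context)
    {
        ClaimsPrincipal principal = context.Principal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;

        // Resource and action arrive as claims. The attribute and the string
        // overloads each contribute exactly one, so the first of each is used.
        Claim resource = context.Resource.FirstOrDefault();
        Claim action = context.Action.FirstOrDefault();
        if (resource == null || action == null)
            return false;

        string requiredRole;
        if (!Policy.TryGetValue(resource.Value + ":" + action.Value, out requiredRole))
            return false;   // deny by default: an unlisted pair never passes

        return principal.HasClaim(ClaimTypes.Role, requiredRole);
    }
}

static class AuthorizationDemo
{
    static readonly ClaimsAuthorizationManager Manager = new AppClaimsAuthorizationManager();

    // Imperative check for a resource only known at run time. The business
    // code asks "may this happen" and never inspects claims itself.
    public static bool CanPrint(ClaimsPrincipal principal, string printerName)
    {
        return Manager.CheckAccess(new AuthorizationContext(principal, printerName, "Print"));
    }

    static void Main()
    {
        var bob = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "bob"),
            new Claim(ClaimTypes.Role, "Sales")
        }, "Sample"));

        Console.WriteLine(Manager.CheckAccess(
            new AuthorizationContext(bob, "Customer", "Add")));      // True
        Console.WriteLine(CanPrint(bob, "Printer-HQ"));               // False: needs Research
        Console.WriteLine(Manager.CheckAccess(
            new AuthorizationContext(bob, "Customer", "Delete")));   // False: not in policy

        var nobody = new ClaimsPrincipal(new ClaimsIdentity());      // anonymous
        Console.WriteLine(Manager.CheckAccess(
            new AuthorizationContext(nobody, "Customer", "Add")));   // False
    }
}
```

The declarative [ClaimsPrincipalPermission] attribute from the slide goes through the same CheckAccess once the manager is registered in web.config under system.identityModel / identityConfiguration with a claimsAuthorizationManager element naming this class; the demo instantiates it directly only so that it runs without an ASP.NET pipeline.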
 24. SAML (Security Assertion Markup Language) token

        <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
          <saml:AttributeStatement>
            <saml:Attribute AttributeName="userid" AttributeNamespace="http://...">
              <saml:AttributeValue>42</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="name" AttributeNamespace="http://...">
              <saml:AttributeValue>Bob</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="department" AttributeNamespace="http://...">
              <saml:AttributeValue>Research</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
        </saml:Assertion>
 25. Protocols and tokens
     • Web applications
       – WS-Federation
     • SOAP services
       – WS-Security, WS-Trust
     • REST services
       – OAuth2
     • Tokens
       – SAML 1.1 / 2.0
       – SWT / JWT
 26. WS-Federation
     (sequence diagram: Client, Relying Party, Security Token Service)
     Client → Relying Party: GET /default.aspx
     Client → Security Token Service: GET /wsfed?wa=wsignin1.0&wtrealm=address_of_rp
     Security Token Service → Client: auto-submitting form

        <form method="POST" action="address_of_rp">
            <input name="wresult" value="<saml:Assertion…" />
            …
            <script>
                window.setTimeout('document.forms[0].submit()', 0);
            </script>
        </form>

     Client → Relying Party: POST /default.aspx
 27. WS-Trust & WS-Security
     (sequence diagram: Client, Relying Party, Identity Provider)
     Client → Identity Provider: RST

        <RequestSecurityToken>
            <RequestType>Issue</RequestType>
            <TokenType>SAML#1.1</TokenType>
            <AppliesTo>
                <EndpointReference>
                    <Address>address_of_rp</Address>
                    <Identity>cert_of_rp</Identity>
                </EndpointReference>
            </AppliesTo>
        </RequestSecurityToken>

     Identity Provider → Client: RSTR

        <RequestSecurityTokenResponse>
            <saml:Assertion>
                …
            </saml:Assertion>
        </RequestSecurityTokenResponse>

     Client → Relying Party: SOAP message with the assertion in the security header
 28. REST based services
     • Integrate with HTTP-based services (e.g. ASP.NET Web API)
       – http://thinktecture.github.com/Thinktecture.IdentityModel.45/

        GET /service
        Authorization: bearer <token>
 29. Security Token Services
     • Commercial products
       – Microsoft Active Directory Federation Service 2
       – IBM Tivoli Federation Manager
       – Oracle Identity Manager
       – Ping Federate
     • .NET 4.5 contains base classes to build your own STS
       – be aware you are building critical security infrastructure
       – http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
 30. ASP.NET 4.5 OpenID Integration & Tooling
     • ASP.NET 4.5 templates make it easy to integrate OpenID logins
       – Google, LinkedIn, Facebook, LiveID...
       – no direct claims integration
       – http://brockallen.com/2012/09/05/integrating-claims-and-oauthwebsecurity/
     • Tooling
       – "Identity & Access" extension for Visual Studio
       – Development STS
       – http://goo.gl/cTChL
 31. Migrating to .NET 4.5
     • From plain .NET
       – nothing to do for the built-in principals/identities
       – if you are using custom principals, you should change the base classes
       – can make gradual use of new features
     • From WIF
       – lots of breaking changes from WIF to the 4.5 model
       – mechanics stay the same
       – WIF is part of Windows, so it will be available side by side
 32. Summary
     • Claims-based identity is the new .NET security model
       – by changing the base class, all apps are now claims-based
       – ASP.NET and WCF are specifically aware of this
     • Three essential concepts
       – turning security tokens into claims (and vice versa)
       – claims transformation
       – claims-based authorization
     • Token and protocol support
       – federated and external authentication
     • Should be transparent in most cases
       – needs some rework for custom identities
       – needs some rework for WIF-based applications