Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Web Applications and APIs with ASP.NET Core 2.2 and 3.0

75681814fbbb90c9224ea5ed0f8324ee?s=47 Dominick Baier
January 25, 2019
Programming
6
1.1k

Securing Web Applications and APIs with ASP.NET Core 2.2 and 3.0

75681814fbbb90c9224ea5ed0f8324ee?s=128

Dominick Baier

January 25, 2019
Tweet

More Decks by Dominick Baier

See All by Dominick Baier
OAuth - the Good Parts
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
0
86
OAuth in 2021. What's new?
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
0
240
Part 1 - OAuth 2.0 Security Best Practices
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
5
1.5k
Part 2 - Beyond OAuth 2.1
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
5
660
OAuth and OpenID Connect: Security Best Practices
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
2
2.1k
Designing OpenID Connect and OAuth-based Systems
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
3
440
Securing Web Applications and APIs with ASP.NET Core 3
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
2
690
Building Clients for OpenID Connect/OAuth 2.0-based Systems
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
0
400
Building Clients for OpenID Connect/OAuth 2-based Systems
75681814fbbb90c9224ea5ed0f8324ee?s=48 leastprivilege
5
380

Other Decks in Programming

See All in Programming
ESM移行は無理だけどおれもSindreのライブラリが使いたい!
208355d7af69fa84a78048f78077048a?s=48 sosukesuzuki
2
540
Rに管理されてみる
154699a2e3d8b497494a5ee118f211a5?s=48 kazutan
0
250
プロダクトの成長とSREと
5a9fb3b80c517e51e4e95a27b63c6a67?s=48 takuyatezuka
0
120
Amazon Lookout for Visionで 筆跡鑑定してみた
B3cc0e7ba8e6c941f08a2e6f69d3e4c2?s=48 cmnakamurashogo
0
160
「困りごと」から始める個人開発
4a0e3afe85259f2973dbc9386b6a4bb3?s=48 ikumatadokoro
4
250
Better Angular Architectures: Architectures with Standalone Components @DWX2022
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
1
410
Amazon SageMakerでImagenを動かして猫画像生成してみた
5426a03f740cd61fa5e0d4bfdb7a6cc8?s=48 hotoke_neko
0
110
サーバーレスパターンから学ぶデータ分析基盤構築 / devio2022
82d6167c4d14393c2e20b37a74b363c5?s=48 kasacchiful
0
490
ECサイトの脆弱性診断をいい感じにやりたい/OWASPKansaiNight_LT1_220727
341ac9f717b3904d6674784c0fcd9cf2?s=48 owaspkansai
0
290
Pluggable Storage in PostgreSQL
62f5ee39e37ba4f8a22acc714781c879?s=48 sira
1
190
FullStack eXchange, July 2022
6f3ec7315ad0715ae2a5f89a52877218?s=48 brucel
0
200
これからのスクラムマスターのキャリアプランの話をしよう - スクラムマスターの前に広がる世界
93b2f8445b4096456c336ec2ea5dd0e7?s=48 psj59129
0
200

Featured

See All Featured
Easily Structure & Communicate Ideas using Wireframe
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
181
15k
YesSQL, Process and Tooling at Scale
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
157
12k
KATA
E9221b172e78e888355fa2fe4541b595?s=48 mclloyd
7
8.8k
Fontdeck: Realign not Redesign
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
73
4.1k
Fight the Zombie Pattern Library - RWD Summit 2016
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
226
15k
For a Future-Friendly Web
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
166
7.5k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
107
16k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
237
19k
Making the Leap to Tech Lead
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
113
7.4k
Building a Scalable Design System with Sketch
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
448
30k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
6k
Building Adaptive Systems
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
1.2k

Transcript

  1. Securing Web Applications and APIs with ASP.NET Core 2.2 and

    3.0 Dominick Baier @leastprivilege

  2. 2 @leastprivilege / @brocklallen Me • Independent Consultant – Specializing

    on Application Security Architectures – Working with Software Development Teams (ISVs and in-house) • Co-Creator of IdentityServer & IdentityModel OSS Project – Certified OpenID Connect & OAuth 2.0 Implementation for .NET – https://identityserver.io • Co-Creator of PolicyServer – Modern Authorization Solution – https://policyserver.io email dominick.baier@leastprivilege.com blog http://leastprivilege.com twitter @leastprivilege slides https://speakerdeck.com/leastprivilege

  3. 3 @leastprivilege / @brocklallen The dark ages…

  4. 4 @leastprivilege / @brocklallen

  5. Modern Application Architecture Browser Native App Server App/Thing Web App

    Service Service Service Identity Provider Authorization Policy Provider

  6. 6 @leastprivilege / @brocklallen Agenda • Hosting • Data Protection

    • Authentication • Authorization • Identity • IdentityServer integration https://github.com/leastprivilege/AspNetCoreSecuritySamples

  7. 7 @leastprivilege / @brocklallen Hosting HTTPS HTTPS HTTP/HTTPS Using a

    reverse proxy Edge Kestrel Kestrel

  8. 8 @leastprivilege / @brocklallen Kestrel Security • HTTPS by default

    – static configuration or dynamic selection (SNI) – dotnet dev-certs tool for local development • Need to fine-tune transport parameters when doing edge hosting – Keep-Alive timeouts – Request Header limits – Request/Response buffer sizes – Request line size – Request header limits – Request header count limits – Request/Response body timeouts & data rates – Total client connections – Handshake timeous – …

  9. 9 @leastprivilege / @brocklallen ASP.NET Core Architecture • Host •

    Pipeline & middleware • Services Console Application .NET (Core) ASP.NET Core Middleware Middleware User Agent MVC DI

  10. 10 @leastprivilege / @brocklallen Data Protection • Remember this? <system.web>

    <!– copied from the 90ies --> <machineKey decryptionKey="656E7...617365206865726547A5" validationKey="07C1493415E4405F08...6EF8B1F" /> </system.web> For giggles: "https://www.google.com/#q=<machineKey filetype:config"

  11. 11 @leastprivilege / @brocklallen Data Protection in ASP.NET Core •

    Keys are stored outside of application directory – profile – registry – Azure web apps magic – Redis – manual • Automatic key management – 512 bit master key / AES-256 CBC / HMACSHA256 – rotated every 90 days – automatic application isolation • Key protection – DPAPI, X509, Azure KeyVault

  12. 12 @leastprivilege / @brocklallen

  13. 13 @leastprivilege / @brocklallen Who uses Data Protection? • ASP.NET

    Core – protecting cookies – anti-forgery – protecting OpenID Connect/OAuth state – [TempData] • You – IDataProtectionProvider service – can be also used with non-ephemeral data • if key ring is properly stored / backed-up

  14. 14 @leastprivilege / @brocklallen Authentication in ASP.NET Core • Authenticating

    users/clients – local – Google, Facebook, and other proprietary providers* – OpenID Connect, WS-Federation & SAML** for standards-based external authentication – JSON web token (JWT) for token-based API authentication • Session Management – cookies * 40+ more https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers ** https://github.com/Sustainsys/Saml2

  15. 15 @leastprivilege / @brocklallen Setting up authentication public void ConfigureServices(IServiceCollection

    services) { services.AddAuthentication(defaultScheme: "cookies") .AddCookies(scheme: "cookies") .AddGoogle(scheme: "google") .AddOpenIdConnect(scheme: "idsrv"); } public void Configure(IApplicationBuilder app) { app.UseAuthentication(); }

  16. 16 @leastprivilege / @brocklallen Interacting with the authentication system public

    interface IAuthenticationService { // authenticate the specified scheme. Task<AuthenticateResult> AuthenticateAsync(HttpContext context, string scheme); // session management Task SignInAsync(HttpContext context, string scheme, ClaimsPrincipal principal, AuthenticationProperties properties); Task SignOutAsync(HttpContext context, string scheme, AuthenticationProperties properties); // signal that authentication is required Task ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties); // signal that access is denied Task ForbidAsync(HttpContext context, string scheme, AuthenticationProperties properties); }

  17. 17 @leastprivilege / @brocklallen Interacting with the authentication system (2)

    • Convenience extension methods public static class AuthenticationHttpContextExtensions { public static Task SignInAsync(this HttpContext context, ClaimsPrincipal principal) { } public static Task SignInAsync(this HttpContext context, string scheme, ClaimsPrincipal principal) { } public static Task SignOutAsync(this HttpContext context) { } public static Task SignOutAsync(this HttpContext context, string scheme) { } public static Task ChallengeAsync(this HttpContext context) { } public static Task ChallengeAsync(this HttpContext context, string scheme) { } public static Task ForbidAsync(this HttpContext context) { } public static Task ForbidAsync(this HttpContext context, string scheme) { } public static Task<AuthenticateResult> AuthenticateAsync(this HttpContext context) { } public static Task<AuthenticateResult> AuthenticateAsync(this HttpContext context, string scheme) { } }

  18. 18 @leastprivilege / @brocklallen Session Management (1) public void ConfigureServices(IServiceCollection

    services) { services.AddAuthentication(defaultScheme: "Cookies") .AddCookie("Cookies", options => { options.LoginPath = "/account/login"; options.AccessDeniedPath = "/account/denied"; options.Cookie.Name = "myapp"; options.Cookie.Expiration = TimeSpan.FromHours(8); options.SlidingExpiration = false; options.Cookie.SameSite = SameSiteMode.Lax; }); }

  19. 19 @leastprivilege / @brocklallen Session Management (2) • Cookie contains

    – claims – metadata var claims = new List<Claim> { new Claim("sub", "123"), new Claim("name", "Bob") }; var ci = new ClaimsIdentity(claims, "password", "name", "role"); var props = new AuthenticationProperties { Items = { { "token", "abc" } } }; await HttpContext.SignInAsync(new ClaimsPrincipal(ci), props); await HttpContext.SignOutAsync();

  20. 20 @leastprivilege / @brocklallen Advanced Features • The cookie handler

    has an eventing model – additional validation on incoming cookie – redirect/sign-in/sign-out interception – sign-out cleanup • Session storage mechanism can be replaced – e.g. server-side (Redis, Cosmos DB..) – keeps cookies small – allows for server-side revocation https://leastprivilege.com/2019/01/14/automatic-oauth-2-0-token-management-in-asp-net-core/

  21. 21 @leastprivilege / @brocklallen External Authentication • Special type of

    authentication handler – RemoteAuthenticationHandler – ChallengeAsync sends authentication/token request – SignOutAsync sends sign-out request – provides callback endpoints to process protocol responses Challenge(scheme) Handler's ChallengeAsync method gets invoked Redirect to external provider External provider Authentication middleware asks handlers who wants to process request callback Handlers does the protocol post- processing Call sign-in handler (sets cookie containing external identity) Redirect to final URL

  22. 22 @leastprivilege / @brocklallen Example: Sign-in & Token Request w/

    OpenID Connect services.AddAuthentication(options => { options.DefaultScheme = "cookies"; options.DefaultChallengeScheme = "oidc"; }) .AddCookie("cookies") .AddOpenIdConnect("oidc", options => { options.Authority = "https://demo.identityserver.io"; options.ClientId = "server.hybrid"; options.ClientSecret = "secret"; options.ResponseType = "code id_token"; options.Scope.Clear(); options.Scope.Add("openid"); options.Scope.Add("api"); });

  23. 23 @leastprivilege / @brocklallen API Authentication • Built-in support for

    JWT bearer tokens – see https://github.com/IdentityModel/IdentityModel.AspNetCore.OAuth2Introspection for RFC 7662 support public void ConfigureServices(IServiceCollection services) { services.AddAuthentication("jwt") .AddJwtBearer("jwt", options => { options.Authority = "https://demo.identityserver.com"; options.Audience = "api" }); }

  24. 24 @leastprivilege / @brocklallen Authorization • Policy-based authorization – based

    on properties of the caller/user • Resource-based authorization – takes the resource that is being manipulated into account as well • Authorization is a service – DI based – extensible – testable • Will be also available as middleware in 3.0 https://github.com/blowdart/AspNetAuthorizationWorkshop

  25. 25 @leastprivilege / @brocklallen Example Authorization Policy services.AddAuthorization(options => {

    options.AddPolicy("ManageCustomers", policy => { policy.RequireAuthenticatedUser(); policy.RequireClaim("department", "sales"); policy.RequireClaim("status", "senior"); }); }); [Authorize("ManageCustomers")] public IActionResult Manage() { // stuff } Startup Controller

  26. 26 @leastprivilege / @brocklallen Programmatically using policies public class CustomerController

    : Controller { private readonly IAuthorizationService _authz; public CustomerController(IAuthorizationService authz) { _authz = authz; } public async Task<IActionResult> Manage() { var result = await _authz.AuthorizeAsync(User, "ManageCustomers"); if (result.Succeeded) return View(); return Forbid(); } }

  27. 27 @leastprivilege / @brocklallen Custom Authorization Handler public class JobLevelRequirementHandler

    : AuthorizationHandler<JobLevelRequirement> { private readonly IOrganizationService _service; public JobLevelRequirementHandler(IOrganizationService service) { _service = service; } protected override void Handle( AuthorizationContext context, JobLevelRequirement requirement) { var currentLevel = _service.GetJobLevel(context.User); if (currentLevel == requirement.Level) { context.Succeed(requirement); } } }

  28. 28 @leastprivilege / @brocklallen Resource-based Authorization Subject Object Operation -

    client ID - subject ID - scopes - more claims + DI - read - write - send via email - ... - ID - owner - more properties + DI

  29. 29 @leastprivilege / @brocklallen Example: Document resource public class DocumentAuthorizationHandler

    : AuthorizationHandler<OperationAuthorizationRequirement, Document> { public override Task HandleRequirementAsync( AuthorizationHandlerContext context, OperationAuthorizationRequirement operation, Document resource) { // authz logic } }

  30. 30 @leastprivilege / @brocklallen Invoking the authorization handler public class

    DocumentController : Controller { private readonly IAuthorizationService _authz; public DocumentController(IAuthorizationService authz) { _authz = authz; } public async Task<IActionResult> Update(Document doc) { if ((await _authz.AuthorizeAsync(User, doc, Operations.Update)).Failure) { return Forbid(); } // do stuff } }

  31. 31 @leastprivilege / @brocklallen ASP.NET Identity • Library for managing

    identity data for users – manages credentials (e.g. passwords, complexity) – lockout for brute force prevention – mapping external authentication • Stores this data in database – can be used to maintain additional user attributes/claims • Provides primitives for email confirmation, password reset, and MFA workflows • Abstraction on cookie authentication handler – sign-in/sign-out

  32. 32 @leastprivilege / @brocklallen The missing link • ASP.NET Identity

    templates are geared towards local authentication • IdentityServer adds OpenID Connect & OAuth 2.0 for remote authentication • ASP.NET Core 2.2 + ships with an IdentityServer integration library – "zero config" IdentityServer using ASP.NET Identity & local APIs – Web API and SPA template • Will be expanded to more advanced scenarios in 3.0 – separating IdentityServer from APIs – dynamic client registration

  33. 33 @leastprivilege / @brocklallen Thanks! …and (because I always forget)

    - we have stickers!