Slide 1

Authentication in .NET 8: What's new?
Zaragoza - 26/10/2023
Hugo Biarge

Slide 2

Hugo Biarge
Developer
[email protected]
@hbiarge

Slide 3

Agenda
• Authentication in .NET
• ASP.NET Identity: new API endpoints
• Recommended authentication flows
Samples: https://github.com/hbiarge/Identity-Samples
Disclaimer! We are going to talk mostly about web environments.

Slide 4

Authentication in .NET
Nothing changed here, just a refresher…

Slide 5

Authentication vs Authorization
Authentication: find the authentication information in the request, use the configured handlers to read it, and create a ClaimsPrincipal holding the requester's ClaimsIdentity and Claims.
Authorization: based on the requester's claims, the resource state and potentially other information, allow or deny the action, or filter the resource information that is returned.

Slide 6

Authentication in ASP.NET Core
• One authentication middleware that uses an IAuthenticationService
• AuthenticationHandlers registered as services allow different authentication strategies
• IAuthenticationSchemeProvider and IAuthenticationHandlerProvider as services to manage apps with several schemes

Slide 7

Configuration
• Add the authentication services to the DI container
• Configure the default schemes
• Add as many authentication handlers as you need
• Use the authentication middleware (before the authorization middleware)

Slide 8

Schemes, handlers and options
• You register a Scheme that uses an AuthenticationHandler with its AuthenticationSchemeOptions
• Scheme names MUST be unique
• Different Schemes can use the same AuthenticationHandler type
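
A worked Program.cs for the four configuration steps (slide 7) and the scheme/handler rules (slide 8). This is an added example, not code from the talk or from the Identity-Samples repository. The scheme names "Api-A" and "Api-B", the authorities, audiences and paths are assumptions; it needs the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
// Added example (not from the talk): .NET 8 minimal API registering one cookie scheme and
// two JwtBearer schemes. All scheme names, authorities, audiences and paths are assumed.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    // 1. Add the authentication services and 2. configure the default schemes.
    //    DefaultScheme covers Authenticate/Challenge/Forbid/SignIn/SignOut unless a more
    //    specific Default*Scheme is set.
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    // 3. Handlers: the cookie scheme (a local handler)...
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        options.LoginPath = "/account/login";
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    })
    // ...and two schemes that share the JwtBearerHandler type but have unique names,
    // each trusting a different issuer/audience pair.
    .AddJwtBearer("Api-A", options =>
    {
        options.Authority = "https://login.example.com/tenant-a";   // assumed issuer
        options.Audience = "api-a";
    })
    .AddJwtBearer("Api-B", options =>
    {
        options.Authority = "https://login.example.com/tenant-b";   // assumed issuer
        options.Audience = "api-b";
    });

builder.Services.AddAuthorization(options =>
{
    // Authenticates with either bearer scheme and ignores the cookie, so a browser
    // session can never be replayed against the API surface.
    options.AddPolicy("ApiUser", policy => policy
        .AddAuthenticationSchemes("Api-A", "Api-B")
        .RequireAuthenticatedUser());
});

var app = builder.Build();

// 4. The authentication middleware runs Authenticate for the default scheme on every
//    request; it must precede the authorization middleware that issues Challenge/Forbid.
app.UseAuthentication();
app.UseAuthorization();

// Default (cookie) scheme: an anonymous caller is redirected to LoginPath.
app.MapGet("/me", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous")
   .RequireAuthorization();

// Only the two JWT schemes are consulted here: a valid cookie alone gets a 401.
app.MapGet("/api/data", () => Results.Ok(new { ok = true }))
   .RequireAuthorization("ApiUser");

app.Run();
```

Because the policy names its schemes explicitly, the authorization middleware runs Authenticate against "Api-A" and "Api-B" for that endpoint and issues the Challenge on those schemes (a 401 with WWW-Authenticate), not on the cookie scheme.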

Slide 9

IAuthenticationService (I)
• Authenticate
  • Executed on every request
  • Tries to get the authentication information from the request and create the AuthenticationTicket
• Challenge
  • What to do when no authentication information can be found in the request
• Forbid
  • What to do when authentication succeeded but authorization is not satisfied

Slide 10

IAuthenticationService (II)
• SignIn
  • When a handler knows how to store authentication information for future use
  • For example, CookieAuthenticationHandler stores the authentication information in a cookie
• SignOut
  • When a handler knows how to remove the stored authentication information
  • For example, CookieAuthenticationHandler removes the authentication cookie
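
The five operations of slides 9 and 10 seen from the handler side, as an added example that is not code from the talk: a header-based API key handler implements Authenticate, Challenge and Forbid only, while the cookie handler next to it implements SignIn and SignOut. The header name, the key table, the placeholder password check and the endpoint paths are assumptions.

```csharp
// Added example (not from the talk). Assumed: header X-Api-Key, a static key table, a
// placeholder password check. Top-level statements first, handler types below.
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()                                              // implements SignIn/SignOut
    .AddScheme<ApiKeyOptions, ApiKeyHandler>("ApiKey",        // Authenticate/Challenge/Forbid only
        o => o.Keys["k-123"] = "svc-reporting");              // assumed key -> principal name
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// SignIn: the cookie handler serialises the ClaimsPrincipal into a data-protected cookie.
app.MapPost("/account/login", async (HttpContext ctx, LoginDto dto) =>
{
    if (dto.Password != "hunter2") return Results.Unauthorized();   // placeholder, not real validation
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, dto.User) }, CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
    return Results.Ok();
});

// SignOut: the cookie handler deletes the cookie. SignOutAsync("ApiKey") would throw,
// because ApiKeyHandler does not implement IAuthenticationSignOutHandler.
app.MapPost("/account/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.Ok();
});

// Authenticated by the ApiKey scheme. A key whose principal lacks the "reporting" role
// is authenticated but not authorized, which is exactly the Forbid case (403).
app.MapGet("/report", (ClaimsPrincipal u) => $"report for {u.Identity!.Name}")
   .RequireAuthorization(p => p.AddAuthenticationSchemes("ApiKey").RequireRole("reporting"));
app.Run();

record LoginDto(string User, string Password);

sealed class ApiKeyOptions : AuthenticationSchemeOptions
{
    public string HeaderName { get; set; } = "X-Api-Key";
    public Dictionary<string, string> Keys { get; } = new();   // assumed key -> user name table
}

sealed class ApiKeyHandler(IOptionsMonitor<ApiKeyOptions> options, ILoggerFactory logger, UrlEncoder encoder)
    : AuthenticationHandler<ApiKeyOptions>(options, logger, encoder)
{
    // Authenticate: runs for every request that targets this scheme.
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue(Options.HeaderName, out var values))
            return Task.FromResult(AuthenticateResult.NoResult());     // nothing to read -> Challenge later
        if (!Options.Keys.TryGetValue(values.ToString(), out var userName))
            return Task.FromResult(AuthenticateResult.Fail("unknown API key"));

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, userName), new Claim(ClaimTypes.Role, "reporting") },
            Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }

    // Challenge: no usable credentials. An API scheme answers 401, never a redirect.
    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        Response.StatusCode = StatusCodes.Status401Unauthorized;
        Response.Headers.WWWAuthenticate = $"ApiKey header=\"{Options.HeaderName}\"";
        return Task.CompletedTask;
    }

    // Forbid: the key was valid but authorization failed -> 403.
    protected override Task HandleForbiddenAsync(AuthenticationProperties properties)
    {
        Response.StatusCode = StatusCodes.Status403Forbidden;
        return Task.CompletedTask;
    }
}
```

NoResult and Fail behave differently downstream: NoResult means "this scheme saw nothing" and lets the authorization middleware issue a Challenge; Fail carries a failure that the middleware also turns into a Challenge, but the reason is logged, which is the one you want for a wrong or revoked key.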

Slide 11

Local vs Remote authentication handlers
• Local
  • Don't use external resources to perform authentication
  • For example, CookieAuthenticationHandler or JwtBearerHandler
• Remote
  • These handlers interact with external resources to perform authentication flows
  • They need to handle requests to special endpoints to complete those authentication flows (request-handling schemes)
  • They delegate SignIn to another configured local authentication handler
  • For example, the OpenIdConnectHandler interacts with an external OpenID Provider to perform the authentication flow

Slide 12

ASP.NET Identity
New API endpoints

Slide 13

Main features
• Password hashing
• User and password validation
• Password reset and email confirmation
• User lockout
• Multi-factor authentication
• External identities

Slide 14

General architecture (diagram)
Source: https://devblogs.microsoft.com/dotnet/improvements-auth-identity-aspnetcore-8

Slide 15

How to interact with ASP.NET Identity?
• Default UI
  • Included in the Microsoft.AspNetCore.Identity.UI NuGet package
  • Can be customized by scaffolding the Identity pages
• NEW in .NET 8: Identity API endpoints
  • Allow interacting with ASP.NET Identity via an HTTP API
  • Focused on authentication for SPAs and Blazor apps
• Why now?
  • It's the consequence of another .NET drama (https://devblogs.microsoft.com/dotnet/improvements-auth-identity-aspnetcore-8)
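
Wiring the new endpoints, as an added example rather than code from the talk or the Identity-Samples repository. The EF Core context, the in-memory provider (so it runs without a database), the /auth group prefix and the option values are assumptions; it needs the Microsoft.AspNetCore.Identity.EntityFrameworkCore and Microsoft.EntityFrameworkCore.InMemory packages.

```csharp
// Added example (not from the talk). Assumed: in-memory EF Core store, /auth prefix, option values.
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("identity-demo"));
builder.Services.AddAuthorization();

// Registers Identity plus the "Identity.BearerAndApplication" policy scheme, which forwards to
// the opaque bearer-token handler when an Authorization header is present and to the
// "Identity.Application" cookie otherwise. The option values below are assumptions.
builder.Services
    .AddIdentityApiEndpoints<IdentityUser>(o =>
    {
        o.Password.RequiredLength = 12;
        o.User.RequireUniqueEmail = true;
        o.SignIn.RequireConfirmedEmail = false;   // true needs an IEmailSender<IdentityUser> registered
        o.Lockout.MaxFailedAccessAttempts = 5;
        o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    })
    .AddEntityFrameworkStores<AppDbContext>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Maps POST /auth/register, /auth/login, /auth/refresh, /auth/manage/2fa, /auth/manage/info, ...
app.MapGroup("/auth").MapIdentityApi<IdentityUser>();

// Works with either the cookie or the bearer token thanks to the composite scheme.
app.MapGet("/me", (ClaimsPrincipal u) => new { name = u.Identity?.Name }).RequireAuthorization();

app.Run();

// Constructed exchange (not captured from a real server), body {"email":"a@example.com","password":"Correct-horse-1-battery"}:
//   POST /auth/register                 -> 200
//   POST /auth/login?useCookies=true    -> 200 + Set-Cookie: .AspNetCore.Identity.Application=...
//   POST /auth/login                    -> {"tokenType":"Bearer","accessToken":"...","expiresIn":3600,"refreshToken":"..."}

class AppDbContext(DbContextOptions<AppDbContext> options) : IdentityDbContext<IdentityUser>(options) { }
```

Two things a practitioner should know before exposing this: the accessToken returned without useCookies is an opaque, data-protected blob, not a JWT, so it is only valid against this application and cannot be handed to a third-party API; and the cookie variant is the same cookie handler as the rest of ASP.NET Identity, so the SameSite and CSRF considerations of the BFF slide apply to it unchanged.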

Slide 16

Should we use the new endpoints?
• As always… it depends 😎
• Highly recommended: https://andrewlock.net/should-you-use-the-dotnet-8-identity-api-endpoints
• The landscape is evolving fast and is not yet stable for auth
  • User agents are phasing out third-party cookies (https://developer.chrome.com/docs/privacy-sandbox/third-party-cookie-phase-out)
  • This affects some base OAuth2 specifications
  • No-tokens-in-the-browser policy
  • User agent initiatives to solve federated identity without third-party cookies
  • FedCM (https://developer.chrome.com/docs/privacy-sandbox/fedcm)

Slide 17

Recommended authentication flows
For different types of applications

Slide 18

Web apps (server-side rendered)
Local users
• Cookie based authentication
• ASP.NET Identity
• Support for external IdPs
Federated
• Cookie based authentication
• Remote handler + local cookie
  • OAuth
  • OpenIdConnect
  • WsFederation
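
The federated variant above (remote handler + local cookie) is also the concrete case of slide 11: the OpenIdConnectHandler does the round trip to the OpenID Provider and then delegates SignIn to the cookie handler. The following is an added example, not code from the talk; the OpenID Provider URL, client id, secret key name and paths are assumptions, and it needs the Microsoft.AspNetCore.Authentication.OpenIdConnect package.

```csharp
// Added example (not from the talk): server-rendered web app with a remote OIDC handler that
// hands the identity to the local cookie handler. IdP URL, client id and paths are assumed.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;     // local: every request
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;    // remote: only on login
    })
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://idp.example.com";                      // assumed OpenID Provider
        options.ClientId = "web-app";                                       // assumed client registration
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];  // user-secrets/env, never in code
        options.ResponseType = OpenIdConnectResponseType.Code;              // code flow, not implicit
        options.UsePkce = true;                                             // the default, stated for clarity
        options.CallbackPath = "/signin-oidc";                              // request-handling endpoint owned by the handler
        options.SignedOutCallbackPath = "/signout-callback-oidc";
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; // SignIn delegated to the local handler
        options.SaveTokens = false;                                         // keep tokens out of the cookie unless the app calls APIs
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("email");
        options.TokenValidationParameters.NameClaimType = "name";
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity is { IsAuthenticated: true } id ? $"Hello {id.Name}" : "Anonymous");

// Challenge on the OIDC scheme: redirect to the OP, return on /signin-oidc, cookie issued,
// then redirect to RedirectUri.
app.MapGet("/login", () => Results.Challenge(
    new AuthenticationProperties { RedirectUri = "/" },
    new[] { OpenIdConnectDefaults.AuthenticationScheme }));

// SignOut on both schemes: the cookie handler clears the local session, the OIDC handler
// redirects to the OP's end_session endpoint. POST, so a cross-site link cannot trigger it.
app.MapPost("/logout", () => Results.SignOut(
    new AuthenticationProperties { RedirectUri = "/" },
    new[] { CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme }));

// Unauthenticated -> Challenge -> DefaultChallengeScheme (OIDC) takes over.
app.MapGet("/secure", (HttpContext ctx) => $"Only for {ctx.User.Identity!.Name}")
   .RequireAuthorization();

app.Run();
```

The split of defaults is the point: after the first login every request is served from the cookie without touching the OP, and the remote handler only runs on a Challenge and on its own callback paths.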

Slide 19

Web APIs
Serving SPAs
• Cookie based authentication
  • With SameSite=Strict and CSRF protection
• BFF (Backend For Frontend) authentication pattern
  • Valid for local and federated users
  • Authentication flows stay on the server
  • Reference implementation: https://docs.duendesoftware.com/identityserver/v6/bff
Public-facing
• Token based authentication
  • JWT recommended
https://oauth.net/2/browser-based-apps
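
What "cookie based with SameSite=Strict and CSRF" looks like for the API half of a BFF, as an added example and not the Duende reference implementation or code from the talk. The cookie name, the /api prefix and the X-CSRF header name are assumptions.

```csharp
// Added example (not from the talk): a cookie-authenticated API for a same-site SPA.
// Cookie name, /api prefix and the custom header name are assumptions.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "__Host-bff";                 // __Host- prefix: Secure, Path=/, no Domain
        options.Cookie.HttpOnly = true;                     // no token in the browser: scripts cannot read it
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;      // the browser never attaches it cross-site
        options.ExpireTimeSpan = TimeSpan.FromHours(8);

        // An API must answer 401/403; the default redirect to LoginPath breaks fetch() callers.
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
        options.Events.OnRedirectToAccessDenied = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return Task.CompletedTask;
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();

// CSRF defence in depth for /api: require a custom header. A cross-site <form> or <img>
// cannot add one, and a cross-origin fetch() that does triggers a CORS preflight that this
// app does not answer. SameSite=Strict already withholds the cookie; this covers the
// cases where SameSite is not enforced.
app.Use(async (ctx, next) =>
{
    if (ctx.Request.Path.StartsWithSegments("/api") && ctx.Request.Headers["X-CSRF"] != "1")
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        await ctx.Response.WriteAsync("missing X-CSRF header");
        return;
    }
    await next(ctx);
});
app.UseAuthorization();

// The login endpoint is omitted: in a BFF it is a Challenge against the remote (OIDC) scheme,
// and this cookie is the one the remote handler signs into.
app.MapGet("/api/user", (ClaimsPrincipal u) =>
        new { name = u.Identity?.Name, claims = u.Claims.Select(c => new { c.Type, c.Value }) })
   .RequireAuthorization();

app.Run();
```

Strict is safe for an API cookie because the SPA always reaches /api with same-origin fetch() calls; a top-level navigation arriving from another site (a link in an email) loads the page without the cookie, but the SPA's first request then carries it. It is not safe for the front-channel OIDC callback on the same host, which is why the handler's correlation and nonce cookies are separate, short-lived cookies with their own SameSite setting.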

Slide 20

Mobile and native apps
• OpenID Connect
• Authorization Code flow with PKCE
https://oauth.net/2/native-apps
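
The PKCE part of that flow, written out as an added example (not code from the talk): a native app derives the challenge, sends only the challenge on the front channel, and redeems the code on the back channel with the verifier and no client secret. The IdP URL, client id and loopback port are assumed values; the final self-check uses the RFC 7636 Appendix B test vector.

```csharp
// Added example (not from the talk): PKCE (RFC 7636) for a native app using the Authorization
// Code flow with a loopback redirect (RFC 8252). IdP URL, client id and port are assumed.
using System.Security.Cryptography;
using System.Text;

// 1. Before opening the system browser, create a verifier and derive its challenge.
var verifier = Pkce.NewVerifier();   // kept in process memory; never sent on the front channel
var state = Pkce.NewVerifier();      // independent random value, checked on the callback (CSRF/mix-up defence)

var authorizeUrl = "https://idp.example.com/connect/authorize" +
    "?response_type=code&client_id=mobile-app" +
    "&redirect_uri=" + Uri.EscapeDataString("http://127.0.0.1:43817/callback") +
    "&scope=" + Uri.EscapeDataString("openid profile offline_access") +
    "&code_challenge_method=S256&code_challenge=" + Pkce.Challenge(verifier) +
    "&state=" + state;

// 2. The browser returns ?code=...&state=... to the loopback listener. After checking that
//    state matches, the app redeems the code with the verifier. Public client: no client_secret.
var tokenRequest = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["grant_type"] = "authorization_code",
    ["client_id"] = "mobile-app",
    ["code"] = "<code from callback>",          // placeholder
    ["redirect_uri"] = "http://127.0.0.1:43817/callback",
    ["code_verifier"] = verifier,
});

// 3. What the authorization server does at the token endpoint: an intercepted code is
//    useless without the verifier, because only its hash travelled on the front channel.
bool accepted = Pkce.Verify(verifier, Pkce.Challenge(verifier));            // true
bool stolen = Pkce.Verify(Pkce.NewVerifier(), Pkce.Challenge(verifier));    // false

// RFC 7636 Appendix B vector.
bool vectorOk = Pkce.Challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
             == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
Console.WriteLine($"{authorizeUrl}\naccepted={accepted} stolen={stolen} vectorOk={vectorOk}");

static class Pkce
{
    // 32 random bytes -> 43-character base64url verifier (RFC 7636 allows 43..128 chars).
    public static string NewVerifier() => Base64Url(RandomNumberGenerator.GetBytes(32));

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256.
    public static string Challenge(string verifier) =>
        Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

    // Server-side comparison at the token endpoint, in constant time.
    public static bool Verify(string verifier, string storedChallenge) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(Challenge(verifier)), Encoding.ASCII.GetBytes(storedChallenge));

    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

The loopback redirect and the absence of a client secret are what make this the recommended native-app shape: a secret compiled into an app is extractable, while the verifier exists only for the duration of one login on the device that started it.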

Slide 21

Other interesting technologies
• Passkeys
  • WebAuthn + FIDO2
  • Passwordless authentication + MFA
  • The future of user authentication

Slide 22

Thanks! Questions?