.NET Core, ASP.NET Core & MVC Security Overview Dominick Baier [email protected] http://leastprivilege.com @leastprivilege

2 @leastprivilege Me • Independent Consultant – Specializing in Identity & Access Control – Working with Software Development Teams (ISVs and in-house) • Creator and Maintainer of IdentityServer OSS Project – Certified OpenID Connect & OAuth 2.0 Implementation for ASP.NET – https://identityserver.io [email protected] http://leastprivilege.com slides: https://speakerdeck.com/leastprivilege

3 @leastprivilege The new .NET

4 @leastprivilege

5 @leastprivilege Platform specific Implementation where needed AES.Create() OpenSSL Windows CNG Apple Crypto .NET API Surface Platform Abstraction Layer

Modern Application Architecture Browser Native App Server App/Thing Web App Service Service Service

7 @leastprivilege Initial Design public interface IIdentity { bool IsAuthenticated { get; } string AuthenticationType { get; } string Name { get; } } public interface IPrincipal { IIdentity Identity { get; } bool IsInRole(string roleName); }

8 @leastprivilege Dealing with identity (old school) Plumbing code / Infrastructure / Runtime Application logic Thread.CurrentPrincipal set get TLS Application

9 @leastprivilege Updates to Identity over Time 2002 .NET 1.0 ASP.NET 1.0 2006 .NET 3.0 WCF (#fail) 2009 WIF 2012 .NET 4.5 2013 Katana 2.0 2014 Katana 3.0 2016 .NET Core ASP.NET Core Claims + Security Token Support = External Authentication

10 @leastprivilege ASP.NET Core Architecture • ASP.NET Core is the HTTP runtime • MVC is Microsoft's primary application framework – combines web UI & API Console Application .NET (Core) ASP.NET Core Middleware Middleware User Agent MVC DI

11 @leastprivilege Security Architecture in ASP.NET Core • Everything is based on ClaimsPrincipal – no more custom IPrincipal • Authentication is implemented as middleware – cookies – external authentication • Other security related services – CORS, logging, encoding, anti-forgery • New data protection API • New authorization API

12 @leastprivilege Authentication in ASP.NET Core • Various middleware provide authentication features – Cookies for browser based authentication – Google, Facebook, and other social authentication – OpenId Connect for external authentication – JSON web token (JWT) for token-based authentication

13 @leastprivilege AuthenticationManager • Central API for coordinating authentication middleware – availabe via HttpContext public abstract class AuthenticationManager { public abstract IEnumerable GetAuthenticationSchemes(); public virtual Task SignInAsync(string authenticationScheme, ClaimsPrincipal principal); public virtual Task SignOutAsync(string authenticationScheme); public virtual Task AuthenticateAsync(string authenticationScheme); public virtual Task ChallengeAsync(string authenticationScheme); public virtual Task ForbidAsync(); // ... }

14 @leastprivilege Cookie Authentication Middleware • Forms / Session authentication replacement public void Configure(IApplicationBuilder app) { app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Cookies", AutomaticAuthenticate = true, AutomaticChallenge = true, LoginPath = new PathString("/Account/Login"), AccessDeniedPath = new PathString("/Account/AccessDenied") }); }

15 @leastprivilege Cookies: Logging in • SignInAsync issues cookie – Authentication scheme parameter indicates which middleware var claims = new Claim[] { new Claim("sub", "37734"), new Claim("name", "Dominick Baier") }; var ci = new ClaimsIdentity(claims, "password"); var cp = new ClaimsPrincipal(ci); await HttpContext.Authentication.SignInAsync("Cookies", cp);

16 @leastprivilege Cookies: Logging out • SignOutAsync removes cookie – Authentication scheme parameter indicates which middleware await HttpContext.Authentication.SignOutAsync("Cookies");

17 @leastprivilege Data Protection • Who thought this would be a good idea?? For giggles: "https://www.google.com/#q=

18 @leastprivilege Key Container Locations • On Azure Web Apps (no encryption) – %HOME%\ASP.NET\DataProtection-Keys • If user profile is loaded (encrypted) – %LOCALAPPDATA%\ASP.NET\DataProtection-Keys • IIS / no profile (encrypted) – Registry HKLM • In-Memory • Manual configuration 2015-05-02T08:20:38.6577127Z 2015-05-02T08:20:38.6424674Z 2015-07-31T08:20:38.6424674Z AQ...g==

19 @leastprivilege Claims Transformation • Per-request manipulation of principal & claims app.UseClaimsTransformation(context => { if (context.Principal.Identity.IsAuthenticated) { CreateApplicationPrincipal(context); } return Task.FromResult(context.Principal); });

20 @leastprivilege External Authentication • In the box – Google, Twitter, Facebook, Microsoft Account – OpenID Connect & JSON Web Tokens • New generic OAuth 2.0 middleware makes on-boarding other proprietary providers easier – LinkedIn, Slack, Spotify, WordPress, Yahoo, Github, Instragram, BattleNet, Dropbox, Paypal, Vimeo… https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers

21 @leastprivilege Social Identity Providers • Enabled with UseGoogleAuthentication, et al. – Rely upon cookie authentication middleware app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Cookies", AutomaticAuthenticate = true, }); app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Cookies", ClientId = "998042782978...", ClientSecret = "HsnwJri_53zn7..." });

22 @leastprivilege Social Identity Providers • ChallengeAsync triggers redirect for login – Control URL user returns to with AuthenticationProperties – MVC ChallengeResult works with action result architecture var props = new AuthenticationProperties { RedirectUri = "/Home/Secure" }; await HttpContext.Authentication.ChallengeAsync("Google", props); // or if using MVC: return new ChallengeResult("Google", props);

23 @leastprivilege Mixing local and external Authentication • Typically need registration logic for users from social providers – Use additional cookie middleware for processing registration app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Temp", AutomaticAuthenticate = false, AutomaticChallenge = false }); app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Temp", ClientId = "998042782978...", ClientSecret = "HsnwJri_53zn7..." });

24 @leastprivilege Mixing local and external Authentication • Redirect page performs local account registration logic – AuthenticateAsync triggers cookie middleware – Create local account or load existing account – Use primary cookie middleware to log user in (and remove temp cookie) var tempUser = await HttpContext.Authentication.AuthenticateAsync("Temp"); var userIdClaim = tempUser.FindFirst(ClaimTypes.NameIdentifier); var provider = userIdClaim.Issuer; var userId = userIdClaim.Value; // create local account if new, or load existing local account var user = new ClaimsPrincipal(...); await HttpContext.Authentication.SignInAsync("Cookies", user); await HttpContext.Authentication.SignOutAsync("Temp");

25 @leastprivilege The way forward… Browser Native App Server App "Thing" Web App Web API Web API Web API Security Token Service Authentication, SSO, account linking, federation, social logins…

26 @leastprivilege Security Protocols Browser Native App Server App "Thing" Web App Web API Web API Web API OpenID Connect OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 Security Token Service OpenID Connect OpenID Connect

27 @leastprivilege http://openid.net/connect/

28 @leastprivilege Libraries & Implementations

29 @leastprivilege OpenID Connect Certification

30 @leastprivilege

31 @leastprivilege Authentication for Web Applications GET /authorize ?client_id=app1 &redirect_uri=https://app.com/cb &response_type=id_token &response_mode=form_post &nonce=j1y…a23 &scope=openid profile email

32 @leastprivilege Authentication

33 @leastprivilege Consent

34 @leastprivilege Response POST /callback set cookie

35 @leastprivilege Identity Token { "typ": "JWT", "alg": "RS256", "kid": "mj399j…" } { "iss": "https://idsrv3", "exp": 1340819380, "aud": "app1", "nonce": "j1y…a23", "sub": "182jmm199", "email": "[email protected]", "name": "Alice", "amr": [ "password" ], "auth_time": 12340819300 } Header Payload eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt Header Payload Signature

36 @leastprivilege OpenID Connect Middleware • Much improved – support for implicit, code and hybrid flow – support for userinfo endpoint & better token management app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions { AuthenticationScheme = "OIDC", SignInScheme = "Cookies", Authority = "https://demo.identityserver.io", ClientId = "mvc", ClientSecret = "secret" ResponseType = "code id_token", SaveTokens = true });

37 @leastprivilege Web API Authentication • Middleware for JWT access tokens built-in – cookies not recommended app.UseJwtBearerAuthentication(new JwtBearerOptions { Authority = "https://localhost:44300", Audience = "my.api", options.AutomaticAuthenticate = true; });

38 @leastprivilege Issuing Tokens • No built-in token issuance middleware anymore – "Azure B2C Emulator" soon • IdentityServer is a full featured & certified token service – OpenID Connect and OAuth 2.0 (+ related specifications) http://github.com/identityserver

39 @leastprivilege Authorization • Complete re-write – support for unauthorized vs forbidden – better separation of business code and authorization logic – re-usable policies – resource/action based authorization – DI enabled

40 @leastprivilege [Authorize] • Similar syntax – roles still supported* [Authorize] public class HomeController : Controller { [AllowAnonymous] public IActionResult Index() { return View(); } [Authorize(Roles = "Sales")] public IActionResult About() { return View(User); } } * …and who thought that would be a good idea?

41 @leastprivilege Authorization policies services.AddAuthorization(options => { options.AddPolicy("ManageCustomers", policy => { policy.RequireAuthenticatedUser(); policy.RequireClaim("department", "sales"); policy.RequireClaim("status", "senior"); }); }; [Authorize("ManageCustomers")] public IActionResult Manage() { // stuff } Startup Controller

42 @leastprivilege Programmatically using policies public class CustomerController : Controller { private readonly IAuthorizationService _authz; public CustomerController(IAuthorizationService authz) { _authz = authz; } public async Task Manage() { var allowed = await _authz.AuthorizeAsync(User, "ManageCustomers"); if (!allowed) return Challenge(); return View(); } }

43 @leastprivilege …or from a View @using Microsoft.AspNetCore.Authorization @inject IAuthorizationService _authz @if (await _authz.AuthorizeAsync(User, "ManageCustomers")) { }

44 @leastprivilege Custom Requirements public class JobLevelRequirement : IAuthorizationRequirement { public JobLevel Level { get; } public JobLevelRequirement(JobLevel level) { Level = level; } } public static class StatusPolicyBuilderExtensions { public static AuthorizationPolicyBuilder RequireJobLevel( this AuthorizationPolicyBuilder builder, JobLevel level) { builder.AddRequirements(new JobLevelRequirement(level)); return builder; } }

45 @leastprivilege Handling Requirements public class JobLevelRequirementHandler : AuthorizationHandler { private readonly IOrganizationService _service; public JobLevelRequirementHandler(IOrganizationService service) { _service = service; } protected override void Handle( AuthorizationContext context, JobLevelRequirement requirement) { var currentLevel = _service.GetJobLevel(context.User); if (currentLevel == requirement.Level) { context.Succeed(requirement); } } }

46 @leastprivilege Resource-based Authorization Subject Object Operation - client ID - subject ID - scopes - more claims + DI - read - write - send via email - ... - ID - owner - more properties + DI

47 @leastprivilege Example: Document resource public class DocumentAuthorizationHandler : AuthorizationHandler { public override Task HandleRequirementAsync( AuthorizationHandlerContext context, OperationAuthorizationRequirement operation, Document resource) { // authorization logic } } services.AddTransient(); Add handler in DI:

48 @leastprivilege Invoking the authorization handler public class DocumentController : Controller { private readonly IAuthorizationService _authz; public DocumentController(IAuthorizationService authz) { _authz = authz; } public async Task Update(Document doc) { if (!await _authz.AuthorizeAsync(User, doc, Operations.Update)) { // forbidden return Challenge(); } // do stuff } }

49 @leastprivilege Resources • https://github.com/leastprivilege/ – AspNetCoreSecuritySamples • https://github.com/dotnet – corefx – coreclr • https://github.com/aspnet – home – security – announcements • http://docs.asp.net

50 @leastprivilege thank you!