Slide 1

Token Authentication in ASP.NET Core
Nate Barbettini, @nbarbettini

Slide 2

Welcome!

Agenda
• Stormpath 101 (5 mins)
• Get Started with iOS (40 mins)
• Q&A (10 mins)

Remy Champion, Marketing
Nate Barbettini, .NET Developer Evangelist

Slide 3

Speed to Market & Cost Reduction
• Complete Identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance

Slide 4

Stormpath User Management

Slide 5

Overview
● How Sessions Work (And Why They Suck)
● How Token Authentication Works
● Tokens + ASP.NET Core

Slide 6

How Sessions Work

Browser                                                          ASP.NET (+ Session Store)
  (1) POST /login  (Log In: [email protected] / MySecretPassword123!)   -->
  (2)              <--  200 OK  Set-Cookie: session=dh7jWkx8fj;
  (3) GET /profile  Cookie: session=dh7jWkx8fj;  (Open Profile Page)       -->
  (4)              <--  200 OK  (Profit!)

Slide 7

Drawbacks of Sessions
● Scaling is hard
● Doesn’t work with mobile

Slide 8

How Token Authentication Works

Browser                                                          ASP.NET
  (1) POST /login  (Log In: [email protected] / MySecretPassword123!)   -->
  (2)              <--  200 OK  eyJ0eXAiOiJKV...
      Stored token: eyJ0eXAiOiJKV...
  (3) GET /profile  Authorization: Bearer eyJ0eXAiOiJKV...  (Open Profile View)   -->
  (4)              <--  200 OK  (Profit!)

Slide 9

Advantages of Tokens
● Stateless!
● Works on both web and mobile
● Flexible

Slide 10

Anatomy of JSON Web Tokens
● A JWT is a JSON object that’s been stringified and base64-encoded:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NjU1ODAwNzEsImV4cCI6MTQ5NzExNjA3NywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoibmF0ZUBleGFtcGxlLmNvbSIsImlzQXdlc29tZSI6InRydWUiLCJwcm92aWRlcyI6WyJzdGF0ZWxlc3MiLCJhdXRoZW50aWNhdGlvbiJdfQ.VXrLbyQeJfDmwTAg-JnRsyD23RYMQJshTx79z2STu0U

Red (first dot-separated segment) = Header
Blue (second segment) = Payload (“claims”)
Green (third segment) = Cryptographic signature (JWS)

Slide 11

Anatomy of JSON Web Tokens

Header:
    {
      typ: "JWT",
      alg: "HS256"
    }

Body:
    {
      iss: "Online JWT Builder",
      iat: 1465580071,
      exp: 1497116077,
      aud: "www.example.com",
      sub: "nate@example.com",
      isAwesome: "true",
      provides: [ "stateless", "authentication" ]
    }

Slide 12

Token Security
● Cryptographically signed by the server
● Signature guarantees it hasn’t been forged or altered

Slide 13

Token Security
● Token expiration (exp claim) and not-before (nbf claim)
● Optional token revocation using a nonce (jti claim)
● Use HTTPS (TLS) everywhere!
● Store tokens securely
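The four slides above (anatomy, signature, exp/nbf, jti) worked through in code. This is an added example written for this page, not code from the talk or from Stormpath; it uses only the Python standard library. It decodes the token printed on the Anatomy slide (its signing key is not given, so only its structure can be checked), then mints a fresh HS256 token with a constructed key and claims and runs the same checks the ASP.NET Core JwtBearer middleware performs: signature, issuer, audience, exp, nbf, plus a jti revocation list. The key, claims and issuer/audience strings are this example's own.

```python
"""JWT anatomy and HS256 verification using only the Python standard library (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Collection, Dict, Optional, Tuple

# The example token from the "Anatomy of JSON Web Tokens" slide: header.payload.signature
SLIDE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NjU1ODAwNzEsImV4cCI6MTQ5NzExNjA3NywiYXVkIjoid3d3"
    "LmV4YW1wbGUuY29tIiwic3ViIjoibmF0ZUBleGFtcGxlLmNvbSIsImlzQXdlc29tZSI6InRydWUiLCJwcm92aWRlcyI6WyJzdGF0ZWxlc3MiLCJhdXRoZW50aWNhdGlvbiJdfQ."
    "VXrLbyQeJfDmwTAg-JnRsyD23RYMQJshTx79z2STu0U"
)


class TokenError(Exception):
    """Raised when a token must be rejected; the message is the reason."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the trailing '=' padding stripped (RFC 7515 section 2)
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into (header, claims) WITHOUT checking the signature.

    Anyone can do this: a JWT is encoded, not encrypted, so claims must never hold secrets.
    """
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(key: bytes, claims: Dict) -> str:
    """Mint a compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    def compact(obj: Dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact({"typ": "JWT", "alg": "HS256"}) + "." + compact(claims)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                 revoked_jtis: Collection[str] = (), now: Optional[float] = None) -> Dict:
    """Return the claims if the token is authentic and currently valid, else raise TokenError.

    Same checks as IssuerSigningKey / ValidateLifetime / ValidIssuer / ValidAudience in
    TokenValidationParameters, plus a jti revocation list (the "nonce" on the slide).
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise TokenError("malformed token") from None
    # The server decides the algorithm; a token announcing a different one is rejected outright
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    # Only once the signature holds are the claims worth reading
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    if claims.get("jti") in revoked_jtis:
        raise TokenError("revoked")
    return claims


def validate(token: str, key: bytes, issuer: str, audience: str,
             revoked_jtis: Collection[str] = (), now: Optional[float] = None) -> str:
    """Convenience wrapper returning "ok" or the rejection reason."""
    try:
        verify_hs256(token, key, issuer, audience, revoked_jtis, now)
        return "ok"
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    print("slide token:", decode_unverified(SLIDE_TOKEN))
    # Constructed demo key and claims; the slide's own signing key is unknown, so only a token we mint can be verified
    KEY = b"constructed-demo-key-not-for-production"
    issued = sign_hs256(KEY, {"iss": "MyApplication", "aud": "https://app.example.com",
                              "sub": "nate@example.com", "jti": "demo-1", "nbf": 1000, "exp": 1300})
    print("fresh:", validate(issued, KEY, "MyApplication", "https://app.example.com", now=1100))
    print("after exp:", validate(issued, KEY, "MyApplication", "https://app.example.com", now=1300))
    print("revoked:", validate(issued, KEY, "MyApplication", "https://app.example.com", {"demo-1"}, now=1100))
```

The order of checks is the point: signature first, claims only afterwards, and the algorithm pinned by the verifier rather than read from the token. The jti list is what "optional revocation" costs you: a small piece of server-side state, which is the one thing stateless tokens otherwise avoid.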

Slide 14

Where to Store Tokens?
● On mobile: local device storage, sent via HTTP headers
● On the web: cookies, or HTML5 web storage (via HTTP headers)

Slide 15

Where to Store Tokens?
● HTML5 web storage: vulnerable to XSS (cross-site scripting)
● Cookies: not vulnerable to XSS
  ○ Set the HttpOnly and Secure flags
  ○ Still need to protect against CSRF
● More info: Stormpath blog
  https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
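The two storage options from the last two slides as the server sees them, as an added example that is not code from the talk or from Stormpath. It builds the Set-Cookie values a login response would send (HttpOnly and Secure as on the slide) and a request authorizer that accepts either an Authorization: Bearer header (mobile, or web storage sent via a header) or the cookie (web). Because the browser attaches cookies to cross-site requests on its own, the cookie path also requires a double-submit CSRF token on state-changing requests; that technique, the exemption of GET/HEAD/OPTIONS, the cookie names and the X-CSRF-Token header name are this example's assumptions, since the slide only says CSRF still needs protecting against. Requests are plain dicts constructed here.

```python
"""Cookie vs header transport for a JWT, with a CSRF check on the cookie path (added example)."""
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed names for this example; any names work as long as client and server agree
TOKEN_COOKIE = "access_token"
CSRF_COOKIE = "csrf_token"
CSRF_HEADER = "x-csrf-token"          # compared case-insensitively below
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # assumed not to change state, so no CSRF check


def login_response_cookies(token: str, max_age_seconds: int) -> List[str]:
    """Set-Cookie values a login response sends when the JWT is kept in a cookie.

    HttpOnly keeps the token out of reach of page script (the XSS case on the slide),
    Secure keeps it off plain HTTP. The second cookie is deliberately readable: it holds a
    random CSRF token that the page's own script must echo back in a request header.
    """
    csrf = secrets.token_urlsafe(32)
    return [
        f"{TOKEN_COOKIE}={token}; Path=/; Max-Age={max_age_seconds}; HttpOnly; Secure",
        f"{CSRF_COOKIE}={csrf}; Path=/; Max-Age={max_age_seconds}; Secure",
    ]


def parse_cookie_pairs(value: str) -> Dict[str, str]:
    """Parse "a=1; b=2; HttpOnly" into {"a": "1", "b": "2", "HttpOnly": ""}.

    Works for both a request Cookie header and a Set-Cookie value (flags map to "").
    """
    pairs: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            pairs[name] = val
    return pairs


def authenticate(request: Dict) -> Tuple[Optional[str], str]:
    """Pick the JWT out of a request; returns (token or None, reason).

    A client that sends Authorization: Bearer <jwt> (mobile, or web storage) needs no CSRF
    check: browsers never add that header by themselves. A cookie IS attached by the browser
    automatically, so for non-safe methods the CSRF header must match the CSRF cookie.
    Signature and claim checks on the token itself happen after this step.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):].strip()
        return (token, "bearer header") if token else (None, "no token")
    cookies = parse_cookie_pairs(headers.get("cookie", ""))
    token = cookies.get(TOKEN_COOKIE)
    if not token:
        return None, "no token"
    if request.get("method", "GET").upper() in SAFE_METHODS:
        return token, "cookie, safe method"
    sent = headers.get(CSRF_HEADER, "")
    expected = cookies.get(CSRF_COOKIE, "")
    if sent and expected and secrets.compare_digest(sent, expected):
        return token, "cookie, csrf ok"
    return None, "csrf check failed"


if __name__ == "__main__":
    set_cookies = login_response_cookies("hdr.pld.sig", 300)   # constructed token value
    for line in set_cookies:
        print("Set-Cookie:", line)
    csrf = parse_cookie_pairs(set_cookies[1])[CSRF_COOKIE]
    cookie = f"{TOKEN_COOKIE}=hdr.pld.sig; {CSRF_COOKIE}={csrf}"
    print(authenticate({"method": "POST", "headers": {"Cookie": cookie}}))
    print(authenticate({"method": "POST", "headers": {"Cookie": cookie, "X-CSRF-Token": csrf}}))
```

Note what HttpOnly does and does not buy: script injected by XSS cannot read the token cookie, but it can still make requests from the page that the browser will decorate with it, which is why the token should stay short-lived (the five-minute expiry in the generation code later in the deck) whichever storage you pick.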

Slide 16

Generating Tokens in ASP.NET Core
● This functionality was included in ASP.NET, but was removed from ASP.NET Core.
● The community has stepped up to build this functionality:
  ○ Stormpath ASP.NET Core plugin
  ○ Thinktecture IdentityServer4
  ○ AspNet.Security.OpenIdConnect.Server
  ○ OpenIddict

Slide 17

Generating Tokens in ASP.NET Core
● Basic JWT creation: JwtSecurityTokenHandler

    using System;
    using System.Security.Claims;
    using System.IdentityModel.Tokens.Jwt;

    // Issue-time claims: the subject, and a unique token id (jti) that a revocation list can key on
    var now = DateTime.UtcNow;
    var claims = new Claim[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, username),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
    };

    // Create the JWT and write it to a string
    // (_options holds the issuer, audience and signing credentials configured for the app)
    var jwt = new JwtSecurityToken(
        issuer: _options.Issuer,
        audience: _options.Audience,
        claims: claims,
        notBefore: now,                              // nbf claim
        expires: now.Add(TimeSpan.FromMinutes(5)),   // exp claim: short-lived
        signingCredentials: _options.SigningCredentials);
    var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);

Slide 18

Generating Tokens in ASP.NET Core
● Nate’s simple example on Github: https://github.com/nbarbettini/SimpleTokenProvider

Slide 19

Validating Tokens in ASP.NET Core
● Validating incoming Bearer (HTTP header) tokens is easy!

    using System.Text;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.IdentityModel.Tokens;

    // Demo key only: a real app loads the key from configuration or a secret store, never from source
    var mySecretKey = new SymmetricSecurityKey(
        Encoding.ASCII.GetBytes("mysupersecret_secretKey!123"));

    // ASP.NET Core 1.x middleware registration (in Startup.Configure)
    app.UseJwtBearerAuthentication(new JwtBearerOptions()
    {
        AutomaticAuthenticate = true,
        TokenValidationParameters = new TokenValidationParameters()
        {
            IssuerSigningKey = mySecretKey,              // signature must verify under this key
            ValidateLifetime = true,                     // enforces the exp and nbf claims
            ValidIssuer = "MyApplication",               // iss claim must match
            ValidAudience = "https://app.example.com",   // aud claim must match
        }
    });

Slide 20

Validating Tokens in ASP.NET Core
● JWTs in cookies? See SimpleTokenProvider on Github.

Slide 21

About Stormpath
● Hosted user identity and authentication/authorization API
● Token generation and authentication
● Single Sign-On across multiple applications
● Multi-tenant support for SaaS applications
● Free (forever) developer tier

Slide 22

Q&A

Token authentication in ASP.NET Core tutorial
https://stormpath.com/blog/token-authentication-asp-net-core
Stormpath + ASP.NET Core quickstart
https://docs.stormpath.com/dotnet/aspnetcore/latest/quickstart.html
Web storage vs. cookies
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
Nate’s SimpleTokenProvider sample
https://github.com/nbarbettini/SimpleTokenProvider

Slide 23

Thank you!
Nate Barbettini, @nbarbettini
recaffeinate.co .ws