Slide 1

MVC 5.1, Web API 2.1, Visual Studio 2013.1: What's new in Security?
Dominick Baier
http://leastprivilege.com
@leastprivilege
think mobile!

Slide 2

Dominick Baier
• Security consultant at thinktecture
• Focus on
  – security in distributed applications
  – identity management
  – access control
  – Windows/.NET security
  – mobile app security
• Microsoft MVP for Developer Security
• ASP.NET Web API Advisor
• dominick.baier@thinktecture.com
• http://leastprivilege.com

Slide 3

Where are we?

Visual Studio <= 2012      Visual Studio 2013         Visual Studio >= 2014/15
ASP.NET WebForms           "One ASP.NET"              One ASP.NET
ASP.NET MVC                WebForms & MVC             OWIN/Katana
ASP.NET Web API            Web API & SignalR          MVC
ASP.NET SignalR            OWIN/Katana                Web API
(Simple) Membership        ASP.NET Identity           SignalR
                                                      ???

Slide 4

OWIN Motivation
• System.Web.dll (aka ASP.NET)
  – 12+ year old web framework
  – Unnamed Microsoft employee on System.Web:
    • "We fix one bug and open seven new ones"
  – Always executes lots of ASP.NET-specific code
https://twitter.com/aeinbu/status/407816285058514944

Slide 5

OWIN Motivation

Slide 6

What is OWIN?

Slide 7

OWIN Specification
• Environment models HTTP request/response
  – IDictionary<string, object>
• All .NET primitives so no framework dependencies
  – Standard set of key/value pairs

Key                        Type
owin.RequestScheme         string
owin.RequestMethod         string
owin.RequestPath           string
owin.RequestBody           Stream
owin.RequestHeaders        IDictionary<string, string[]>
owin.ResponseStatusCode    int
owin.ResponseHeaders       IDictionary<string, string[]>
owin.ResponseBody          Stream

Slide 8

OWIN Architecture
• Host manages process lifetime
• Server hosts HTTP and implements OWIN API
• Middleware are linked components that process requests
• Application code targeting a framework (e.g. Web API)
(diagram: User Agent → Host → OWIN Server → Some Middleware → Some Other Middleware → Application)
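As an added example for slides 7 and 8 (not from the deck), here is a middleware that uses only the OWIN environment dictionary and its standard keys, with no Katana types; the header set, the allowed-method list and the `Startup` class are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Owin;
using AppFunc = System.Func<System.Collections.Generic.IDictionary<string, object>, System.Threading.Tasks.Task>;

// Added example (not from the slides): middleware written against the bare OWIN
// environment dictionary. The header set and the allowed-method list are this
// example's own choices, not part of the OWIN spec.
public class SecurityHeadersMiddleware
{
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "GET", "HEAD", "POST" };
    readonly AppFunc _next;

    public SecurityHeadersMiddleware(AppFunc next) { _next = next; }   // linked to the next component

    public async Task Invoke(IDictionary<string, object> env)
    {
        var method = (string)env["owin.RequestMethod"];
        var responseHeaders = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];

        // Defensive headers on every response that passes through this pipeline
        responseHeaders["X-Content-Type-Options"] = new[] { "nosniff" };
        responseHeaders["X-Frame-Options"] = new[] { "DENY" };

        if (!Allowed.Contains(method))
        {
            env["owin.ResponseStatusCode"] = 405;                 // short-circuit: the app never runs
            responseHeaders["Allow"] = new[] { "GET, HEAD, POST" };
            return;
        }
        await _next(env);                                         // hand over to the next middleware
    }
}

// Katana's builder accepts the raw (AppFunc next) constructor / Invoke(env) convention.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Use<SecurityHeadersMiddleware>();
        app.Run(ctx => ctx.Response.WriteAsync("hello"));
    }
}
```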

Slide 9

What is Katana?
• Microsoft's OWIN implementation
  – https://katanaproject.codeplex.com/
• Set of hosts and servers
  – IIS or self-hosting
• Set of convenience classes
  – OwinContext, OwinRequest, OwinResponse, etc.
  – AppBuilderUseExtensions
  – AuthenticationManager
• Set of middleware for common features
  – Authentication
  – Hosting content (e.g. static files)
  – CORS

Slide 10

Katana == Microsoft.Owin.*

Slide 11

Framework Support
• Many application frameworks support OWIN/Katana
  – Web API
  – SignalR
  – Nancy
  – ServiceStack
  – FubuMVC
  – Simple.Web
  – RavenDB
  – Thinktecture IdentityServer v3
  – (MVC & WebForms)

Slide 12

Hosting Options

Host         Server         Application
IIS          System.Web     e.g. Web API     (IIS today)
Self Host    HttpListener   e.g. Web API     (Self Host)
IIS          Helios         e.g. Web API     (IIS tomorrow)

Slide 13

Katana Authentication
• Katana provides a uniform authentication API
  – available via OwinContext

// Abbreviated: the real interface also has overloads taking AuthenticationProperties.
public interface IAuthenticationManager
{
    ClaimsPrincipal User { get; set; }

    void SignIn(params ClaimsIdentity[] identities);
    void SignOut(params string[] authenticationTypes);

    Task<AuthenticateResult> AuthenticateAsync(string authenticationType);

    void Challenge(params string[] authenticationTypes);
    IEnumerable<AuthenticationDescription> GetAuthenticationTypes();
}

Slide 14

Cookie Middleware
• Forms Authentication replacement

using System;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public void Configuration(IAppBuilder app)
{
    var options = new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies",
        LoginPath = new PathString("/account/login"),
        ExpireTimeSpan = TimeSpan.FromHours(4),
        CookieSecure = CookieSecureOption.Always   // never send the cookie over plain HTTP
    };

    app.UseCookieAuthentication(options);
}
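As an added example for slides 13 and 14 (not from the deck), a Startup that wires up the cookie middleware and then drives it through the IAuthenticationManager from inline middleware; the paths, the "alice" identity and the credential handling are placeholders, and the Microsoft.Owin.Security.Cookies package plus a host are assumed.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example, not from the slides. Paths, the "alice" identity and the
// credential handling are placeholders; assumes Microsoft.Owin.Security.Cookies.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            LoginPath = new PathString("/account/login"),
            ExpireTimeSpan = TimeSpan.FromHours(4),
            SlidingExpiration = false,              // fixed lifetime, no silent renewal
            CookieHttpOnly = true,                  // not readable from script
            CookieSecure = CookieSecureOption.Always
        });

        // Inline middleware (AppBuilderUseExtensions) using the IAuthenticationManager
        app.Use(async (ctx, next) =>
        {
            var auth = ctx.Authentication;
            var path = ctx.Request.Path.Value;

            if (path == "/account/login")
            {
                // Placeholder: a real app renders a form on GET and validates posted credentials.
                var id = new ClaimsIdentity("Cookies");   // must match AuthenticationType above
                id.AddClaim(new Claim(ClaimTypes.Name, "alice"));
                auth.SignIn(id);                          // cookie middleware writes the ticket
                ctx.Response.Redirect("/");
                return;
            }
            if (ctx.Request.User == null || !ctx.Request.User.Identity.IsAuthenticated)
            {
                auth.Challenge("Cookies");                // active middleware turns 401 into a redirect to LoginPath
                ctx.Response.StatusCode = 401;
                return;
            }
            await ctx.Response.WriteAsync("hello " + ctx.Request.User.Identity.Name);
        });
    }
}
```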

Slide 15

External Authentication

Name                 Description
Google               Both OpenID and OAuth2/OpenID Connect
Twitter              OAuth1
Facebook             OAuth2
Microsoft Account    OAuth2
JWT                  Bearer (JSON web token)
ActiveDirectory      Bearer (JWTs from Azure/ADFS3)
Federation*          WS-Federation
OIDC*                OpenID Connect

Yahoo, LinkedIn, Steam, GitHub (https://github.com/owin-middleware/OwinOAuthProviders)
FourSquare, Instagram, Dropbox, Flickr, StackExchange (https://github.com/KatanaContrib)

Slide 16

ASP.NET Identity
• Successor to the dreaded ASP.NET (simple) Membership
  – supports claims
  – supports external sign-ins and account linking
  – supports two-factor authentication
  – no dependencies on ASP.NET
  – more control over user/profile data and persistence
  – separate nuget package / release cycle
• Still room for improvement
  – http://brockallen.com/2014/02/11/introducing-identityreboot/

Slide 17

Packaging
• Microsoft.AspNet.Identity
  – .Core
  – .EntityFramework
  – .Owin
  – .Samples
• Implementations for RavenDB, Redis, CouchDB, Mongo, Azure Table Storage
  – http://odetocode.com/blogs/scott/archive/2014/01/20/implementing-asp-net-identity.aspx

Slide 18

Web API v2.1
• Built-in support for OAuth2 patterns
  – producing & consuming access tokens
  – as a replacement for cookie-based authentication
• More plumbing
  – authentication filters
  – integration with Katana authentication middleware
  – CORS

Slide 19

From Cookies to Tokens
• Web API prefers to avoid cookie authentication
  – Prevents XSRF attacks
• Special message handler to block host authentication
  – SuppressDefaultHostAuthentication
• Web API must ask for authentication when needed
  – HostAuthentication authentication filter
  – Bearer authentication middleware configured as passive

public static void Register(HttpConfiguration config)
{
    // Discard any principal the host (e.g. cookie middleware) already established
    config.SuppressDefaultHostAuthentication();
    // Run the passive "Bearer" middleware only for Web API requests
    config.Filters.Add(new HostAuthenticationFilter("Bearer"));
}

Slide 20

"Embedded" OAuth2 Token Service
• OAuth2 authorization server middleware can emit tokens
  – Supports the protocols of all OAuth2 flows
• OAuth2 bearer token middleware consumes tokens
  – Similar to cookie middleware
(diagram: User Agent → OWIN Host → Bearer MW → Application, with the Authorization Server MW in the same host)
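As an added example for slides 19 and 20 (not from the deck), a Startup that hosts the embedded token service next to a Web API that only accepts bearer tokens; the Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages are assumed, and the client id, user name and password are placeholders.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;
// Added example (not from the slides); assumes Microsoft.Owin.Security.OAuth and
// Microsoft.AspNet.WebApi.Owin. Client id, user name and password are placeholders.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions  // emits tokens
        {
            TokenEndpointPath = new PathString("/token"),
            AllowInsecureHttp = false,                      // token endpoint only over TLS
            Provider = new DemoProvider()
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions  // consumes tokens
        {
            AuthenticationMode = AuthenticationMode.Passive  // only when Web API asks for it
        });
        var config = new HttpConfiguration();
        config.SuppressDefaultHostAuthentication();         // ignore any cookie principal (XSRF)
        config.Filters.Add(new HostAuthenticationFilter("Bearer"));
        app.UseWebApi(config);
    }
}
// Resource owner password flow for one public client with a placeholder credential check.
class DemoProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext ctx)
    {
        string clientId, secret;
        if (ctx.TryGetBasicCredentials(out clientId, out secret) && clientId == "demo-client")
            ctx.Validated();                                // anything else is rejected
        return Task.FromResult(0);
    }
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext ctx)
    {
        if (ctx.UserName != "alice" || ctx.Password != "placeholder-password")
        { ctx.SetError("invalid_grant", "bad credentials"); return Task.FromResult(0); }
        var id = new ClaimsIdentity(new[] { new Claim("sub", ctx.UserName) }, ctx.Options.AuthenticationType);
        ctx.Validated(id);                                  // protected and serialised into the token
        return Task.FromResult(0);
    }
}
```

Controllers still carry [Authorize] to require a token; the HostAuthenticationFilter only establishes the principal from a valid one.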

Slide 21

Switching to a real OAuth2 Authorization Server
(diagram: User Agent talks to (1) the Authorization Server and (2) the OWIN Host → JWT MW → Application; 1…n applications)

Slide 22

Thinktecture AuthorizationServer
• http://thinktecture.github.io

Slide 23

thank you!