ASP.NET Core & ASP.NET Core MVC What's new in Security? Dominick Baier [email protected] http://leastprivilege.com @leastprivilege

2 @leastprivilege Dominick Baier • Independent Consultant – Specializing in Identity & Access Control – Working with Software Development Teams (ISVs and in-house) • Creator and Maintainer of IdentityServer OSS Project – OpenID Connect & OAuth 2.0 Implementation ASP.NET – https://identityserver.io [email protected] http://leastprivilege.com slides: https://speakerdeck.com/leastprivilege

3 @leastprivilege The new .NET

4 @leastprivilege Console Application ASP.NET Core Architecture • ASP.NET Core is the HTTP runtime • MVC is Microsoft's primary application framework – combines web UI & API .NET (Core) ASP.NET Core Middleware Middleware User Agent MVC DI

5 @leastprivilege How ASP.NET Core Applications start dotnet run Application.dll ASP.NET Core Module IIS Startup.cs ConfigureServices(… ) Configure(…) start process

6 @leastprivilege Security Architecture in ASP.NET Core • Everything is based on ClaimsPrincipal – no more custom IPrincipal • Authentication is implemented as middleware – cookies – external authentication • Other security related services – CORS, logging, encoding, anti-forgery • New data protection API • New authorization API

7 @leastprivilege Identity & Authentication APIs • The new HttpContext – https://github.com/aspnet/HttpAbstractions/blob/dev/src /Microsoft.AspNetCore.Http.Abstractions/HttpContext.cs • AuthenticationManager – https://github.com/aspnet/HttpAbstractions/blob/dev/src /Microsoft.AspNetCore.Http.Abstractions/Authentication/ AuthenticationManager.cs

8 @leastprivilege Cookie Authentication Middleware • Triggered with HttpContext.Authentication.SignInAsync app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Cookies", LoginPath = new PathString("/account/login"), AccessDeniedPath = new PathString("/account/forbidden") });

9 @leastprivilege Claims Transformation • Per-request manipulation of principal & claims app.UseClaimsTransformation(context => { if (context.Principal.Identity.IsAuthenticated) { CreateApplicationPrincipal(context); } return Task.FromResult(context.Principal); });

10 @leastprivilege External Authentication • In the box – Google, Twitter, Facebook, Microsoft Account – OpenID Connect & JSON Web Tokens • New generic OAuth 2.0 middleware makes on-boarding other proprietary providers easier – LinkedIn, Slack, Spotify, WordPress, Yahoo, Github, Instragram, BattleNet, Dropbox, Paypal, Vimeo… https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers

11 @leastprivilege External Authentication • Triggered with HttpContext.Authentication.ChallengeAsync app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Cookies", ClientId = "43…43", ClientSecret = "3g…Wo" }); * turns external identity automatically into a trusted application cookie

12 @leastprivilege External Authentication w/ Callback • HttpContext.Authentication.ChallengeAsync • HttpContext.Authentication.AuthenticateAsync app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Temp", AutomaticAuthenticate = false }); app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Temp" });

13 @leastprivilege The way forward… Browser Native App Server App "Thing" Web App Web API Web API Web API Security Token Service Authentication, SSO, account linking, federation, social logins…

14 @leastprivilege Security Protocols Browser Native App Server App "Thing" Web App Web API Web API Web API OpenID Connect* OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 Security Token Service * *

15 @leastprivilege OpenID Connect Middleware • Much improved – support for implicit, code and hybrid flow – support for userinfo endpoint & better token management app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions { AuthenticationScheme = "OIDC", SignInScheme = "Cookies", Authority = "https://demo.identityserver.io", ClientId = "mvc", ClientSecret = "secret" ResponseType = "code id_token", SaveTokens = true });

16 @leastprivilege Web API Authentication • Middleware for JWT access tokens built-in – cookies not recommended app.UseJwtBearerAuthentication(new JwtBearerOptions { Authority = "https://localhost:44300", Audience = "my.api", options.AutomaticAuthenticate = true; });

17 @leastprivilege Issuing Tokens • No built-in token issuance middleware anymore • IdentityServer is the recommended replacement – OpenID Connect and OAuth 2.0 token service http://github.com/identityserver

18 @leastprivilege Data Protection • Who thought this would be a good idea?? For giggles: "https://www.google.com/#q=

19 @leastprivilege Key Container Locations • On Azure Web Apps (no encryption) – %HOME%\ASP.NET\DataProtection-Keys • If user profile is loaded (encrypted) – %LOCALAPPDATA%\ASP.NET\DataProtection-Keys • IIS / no profile (encrypted) – Registry HKLM • In-Memory • Manual configuration 2015-05-02T08:20:38.6577127Z 2015-05-02T08:20:38.6424674Z 2015-07-31T08:20:38.6424674Z AQ...g==

20 @leastprivilege Authorization • Complete re-write – support for unauthorized vs forbidden – better separation of business code and authorization logic – re-usable policies – resource/action based authorization – DI enabled

21 @leastprivilege [Authorize] • Similar syntax – roles still supported* [Authorize] public class HomeController : Controller { [AllowAnonymous] public IActionResult Index() { return View(); } [Authorize(Roles = "Sales")] public IActionResult About() { return View(User); } } * …and who thought that would be a good idea?

22 @leastprivilege Authorization policies services.AddAuthorization(options => { options.AddPolicy("ManageCustomers", policy => { policy.RequireAuthenticatedUser(); policy.RequireClaim("department", "sales"); policy.RequireClaim("status", "senior"); }); }; [Authorize("ManageCustomers")] public IActionResult Manage() { // stuff } Startup Controller

23 @leastprivilege Programmatically using policies public class CustomerController : Controller { private readonly IAuthorizationService _authz; public CustomerController(IAuthorizationService authz) { _authz = authz; } public async Task Manage() { var allowed = await _authz.AuthorizeAsync(User, "ManageCustomers"); if (!allowed) return Challenge(); return View(); } }

24 @leastprivilege …or from a View @using Microsoft.AspNetCore.Authorization @inject IAuthorizationService _authz @if (await _authz.AuthorizeAsync(User, "ManageCustomers")) { }

25 @leastprivilege Custom Requirements public class JobLevelRequirement : IAuthorizationRequirement { public JobLevel Level { get; } public JobLevelRequirement(JobLevel level) { Level = level; } } public static class StatusPolicyBuilderExtensions { public static AuthorizationPolicyBuilder RequireJobLevel( this AuthorizationPolicyBuilder builder, JobLevel level) { builder.AddRequirements(new JobLevelRequirement(level)); return builder; } }

26 @leastprivilege Handling Requirements public class JobLevelRequirementHandler : AuthorizationHandler { private readonly IOrganizationService _service; public JobLevelRequirementHandler(IOrganizationService service) { _service = service; } protected override void Handle( AuthorizationContext context, JobLevelRequirement requirement) { var currentLevel = _service.GetJobLevel(context.User); if (currentLevel == requirement.Level) { context.Succeed(requirement); } } }

27 @leastprivilege Resource-based Authorization Subject Object Operation - client ID - subject ID - scopes - more claims + DI - read - write - send via email - ... - ID - owner - more properties + DI

28 @leastprivilege Example: Document resource public class DocumentAuthorizationHandler : AuthorizationHandler { public override Task HandleRequirementAsync( AuthorizationHandlerContext context, OperationAuthorizationRequirement operation, Document resource) { // authorization logic } } services.AddTransient(); Add handler in DI:

29 @leastprivilege Invoking the authorization handler public class DocumentController : Controller { private readonly IAuthorizationService _authz; public DocumentController(IAuthorizationService authz) { _authz = authz; } public async Task Update(Document doc) { if (!await _authz.AuthorizeAsync(User, doc, Operations.Update)) { // forbidden return new ChallengeResult(); } // do stuff } }

30 @leastprivilege Resources • https://github.com/leastprivilege/ – AspNetCoreSecuritySamples • https://github.com/aspnet – home – security – announcements • http://docs.asp.net

31 @leastprivilege thank you!