Slide 1

Slide 1 text

ASP.NET Core & ASP.NET Core MVC What's new in Security? Dominick Baier [email protected] http://leastprivilege.com @leastprivilege

Slide 2

Slide 2 text

2 @leastprivilege Dominick Baier • Independent Consultant – Specializing in Identity & Access Control – Working with Software Development Teams (ISVs and in-house) • Creator and Maintainer of IdentityServer OSS Project – OpenID Connect & OAuth 2.0 Implementation ASP.NET – https://identityserver.io [email protected] http://leastprivilege.com slides: https://speakerdeck.com/leastprivilege

Slide 3

Slide 3 text

3 @leastprivilege The new .NET

Slide 4

Slide 4 text

4 @leastprivilege Console Application ASP.NET Core Architecture • ASP.NET Core is the HTTP runtime • MVC is Microsoft's primary application framework – combines web UI & API .NET (Core) ASP.NET Core Middleware Middleware User Agent MVC DI

Slide 5

Slide 5 text

5 @leastprivilege How ASP.NET Core Applications start dotnet run Application.dll ASP.NET Core Module IIS Startup.cs ConfigureServices(… ) Configure(…) start process

Slide 6

Slide 6 text

6 @leastprivilege Security Architecture in ASP.NET Core • Everything is based on ClaimsPrincipal – no more custom IPrincipal • Authentication is implemented as middleware – cookies – external authentication • Other security related services – CORS, logging, encoding, anti-forgery • New data protection API • New authorization API

Slide 7

Slide 7 text

7 @leastprivilege Identity & Authentication APIs • The new HttpContext – https://github.com/aspnet/HttpAbstractions/blob/dev/src /Microsoft.AspNetCore.Http.Abstractions/HttpContext.cs • AuthenticationManager – https://github.com/aspnet/HttpAbstractions/blob/dev/src /Microsoft.AspNetCore.Http.Abstractions/Authentication/ AuthenticationManager.cs

Slide 8

Slide 8 text

8 @leastprivilege Cookie Authentication Middleware • Triggered with HttpContext.Authentication.SignInAsync app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Cookies", LoginPath = new PathString("/account/login"), AccessDeniedPath = new PathString("/account/forbidden") });

Slide 9

Slide 9 text

9 @leastprivilege Claims Transformation • Per-request manipulation of principal & claims app.UseClaimsTransformation(context => { if (context.Principal.Identity.IsAuthenticated) { CreateApplicationPrincipal(context); } return Task.FromResult(context.Principal); });

Slide 10

Slide 10 text

10 @leastprivilege External Authentication • In the box – Google, Twitter, Facebook, Microsoft Account – OpenID Connect & JSON Web Tokens • New generic OAuth 2.0 middleware makes on-boarding other proprietary providers easier – LinkedIn, Slack, Spotify, WordPress, Yahoo, Github, Instragram, BattleNet, Dropbox, Paypal, Vimeo… https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers

Slide 11

Slide 11 text

11 @leastprivilege External Authentication • Triggered with HttpContext.Authentication.ChallengeAsync app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Cookies", ClientId = "43…43", ClientSecret = "3g…Wo" }); * turns external identity automatically into a trusted application cookie

Slide 12

Slide 12 text

12 @leastprivilege External Authentication w/ Callback • HttpContext.Authentication.ChallengeAsync • HttpContext.Authentication.AuthenticateAsync app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Temp", AutomaticAuthenticate = false }); app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Temp" });

Slide 13

Slide 13 text

13 @leastprivilege The way forward… Browser Native App Server App "Thing" Web App Web API Web API Web API Security Token Service Authentication, SSO, account linking, federation, social logins…

Slide 14

Slide 14 text

14 @leastprivilege Security Protocols Browser Native App Server App "Thing" Web App Web API Web API Web API OpenID Connect* OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 Security Token Service * *

Slide 15

Slide 15 text

15 @leastprivilege OpenID Connect Middleware • Much improved – support for implicit, code and hybrid flow – support for userinfo endpoint & better token management app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions { AuthenticationScheme = "OIDC", SignInScheme = "Cookies", Authority = "https://demo.identityserver.io", ClientId = "mvc", ClientSecret = "secret" ResponseType = "code id_token", SaveTokens = true });

Slide 16

Slide 16 text

16 @leastprivilege Web API Authentication • Middleware for JWT access tokens built-in – cookies not recommended app.UseJwtBearerAuthentication(new JwtBearerOptions { Authority = "https://localhost:44300", Audience = "my.api", options.AutomaticAuthenticate = true; });

Slide 17

Slide 17 text

17 @leastprivilege Issuing Tokens • No built-in token issuance middleware anymore • IdentityServer is the recommended replacement – OpenID Connect and OAuth 2.0 token service http://github.com/identityserver

Slide 18

Slide 18 text

18 @leastprivilege Data Protection • Who thought this would be a good idea?? For giggles: "https://www.google.com/#q=

Slide 19

Slide 19 text

19 @leastprivilege Key Container Locations • On Azure Web Apps (no encryption) – %HOME%\ASP.NET\DataProtection-Keys • If user profile is loaded (encrypted) – %LOCALAPPDATA%\ASP.NET\DataProtection-Keys • IIS / no profile (encrypted) – Registry HKLM • In-Memory • Manual configuration 2015-05-02T08:20:38.6577127Z 2015-05-02T08:20:38.6424674Z 2015-07-31T08:20:38.6424674Z AQ...g==

Slide 20

Slide 20 text

20 @leastprivilege Authorization • Complete re-write – support for unauthorized vs forbidden – better separation of business code and authorization logic – re-usable policies – resource/action based authorization – DI enabled

Slide 21

Slide 21 text

21 @leastprivilege [Authorize] • Similar syntax – roles still supported* [Authorize] public class HomeController : Controller { [AllowAnonymous] public IActionResult Index() { return View(); } [Authorize(Roles = "Sales")] public IActionResult About() { return View(User); } } * …and who thought that would be a good idea?

Slide 22

Slide 22 text

22 @leastprivilege Authorization policies services.AddAuthorization(options => { options.AddPolicy("ManageCustomers", policy => { policy.RequireAuthenticatedUser(); policy.RequireClaim("department", "sales"); policy.RequireClaim("status", "senior"); }); }; [Authorize("ManageCustomers")] public IActionResult Manage() { // stuff } Startup Controller

Slide 23

Slide 23 text

23 @leastprivilege Programmatically using policies public class CustomerController : Controller { private readonly IAuthorizationService _authz; public CustomerController(IAuthorizationService authz) { _authz = authz; } public async Task Manage() { var allowed = await _authz.AuthorizeAsync(User, "ManageCustomers"); if (!allowed) return Challenge(); return View(); } }

Slide 24

Slide 24 text

24 @leastprivilege …or from a View @using Microsoft.AspNetCore.Authorization @inject IAuthorizationService _authz @if (await _authz.AuthorizeAsync(User, "ManageCustomers")) { }

Slide 25

Slide 25 text

25 @leastprivilege Custom Requirements public class JobLevelRequirement : IAuthorizationRequirement { public JobLevel Level { get; } public JobLevelRequirement(JobLevel level) { Level = level; } } public static class StatusPolicyBuilderExtensions { public static AuthorizationPolicyBuilder RequireJobLevel( this AuthorizationPolicyBuilder builder, JobLevel level) { builder.AddRequirements(new JobLevelRequirement(level)); return builder; } }

Slide 26

Slide 26 text

26 @leastprivilege Handling Requirements public class JobLevelRequirementHandler : AuthorizationHandler { private readonly IOrganizationService _service; public JobLevelRequirementHandler(IOrganizationService service) { _service = service; } protected override void Handle( AuthorizationContext context, JobLevelRequirement requirement) { var currentLevel = _service.GetJobLevel(context.User); if (currentLevel == requirement.Level) { context.Succeed(requirement); } } }

Slide 27

Slide 27 text

27 @leastprivilege Resource-based Authorization Subject Object Operation - client ID - subject ID - scopes - more claims + DI - read - write - send via email - ... - ID - owner - more properties + DI

Slide 28

Slide 28 text

28 @leastprivilege Example: Document resource public class DocumentAuthorizationHandler : AuthorizationHandler { public override Task HandleRequirementAsync( AuthorizationHandlerContext context, OperationAuthorizationRequirement operation, Document resource) { // authorization logic } } services.AddTransient(); Add handler in DI:

Slide 29

Slide 29 text

29 @leastprivilege Invoking the authorization handler public class DocumentController : Controller { private readonly IAuthorizationService _authz; public DocumentController(IAuthorizationService authz) { _authz = authz; } public async Task Update(Document doc) { if (!await _authz.AuthorizeAsync(User, doc, Operations.Update)) { // forbidden return new ChallengeResult(); } // do stuff } }

Slide 30

Slide 30 text

30 @leastprivilege Resources • https://github.com/leastprivilege/ – AspNetCoreSecuritySamples • https://github.com/aspnet – home – security – announcements • http://docs.asp.net

Slide 31

Slide 31 text

31 @leastprivilege thank you!