ASP.NET Core & MVC 1.0 - What's new in Security

Slide 1

Slide 1 text

ASP.NET Core 1.0 ASP.NET Core 1.0 MVC What's new in Security? Dominick Baier [email protected] http://leastprivilege.com @leastprivilege

Slide 2

Slide 2 text

2 @leastprivilege Dominick Baier • Independent Consultant – Specializing in Identity & Access Control – Working with Software Development Teams (ISVs and in-house) • Creator and Maintainer of IdentityServer OSS Project – OpenID Connect & OAuth 2.0 Implementation ASP.NET – http://identityserver.io [email protected] http://leastprivilege.com slides: https://speakerdeck.com/leastprivilege

Slide 3

Slide 3 text

3 @leastprivilege Where are we? ASP.NET <= 4.5 ASP.NET 4.5 + Katana ASP.NET Core 1.0 System.Web.dll Modules & Handlers ASP.NET WebForms ASP.NET MVC ASP.NET Web API ASP.NET SignalR (Simple) Membership

Slide 4

Slide 4 text

4 @leastprivilege Where are we? ASP.NET =< 4.5 ASP.NET 4.5 + Katana ASP.NET Core 1.0 "System.Web.dll" Modules & Handlers ASP.NET WebForms ASP.NET MVC (Simple) Membership "System.Web.dll" Modules & Handlers ASP.NET WebForms ASP.NET MVC OWIN & Katana ASP.NET Web API ASP.NET SignalR ASP.NET Identity 1/2

Slide 5

Slide 5 text

5 @leastprivilege Middleware Architecture • Middleware are linked components that process requests • Application code targeting a framework (e.g. Web API) Host OWIN Server Some Middleware Some Other Middleware User Agent Application

Slide 6

Slide 6 text

6 @leastprivilege Where are we? ASP.NET =< 4.5 ASP.NET 4.5 + Katana ASP.NET Core 1.0 "System.Web.dll" Modules & Handlers ASP.NET WebForms ASP.NET MVC (Simple) Membership "System.Web.dll" Modules & Handlers ASP.NET WebForms ASP.NET MVC OWIN & Katana ASP.NET Web API ASP.NET SignalR ASP.NET Identity 1/2 .NET Core Re-design X-Plat Inspired by OWIN MVC + Web APIs ASP.NET Identity 3

Slide 7

Slide 7 text

7 @leastprivilege Host ASP.NET Core Architecture • ASP.NET Core is the runtime (hosted by .NET Core) • MVC is Microsoft's primary application framework – combines web UI & API .NET Core ASP.NET Core Middleware Middleware User Agent MVC DI

Slide 8

Slide 8 text

8 @leastprivilege Security Architecture in ASP.NET Core • Everything is based on ClaimsPrincipal – no more custom IPrincipal • Authentication is implemented as middleware – cookies – external authentication • Other security related services – CORS, logging, encoding, anti-forgery • New data protection API • New authorization API

Slide 9

Slide 9 text

9 @leastprivilege Identity & Authentication APIs • The new HttpContext – https://github.com/aspnet/HttpAbstractions/blob/dev/src /Microsoft.AspNetCore.Http.Abstractions/HttpContext.cs • AuthenticationManager – https://github.com/aspnet/HttpAbstractions/blob/dev/src /Microsoft.AspNetCore.Http.Abstractions/Authentication/ AuthenticationManager.cs

Slide 10

Slide 10 text

10 @leastprivilege Cookie Authentication Middleware • Triggered with HttpContext.Authentication.SignInAsync app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Cookies", AutomaticAuthenticate = true, AutomaticChallenge = true, LoginPath = new PathString("/account/login"), AccessDeniedPath = new PathString("/account/forbidden") });

Slide 11

Slide 11 text

11 @leastprivilege Claims Transformation • Per-request manipulation of principal & claims app.UseClaimsTransformation(context => { if (context.Principal.Identity.IsAuthenticated) { CreateApplicationPrincipal(context); } return Task.FromResult(context.Principal); });

Slide 12

Slide 12 text

12 @leastprivilege External Authentication • Triggered with HttpContext.Authentication.ChallengeAsync app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Cookies", ClientId = "43…43", ClientSecret = "3g…Wo" }); * turns external identity automatically into a trusted application cookie

Slide 13

Slide 13 text

13 @leastprivilege External Authentication w/ Callback • HttpContext.Authentication.ChallengeAsync • HttpContext.Authentication.AuthenticateAsync app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Temp", AutomaticAuthenticate = false }); app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Temp" });

Slide 14

Slide 14 text

14 @leastprivilege Generic OAuth 2.0 Middleware • Many "social" providers abuse OAuth 2.0 for login – many incompatible dialects (but similar) • New generic OAuth 2.0 base-middleware makes implementation easier – https://github.com/aspnet- contrib/AspNet.Security.OAuth.Providers • Community provided middleware – LinkedIn, Slack, Spotify, WordPress, Yahoo, Github, Instragram, BattleNet, Dropbox, Paypal, Vimeo…

Slide 15

Slide 15 text

15 @leastprivilege The way forward… Browser Native App Server App "Thing" Web App Web API Web API Web API Security Token Service Authentication, SSO, account linking, federation, social logins…

Slide 16

Slide 16 text

16 @leastprivilege Security Protocols Browser Native App Server App "Thing" Web App Web API Web API Web API OpenID Connect* OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 Security Token Service * *

Slide 17

Slide 17 text

17 @leastprivilege OpenID Connect Middleware • Much improved – support for implicit, code and hybrid flow – support for userinfo endpoint & better token management app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions { AuthenticationScheme = "OIDC", SignInScheme = "Cookies", Authority = "https://demo.identityserver.io", ClientId = "mvc", ClientSecret = "secret" ResponseType = "code id_token", SaveTokens = true });

Slide 18

Slide 18 text

18 @leastprivilege Web API Authentication • Middleware for JWT access tokens built-in – cookies not recommended app.UseOAuthBearerAuthentication(new JwtBearerOptions { Authority = "https://localhost:44300", Audience = "my.api", options.AutomaticAuthenticate = true; });

Slide 19

Slide 19 text

19 @leastprivilege Issuing Tokens • No built-in token issuance middleware anymore • Microsoft recommends IdentityServer (me too) – OpenID Connect and OAuth 2.0 token service* http://github.com/identityserver http://leastprivilege.com/2016/01/11/announcing-identityserver-for-asp-net-5-and-net-core/

Slide 20

Slide 20 text

20 @leastprivilege Data Protection • Who thought this would be a good idea?? For giggles: "https://www.google.com/#q=

Slide 21

Slide 21 text

21 @leastprivilege Key Container Locations • On Azure Web Apps (no encryption) – %HOME%\ASP.NET\DataProtection-Keys • If user profile is loaded (encrypted) – %LOCALAPPDATA%\ASP.NET\DataProtection-Keys • IIS / no profile (encrypted) – Registry HKLM • In-Memory • Manual configuration 2015-05-02T08:20:38.6577127Z 2015-05-02T08:20:38.6424674Z 2015-07-31T08:20:38.6424674Z AQ...g==

Slide 22

Slide 22 text

22 @leastprivilege Authorization • Complete re-write – support for unauthorized vs forbidden – better separation of business code and authorization logic – re-usable policies – resource/action based authorization – DI enabled

Slide 23

Slide 23 text

23 @leastprivilege [Authorize] • Similar syntax – roles still supported* [Authorize] public class HomeController : Controller { [AllowAnonymous] public IActionResult Index() { return View(); } [Authorize(Roles = "Sales")] public IActionResult About() { return View(User); } } * …and who thought that would be a good idea?

Slide 24

Slide 24 text

24 @leastprivilege Authorization policies services.AddAuthorization(options => { options.AddPolicy("SalesSenior", policy => { policy.RequireAuthenticatedUser(); policy.RequireClaim("department", "sales"); policy.RequireClaim("status", "senior"); }); }; [Authorize("SalesSenior")] public IActionResult Manage() { // stuff } Startup Controller

Slide 25

Slide 25 text

25 @leastprivilege Custom Requirements public class JobLevelRequirement : IAuthorizationRequirement { public JobLevel Level { get; } public JobLevelRequirement(JobLevel level) { Level = level; } } public static class StatusPolicyBuilderExtensions { public static AuthorizationPolicyBuilder RequireJobLevel( this AuthorizationPolicyBuilder builder, JobLevel level) { builder.AddRequirements(new JobLevelRequirement(level)); return builder; } }

Slide 26

Slide 26 text

26 @leastprivilege Handling Requirements public class JobLevelRequirementHandler : AuthorizationHandler { private readonly IOrganizationService _service; public JobLevelRequirementHandler(IOrganizationService service) { _service = service; } protected override void Handle( AuthorizationContext context, JobLevelRequirement requirement) { var currentLevel = _service.GetJobLevel(context.User); if (currentLevel == requirement.Level) { context.Succeed(requirement); } } }

Slide 27

Slide 27 text

27 @leastprivilege Resource-based Authorization Subject Object Operation - client ID - subject ID - scopes - more claims + DI - read - write - send via email - ... - ID - owner - more properties + DI

Slide 28

Slide 28 text

28 @leastprivilege Example: Document resource public class DocumentAuthorizationHandler : AuthorizationHandler { public override void Handle( AuthorizationContext context, OperationAuthorizationRequirement operation, Document resource) { // authorization logic } } services.AddTransient(); DI

Slide 29

Slide 29 text

29 @leastprivilege Invoking the authorization handler public class DocumentController : Controller { private readonly IAuthorizationService _authz; public DocumentController(IAuthorizationService authz) { _authz = authz; } public async Task Update(Document doc) { if (!await _authz.AuthorizeAsync(User, doc, Operations.Update)) { // forbidden return new ChallengeResult(); } // do stuff } }

Slide 30

Slide 30 text

30 @leastprivilege …or from a View @{ @using Microsoft.AspNetCore.Authorization @inject IAuthorizationService _authz } @if (await _authz.AuthorizeAsync(User, "SalesOnly")) {

Sales only

}

Slide 31

Slide 31 text

31 @leastprivilege Resources • https://github.com/leastprivilege/ – AspNetCoreSecuritySamples • https://github.com/aspnet – home – security – announcements • http://docs.asp.net

Slide 32

Slide 32 text

32 @leastprivilege thank you!