FUNDAMENTALS OF AUTHENTICATION AND
AUTHORIZATION WITH ASP.NET CORE 2
Presented by Vladimir Bychkov
Email: bychkov@gmail.com
NOVA CodeCamp 2019
About Vladimir
• VLADIMIR BYCHKOV
• TECHNICAL TEAM LEAD AND PROJECT MANAGER AT EASTBANC TECHNOLOGIES
• EMAIL: BYCHKOV@GMAIL.COM
• LINKEDIN: WWW.LINKEDIN.COM/IN/BYCHKOFF/
• WEBSITE: EASTBANCTECH.COM
• WEBSITE: WWW.KUBLR.COM
EastBanc Technologies | Custom Software Development
Custom Software Development.
Based in Georgetown.
We are hiring!
Part I – Authentication Fundamentals
IIdentity & IPrincipal
ClaimsIdentity & ClaimsPrincipal
DEMO 1 - Claims
ASP.NET Core Middleware
IAuthenticationService
DEMO 2 – ASP.NET Core (Local Logins)
Local Logins == Evil
DEMO 3 – ASP.NET Core (External/Social Logins)
• PRE-REQUISITES
• REGISTER APP AT ID PROVIDER (GOOGLE/FACEBOOK/ETC.)
Part II – Authorization (OAuth 2 and OpenID Connect)
• AUTHORIZATION FOR SERVICE-BASED APPLICATIONS AND APIS
• OAUTH 2.0 / OPENID CONNECT
• LINGO
• CLIENT CREDENTIALS FLOW
• RESOURCE OWNER PASSWORD FLOW
• AUTHORIZATION CODE FLOW / HYBRID FLOW
• IMPLICIT FLOW
• ASP.NET CORE, POLICY-BASED AUTHORIZATION
AuthZ for service based apps
• API -> API COMMUNICATIONS
• MOBILE/NATIVE APPS -> API
• 3RD PARTY APP -> API (RESOURCES)
• 3RD PARTY HAS TO STORE PASSWORD
• NO WAY TO LIMIT SCOPE
• CANNOT REVOKE ACCESS (OTHER THAN CHANGING PASSWORD)
• TOKEN-BASED SECURITY
• TOKEN SIGNING/VERIFICATION
• TOKEN EXPIRATION/REVOCATION
• TOKEN FORMAT
• TOKEN DELIVERY
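How the token-based bullets above (signing/verification, expiration) and the policy-based authorization item from the Part II outline fit together on the API side, as an added C# example that is not from the slides or the presenter's demos; the STS address https://sts.example.com, the audience "orders-api" and the scope "orders.read" are assumed placeholders.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// ASP.NET Core 2.x API protected by JWT bearer tokens issued by an external STS.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Assumed STS address. The handler downloads the discovery document and
                // the JWKS signing keys from here, so signatures are verified against the
                // issuer's published keys rather than a secret shared with the API.
                options.Authority = "https://sts.example.com";
                options.RequireHttpsMetadata = true;          // "HTTPS all the way"
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = "https://sts.example.com",
                    ValidateAudience = true,
                    ValidAudience = "orders-api",             // assumed API resource name
                    ValidateIssuerSigningKey = true,          // token signing/verification
                    ValidateLifetime = true,                  // token expiration (exp/nbf)
                    ClockSkew = TimeSpan.FromSeconds(30),     // library default is 5 minutes
                };
            });

        // Policy-based authorization: a request passes only when the token's "scope"
        // claim (one claim, or a space-separated list) contains orders.read.
        services.AddAuthorization(options =>
            options.AddPolicy("ReadOrders", policy =>
                policy.RequireAuthenticatedUser().RequireAssertion(ctx =>
                    ctx.User.FindAll("scope")
                       .SelectMany(c => c.Value.Split(' '))
                       .Contains("orders.read"))));

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // before MVC, so [Authorize(Policy = "ReadOrders")] sees the claims
        app.UseMvc();
    }
}
```

A self-contained JWT cannot be revoked before exp, so the lifetime chosen at the STS is the revocation window; keep it short and rely on refresh tokens for longer sessions.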
OAuth 2.0 - Overview
• OAUTH 2.0 IS THE INDUSTRY-STANDARD PROTOCOL FOR AUTHORIZATION
• INITIAL PURPOSE – GIVE 3RD PARTY SOFTWARE ACCESS ON USER’S BEHALF
• LINGO:
• RESOURCE OWNER
• CLIENT
• AUTHORIZATION SERVER
• RESOURCE SERVER
• AUTHORIZATION GRANT
• ACCESS TOKEN
• SCOPE
• CONSENT
OAuth 2.0 - Architecture
Diagram: Resource owner (User), Client (Relying Party - RP), Resource server (Resources), Authorization server (Security Token Service – STS); edges labelled Grant (Credentials) and Token.
OAuth 2.0 - Grants
Grant type: Client type / Use case
• Client Credentials: For clients, such as web services, acting on their own behalf.
• Resource Owner Password: For trusted native clients where the application and the authorization server belong to the same provider.
• Authorization code: Intended for traditional web applications with a backend as well as native (mobile or desktop) applications to take advantage of single sign-on via the system browser.
• Implicit: Intended for browser-based (JavaScript) applications without a backend.
• Refresh token: A special grant to let clients refresh their access token without having to go through the steps of a code or password grant again.
• JWT bearer: Lets a client in possession of a JSON Web Token (JWT) assertion from one security domain exchange it for an OAuth 2.0 access token in another domain.
• Device code: For devices without a browser or with constrained input, such as a smart TV, media console, printer, etc.
• Token exchange: Lets applications and services obtain an access token in delegation and impersonation scenarios.
OAuth 2.0 – Endpoints (SSL required)
• AUTHORIZATION ENDPOINT
• USED TO INTERACT WITH THE RESOURCE OWNER AND OBTAIN AN AUTHORIZATION GRANT. THE
AUTHORIZATION SERVER MUST FIRST VERIFY THE IDENTITY OF THE RESOURCE OWNER.
• TOKEN ENDPOINT
• USED BY THE CLIENT TO OBTAIN AN ACCESS TOKEN BY PRESENTING ITS AUTHORIZATION GRANT OR
REFRESH TOKEN.
• REDIRECTION ENDPOINT (CLIENT)
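The grants table and the three endpoints above, driven from the client side, as an added C# example that is not from the slides or the presenter's demos: the authorization code grant (authorization endpoint, redirection endpoint, token endpoint) plus the client credentials grant for API -> API calls. The endpoint URLs, client id, client secret, redirect URI and scope are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class OAuthClient
{
    // All URLs, the client id, the secret and the redirect URI are assumed placeholders.
    private static readonly HttpClient Http = new HttpClient();
    private const string AuthorizeEndpoint = "https://sts.example.com/connect/authorize";
    private const string TokenEndpoint = "https://sts.example.com/connect/token";
    private const string ClientId = "web-app";
    private const string ClientSecret = "<client secret loaded from configuration, never hard-coded>";
    private const string RedirectUri = "https://app.example.com/signin-oauth";

    // Unguessable state; store it in the user's session before redirecting.
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
    // Authorization endpoint: the STS authenticates the resource owner, asks for consent, then redirects to RedirectUri with ?code=...&state=...
    public static string BuildAuthorizeUrl(string state, string scope)
    {
        return AuthorizeEndpoint + "?response_type=code"
            + "&client_id=" + Uri.EscapeDataString(ClientId)
            + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri)
            + "&scope=" + Uri.EscapeDataString(scope)
            + "&state=" + Uri.EscapeDataString(state);
    }
    // Redirection endpoint: reject the callback unless state matches the stored value,
    // then present the authorization grant (the code) at the token endpoint.
    public static Task<JObject> ExchangeCodeAsync(string code, string returnedState, string expectedState)
    {
        if (string.IsNullOrEmpty(returnedState) || returnedState != expectedState)
            throw new InvalidOperationException("state mismatch: callback was not started by this app");
        return PostTokenAsync(new Dictionary<string, string>
            { ["grant_type"] = "authorization_code", ["code"] = code, ["redirect_uri"] = RedirectUri });
    }
    // Client credentials grant (API -> API): no resource owner, the client acts on its own behalf.
    public static Task<JObject> RequestClientCredentialsTokenAsync(string scope) =>
        PostTokenAsync(new Dictionary<string, string> { ["grant_type"] = "client_credentials", ["scope"] = scope });
    // Token endpoint: client authenticates with its secret; reply has access_token, token_type, expires_in (+ refresh_token for the code grant).
    private static async Task<JObject> PostTokenAsync(Dictionary<string, string> form)
    {
        form["client_id"] = ClientId;
        form["client_secret"] = ClientSecret;
        var response = await Http.PostAsync(TokenEndpoint, new FormUrlEncodedContent(form));
        response.EnsureSuccessStatusCode();   // a 400 carries an "error" such as invalid_grant
        return JObject.Parse(await response.Content.ReadAsStringAsync());
    }
}
```

The redirect_uri sent to the token endpoint must equal the one used at the authorization endpoint, and both must be pre-registered at the STS; that registration is what stops an authorization code from being delivered to a redirect the client never intended.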
OpenID Connect
• ID TOKEN (JWT)
• DISCOVERY ENDPOINT
• USERINFO ENDPOINT (JSON SCHEMA)
• USES OAUTH 2 FLOWS TO OBTAIN ID TOKENS
OpenID Connect Protocol Suite
DEMO 4.1 – Client Credentials Flow
https://docs.pivotal.io
DEMO 4.2 – Resource Owner Credentials Flow
https://docs.pivotal.io
DEMO 4.3 – Authorization Code Flow
https://docs.pivotal.io
DEMO 4.4 – Implicit Flow
https://docs.pivotal.io
Web Apps – Other security concerns
• HTTPS ALL THE WAY!
• CROSS-SITE REQUEST FORGERY (CSRF)
• ASP.NET CORE 2 INJECTS ANTIFORGERY TOKENS AUTOMATICALLY WHEN USING TAG HELPERS
• BUILT-IN ACTION FILTERS:
• ValidateAntiForgeryToken
• AutoValidateAntiforgeryToken
• IgnoreAntiforgeryToken
• CROSS-SITE SCRIPTING (XSS)
• VALIDATE USER INPUT (FORMS, QUERY STRING, HTTP HEADERS)
• HTML/URL ENCODING
Web Apps – Other security concerns (cont.)
• CROSS-ORIGIN REQUESTS (CORS)
• ENABLE CORS AND SET EXPLICIT POLICIES
• SECRET/KEY MANAGEMENT AND DATA PROTECTION
• OPEN REDIRECTS
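The HTTPS, CSRF, CORS and open-redirect items from these two slides applied in one ASP.NET Core 2.1+ application, as an added C# example that is not from the slides or the presenter's demos; the front-end origin https://spa.example.com, the header name and the controller actions are assumed placeholders.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // CORS: an explicit, named policy with a fixed origin list; no AllowAnyOrigin.
        services.AddCors(options =>
            options.AddPolicy("SpaOnly", policy =>
                policy.WithOrigins("https://spa.example.com")   // assumed front-end origin
                      .WithMethods("GET", "POST")
                      .AllowAnyHeader()));

        // CSRF: AutoValidateAntiforgeryToken as a global filter validates the token on
        // every unsafe verb (POST, PUT, PATCH, DELETE), so no action can forget it.
        services.AddMvc(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

        services.AddAntiforgery(options =>
        {
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // antiforgery cookie only over HTTPS
            options.HeaderName = "X-CSRF-TOKEN";   // JavaScript clients send the token in this header
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();   // "HTTPS all the way"
        app.UseCors("SpaOnly");      // before MVC, so preflight requests are answered with the policy
        app.UseAuthentication();
        app.UseMvc();
    }
}

public class AccountController : Controller
{
    // Open redirect guard: a caller-supplied returnUrl is followed only when it is
    // local to this application; anything else lands on a fixed page.
    [HttpGet]
    public IActionResult ReturnAfterLogin(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl)) return LocalRedirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // Opt a single action out of the global filter, e.g. a server-to-server callback
    // that is not browser-driven and is authenticated by other means.
    [HttpPost, IgnoreAntiforgeryToken]
    public IActionResult Callback() => Ok();
}
```

Razor views encode output by default, which covers the HTML-encoding item for XSS; the remaining input validation (forms, query string, headers) still belongs in model binding and validation attributes.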
THANK YOU
VLADIMIR BYCHKOV
SOFTWARE CRAFTSMAN
BYCHKOV@GMAIL.COM
