TOKEN-BASED SECURITY
FOR WEB APPLICATIONS
USING OAUTH2 AND OPENID CONNECT
Presented by Vladimir Bychkov
Email: bychkov@gmail.com
Tech Talk DC 2019
About Vladimir Bychkov
• SOFTWARE CRAFTSMAN AT EASTBANC TECHNOLOGIES
• LINKEDIN: WWW.LINKEDIN.COM/IN/BYCHKOFF/
• EMAIL: BYCHKOV@GMAIL.COM
• WEBSITE: EASTBANCTECH.COM
• WEBSITE: WWW.KUBLR.COM
EastBanc Technologies | Custom Software Development
Cutting Edge Software Development.
Based in Georgetown.
We are hiring!
www.eastbanctech.com
Agenda
• AUTHORIZATION FOR WEB APPLICATIONS
• OAUTH 2.0
• OPENID CONNECT
• DEMO AUTHORIZATION GRANTS (FLOWS)
• FEDERATED GATEWAY PATTERN
Form-based authentication
Diagram: the user submits Username and Password through a Login form; the Web server answers with
Set-Cookie: id=a3fWa; Secure; HttpOnly
Web server steps:
• Look up user
• Hash+verify password
• Look up authZ info
• Create session
Modern Application Landscape
Diagram labels: Browser, Mobile, Server App; Web App; Web Service, Web Service, Web Service; Enterprise IdP, Social IdP.
Delegated Authorization
Diagram labels: User; Browser; Web Client (Client Frontend, Client Backend); https + cookie; Web Backend (Bank); https + cookie; a Banking Client showing Transactions that asks the user to "Enter PenFed login" (Username, Password).
Problems when the 3rd party collects the user's bank password itself:
• 3rd party has to store password
• No way to limit scope
• Cannot revoke access (other than changing password)
OAuth 2.0 - Overview
• OAUTH 2.0 IS THE INDUSTRY-STANDARD PROTOCOL FOR DELEGATED AUTHORIZATION
• PUBLISHED AS IETF RFC6749 IN OCTOBER 2012
• INITIAL PURPOSE – GIVE 3RD PARTY SOFTWARE ACCESS ON USER’S BEHALF
• LINGO:
• RESOURCE OWNER => USER (HUMAN)
• CLIENT => 3RD PARTY SOFTWARE (APP/SERVICE)
• AUTHORIZATION SERVER => WEB SERVICE (VERIFIES IDENTITY AND ISSUES TOKENS)
• RESOURCE SERVER => WEB SERVICE/API HOSTING PROTECTED RESOURCES
• AUTHORIZATION GRANT (FLOW) => STANDARD PROCESS TO OBTAIN USER’S AUTHORIZATION
• SCOPE => LEVEL OF ACCESS
• CONSENT => USER’S PERMISSION TO GRANT ACCESS
• AUTHORIZATION CODE => TEMP CODE TO OBTAIN ACCESS TOKEN
• ACCESS TOKEN => TEMP AND SCOPED CREDENTIALS TO ACCESS USER’S RESOURCES
OAuth 2.0 – Endpoints (SSL required)
• AUTHORIZATION ENDPOINT
• USED TO INTERACT WITH THE RESOURCE OWNER AND OBTAIN AN AUTHORIZATION GRANT. THE AUTHORIZATION SERVER MUST FIRST VERIFY THE IDENTITY OF THE RESOURCE OWNER.
• TOKEN ENDPOINT
• USED BY THE CLIENT TO OBTAIN AN ACCESS TOKEN BY PRESENTING ITS AUTHORIZATION GRANT OR REFRESH TOKEN.
• REDIRECTION ENDPOINT (CLIENT)
OAuth 2.0 - Protocol Flow
OAuth 2.0 - Architecture
Diagram labels: Resource owner (User); Client (Relying Party - RP); Resource server (Resources); Authorization server (Security Token Service – STS). The client presents a grant (credentials) to the authorization server and receives a token; it then presents the token to the resource server.
OAuth 2.0 - Grants
Grant type => Client type / Use case
• Client Credentials => For clients, such as web services, acting on their own behalf.
• Authorization code w/ PKCE => Intended for traditional web applications with a backend as well as native (mobile or desktop) applications to take advantage of single sign-on via the system browser.
• Resource Owner Password => For trusted native clients where the application and the authorization server belong to the same provider.
• Implicit => Intended for browser-based (JavaScript) applications without a backend.
• Refresh token => A special grant to let clients refresh their access token without having to go through the steps of a code or password grant again.
• Device code => For devices without a browser or with constrained input, such as a smart TV, media console, printer, etc.
• Token exchange => Lets applications and services obtain an access token in delegation and impersonation scenarios.
OpenID Connect
• ID TOKEN (JWT)
• DISCOVERY ENDPOINT
• USER-INFO ENDPOINT (JSON SCHEMA)
• USES OAUTH 2 FLOWS TO OBTAIN ID TOKENS
JWT – JSON Web Token
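An added example (mine, not code from the slides and not IdentityServer's): the checks a resource server makes on a bearer JWT before it answers the demo's GET /identity request. Assumed for the example: an HS256 shared secret for the signature (with an asymmetric key only the signature step changes), issuer http://localhost:5000 and audience api1, all constructed here.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from the slides or from IdentityServer. A resource
# server's checks on a bearer JWT before it answers GET /identity. Assumed for
# the example: HS256 with a shared secret (with an asymmetric key only the
# signature step changes), issuer http://localhost:5000, audience "api1".
ISSUER = "http://localhost:5000"
AUDIENCE = "api1"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, claims: dict) -> str:
    """Stand-in for the token endpoint: header.payload.signature, HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def validate_token(token: str, secret: bytes, now: int, required_scope: str = "api1") -> dict:
    """Resource-server side: raises ValueError on the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the header must never choose how we verify, and an
    # unsigned ("none") token is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))  # only trusted after the signature check
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    scopes = claims.get("scope", [])
    if required_scope not in (scopes.split() if isinstance(scopes, str) else scopes):
        raise ValueError("insufficient scope")
    return claims

def accepts(token: str, secret: bytes, now: int) -> bool:
    try:
        validate_token(token, secret, now)
        return True
    except ValueError:
        return False

def identity_response(claims: dict) -> list:
    """Echo the claims in the shape the demo's /identity endpoint returns."""
    return [{"type": k, "value": str(v)} for k, v in claims.items()]
```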
OpenID Connect Protocol Suite
DEMO – Client Credentials Flow
https://docs.pivotal.io
Step 1: the client requests a token for itself (client id and secret in the Basic header)
POST http://localhost:5000/connect/token
Authorization: Basic Y2xpZW50OnNlY3JldA==
grant_type=client_credentials&scope=api1
Step 2: token response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
{"access_token":"eyJhbGciO…
Step 3: the client calls the API with the bearer token
GET http://localhost:5001/identity
Authorization: Bearer eyJhbGciO…
Step 4: the API returns the caller's claims
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
[{"type":"nbf","value":"1531258758"}, …
DEMO – Resource Owner Credentials Flow
https://docs.pivotal.io
Step 1: the user types Username and Password into the client's own form
Step 2: the client forwards the user's credentials to the token endpoint (client id and secret in the Basic header)
POST http://localhost:5000/connect/token
Authorization: Basic cm8uY2xpZW50OnNlY3JldA==
grant_type=password&username=alice
&password=password&scope=api1
Step 3: token response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
{"access_token":"eyJhbGciO…
Step 4: the client calls the API with the bearer token
GET http://localhost:5001/identity
Authorization: Bearer eyJhbGciO…
Step 5: the API returns the user's claims
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
[{"type":"nbf","value":"1531258758"}, …
DEMO – Authorization Code Flow
https://docs.pivotal.io
Step 1: the browser requests a protected page of the MVC client
GET /Home/Secure
Step 2: the client redirects the browser to the authorization endpoint
HTTP/1.1 302 Found
Location: http://localhost:5000/connect/authorize?
client_id=mvc
&redirect_uri=http://localhost:5002/signin-oidc
&response_type=code id_token
&scope=openid profile api1 offline_access
&response_mode=form_post …
Step 3: the browser follows the redirect
GET /connect/authorize?client_id=mvc&…
Step 4: the authorization server logs the user in and asks for consent, then returns the code to the client's redirection endpoint through an auto-submitted form (response_mode=form_post)
302 /account/login… 302 /account/consent…
HTTP/1.1 200 OK
…
<form method='post' action='http://localhost:5002/signin-oidc'>
<input type='hidden' name='code' value='deba7f4c87….' /> …
<script>(function(){document.forms[0].submit();})();</script>
Step 5: the client backend exchanges the code for tokens
POST http://localhost:5000/connect/token
client_id=mvc&client_secret=secret
&code=deba7f4c87…&grant_type=authorization_code
Step 6: token response
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
{"id_token":…, "access_token":"eyJhbGciO…"
Step 7: the client calls the API with the bearer token
GET http://localhost:5001/identity
Authorization: Bearer eyJhbGciO…
Step 8: the API returns the user's claims
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
[{"type":"nbf","value":"1531258758"}, …
DEMO – Implicit Flow
https://docs.pivotal.io
Authorization Code Interception Attack
RFC7636 - Proof Key for Code Exchange (PKCE)
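An added example (mine, not from the slides and not IdentityServer's implementation): the PKCE code_verifier/code_challenge pair with the S256 method on the client side, and the checks the authorization and token endpoints make, using an in-memory stand-in for the authorization server. The client id mvc and redirect URI http://localhost:5002/signin-oidc from the demo are assumed to be the registered values.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not code from the slides or from IdentityServer: RFC 7636 PKCE
# with the S256 method. AuthorizationServer is a hypothetical in-memory stand-in;
# the client id and redirect URI are the demo's, assumed here to be what the
# client registered with the authorization server.
CLIENT_ID = "mvc"
REDIRECT_URI = "http://localhost:5002/signin-oidc"
REGISTERED_CLIENTS = {CLIENT_ID: {REDIRECT_URI}}  # exact-match allow list per client

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved characters, kept by the client only."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge that travels with the /connect/authorize request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        """Authorization endpoint: after login and consent, issue a code bound to the challenge."""
        if redirect_uri not in REGISTERED_CLIENTS.get(client_id, ()):
            raise ValueError("unregistered redirect_uri")  # never redirect to an unknown URI
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Token endpoint: the code alone is worthless, the matching verifier must be presented."""
        entry = self._codes.pop(code, None)  # single use: a replayed code fails
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry[2]):
            return {"error": "invalid_grant"}
        return {"access_token": "constructed-token-for-" + client_id, "token_type": "Bearer"}

def legitimate_exchange(server):
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    return server.token(CLIENT_ID, REDIRECT_URI, code, verifier)

def exchange_without_verifier(server):
    """Whoever holds only the code (the interception case on the previous slide) cannot redeem it."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    return server.token(CLIENT_ID, REDIRECT_URI, code, make_code_verifier())

def replayed_code(server):
    """A code that was already redeemed is rejected the second time."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    return server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
```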
Web Apps – Other security concerns
• HTTPS ALL THE WAY!
• CROSS-SITE REQUEST FORGERY (CSRF)
• ASP.NET CORE 2+ INJECTS ANTIFORGERY TOKENS AUTOMATICALLY WHEN USING TAG HELPERS
• BUILT-IN ACTION FILTERS:
• VALIDATEANTIFORGERYTOKEN
• AUTOVALIDATEANTIFORGERYTOKEN
• IGNOREANTIFORGERYTOKEN
• CROSS-SITE SCRIPTING (XSS)
• VALIDATE USER INPUT (FORMS, QUERY STRING, HTTP HEADERS)
• HTML/URL ENCODING
Web Apps – Other security concerns (cont.)
• CROSS-ORIGIN REQUESTS (CORS)
• ENABLE CORS AND SET EXPLICIT POLICIES
• SECRET/KEY MANAGEMENT AND DATA PROTECTION
• OPEN REDIRECTS
Federation gateway (Before impl)
Diagram: each ASP.NET Core Web Application runs its own Auth Middleware and talks over the Internet directly to every external identity provider (Google, Facebook, …, Azure AD).
Federation gateway (After impl)
Diagram: the Auth Middleware of each ASP.NET Core Web Application trusts a single STS; only the STS talks over the Internet to the external identity providers (Google, Facebook, …, Azure AD).
THANK YOU
VLADIMIR BYCHKOV
SOFTWARE CRAFTSMAN
BYCHKOV@GMAIL.COM