SlideShare a Scribd company logo
1 of 57
Download to read offline
ASP.NET Core Security
• Damien Bowden Microsoft MVP
• https://damienbod.com
• @damien_bod
https://github.com/damienbod
ASP.NET Core, OpenID Connect, OAuth, Identity, Azure
Angular, angular-auth-oidc-client npm
Security & Applications today
OpenID Connect, OAuth2
Protecting APIs
Authorization: ASP.NET Core Policies
Security &
Applications
today
Application
Application
Authentication Business
Data Access
Authorization
Identity
Application
Authentication Business
Data Access
Authorization
Identity
Application 2
Authentication Business
Data Access
Authorization
Identity
Application
Authentication Business
Data Access
Authorization
Identity
Application 2
Authentication Business
Data Access
Authorization
Identity
HTTPS everywhere, Certs
WAF
HTTPS everywhere, Certs Protected Zone
WAF
HTTPS everywhere, Certs Protected Zone
Authentication, Authorization, Accounting
Session Protection HTTP headers
HTTPS Certs TLS 1.2, 1.3
WAF Web Application Firewall
Authentication
Authorization
Signout
Session
USE Standards
Don’t implement this yourself, use
certified libs, packages, tested
OAuth2
OpenID Connect Authentication
Authorization
Delegated
OpenID Connect
http://openid.net/connect/
• Standard, Specification
• Authentication and Authorization
• built on top of OAuth2 (access control)
• Identity (Person can have n Identities)
• UserInfo Endpoint
Open ID Connect (OIDC) is
supported by almost all systems.
Azure AD, Azure B2C, OKTA, IdentityServer4, google
accounts, Openiddict, node-oidc-provider
Authentication
Authorization
Signout
Session
OpenID Connect Flows
OAuth2 Flows
http://openid.net/specs/openid-
connect-core-1_0.html
OAuth2 Resource Owner Credentials Flow
OpenID Connect Code flow
OpenID Connect Hybrid flow
OpenID Connect PKCE Authorization Code
Flow RFC 7636
OAuth Device Flow
id token
token (access token)
reference / self contained token
refresh token
scope
Back-Channel
Front-Channel
User Agent
OAuth2 Resource
Owner Credentials
Flow
• MC to MC applications
• trusted client
• grant_type=client_cred
ential&client_id=xxxxx
xxxxx&client_secret=xx
xxxxxxxx
• Limited user cases
OAuth2 Resource Owner Credentials Flow
OpenID Connect
Authorization Code
flow
• Server to server
applications with User
• Can keep secrets, is
trusted
• Client is authenticated
• response_type = code
OIDC Authorization Code flow
OIDC Authorization
Hybrid flow
• Mix of the Code and
Implicit Flow
• Can be used for Web
applications with
server side rendering.
• response_type = code
id_token |
code id_token token |
code token
OIDC Hybrid flow
Native App PKCE
Authorization Code
Flow
RFC 7636
https://tools.ietf.org/html/rfc
7636
Single Page
Applications
Cookies
OIDC Code Flow with
PKCE
OIDC Implicit Flow
OpenID Connect Code flow
with PKCE
• For browser applications, SPAs
• Client is not authenticated, or trusted
• response_type = code
• NO SECRET
OAuth Device Flow
RFC 7636
https://tools.ietf.org/html/dra
ft-ietf-oauth-device-flow-12
https://github.com/damienbod/AspNetCoreHybridFlowWithApi
https://github.com/damienbod/AspNetCoreWindowsAuth
OpenID Connect Hybrid Flow
Code examples
https://github.com/damienbod/AspNetCoreHybridFlowWithApi
https://github.com/damienbod/AspNetCoreWindowsAuth
OAuth2 Resource Owner Credentials Flow
Code examples
Protecting APIs
JWT Bearer Authentication
Introspection
Cookies … not for APIs mostly...
Public APIs
use same access_token
Private APIs, APIs in protected Zones
use a new access_token, not the public access_token
Authorization:
ASP.NET Core
Policies
Authorization is the responsibility of the
Application / API, not the STS.
This can be implemented in an separate
library.
Standard Requirements
Complex Requirements
Policies uses Requirements
Authorization Handlers
Create a Requirement
Make a Handler
Create a Policy
Apply the Policy (Controller)
Apply the Policy (Razor Page)
Apply a Requirement directly
Handler with Resource
ASP.NET Core Policies, Handlers and
Requirements makes it easy to focus
on Authorization
Thank you
@damienbod
https://openid.net/developers/specs/
https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow
https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
https://www.npmjs.com/package/angular-auth-oidc-client
https://openid.net
https://auth0.com/blog/cookies-vs-tokens-definitive-guide
https://www.npmjs.com/package/angular-auth-oidc-client
https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/authenticate
https://scotthelme.co.uk/say-hello-to-security-txt
https://csp-evaluator.withgoogle.com/

More Related Content

Similar to Application Security in ASP.NET Core

How to Build, Manage, and Promote APIs
How to Build, Manage, and Promote APIsHow to Build, Manage, and Promote APIs
How to Build, Manage, and Promote APIs
WSO2
 

Similar to Application Security in ASP.NET Core (20)

DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
Authentication with zend framework
Authentication with zend frameworkAuthentication with zend framework
Authentication with zend framework
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
OAuth 2.0 refresher Talk
OAuth 2.0 refresher TalkOAuth 2.0 refresher Talk
OAuth 2.0 refresher Talk
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with Spring
 
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
 
OpenId Connect in Shibboleth Identity Provider
OpenId Connect in Shibboleth Identity ProviderOpenId Connect in Shibboleth Identity Provider
OpenId Connect in Shibboleth Identity Provider
 
Office Track: SharePoint Apps for the IT Pro - Thomas Vochten
Office Track: SharePoint Apps for the IT Pro - Thomas VochtenOffice Track: SharePoint Apps for the IT Pro - Thomas Vochten
Office Track: SharePoint Apps for the IT Pro - Thomas Vochten
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
How to Build, Manage, and Promote APIs
How to Build, Manage, and Promote APIsHow to Build, Manage, and Promote APIs
How to Build, Manage, and Promote APIs
 
OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018
 
[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven Integration
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
 
DEVNET-1121 Customizing Cisco Video Access for Guests
DEVNET-1121	Customizing Cisco Video Access for GuestsDEVNET-1121	Customizing Cisco Video Access for Guests
DEVNET-1121 Customizing Cisco Video Access for Guests
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 

More from NETUserGroupBern

More from NETUserGroupBern (20)

Large Language Models, Data & APIs - Integrating Generative AI Power into you...
Large Language Models, Data & APIs - Integrating Generative AI Power into you...Large Language Models, Data & APIs - Integrating Generative AI Power into you...
Large Language Models, Data & APIs - Integrating Generative AI Power into you...
 
AAD und .NET
AAD und .NETAAD und .NET
AAD und .NET
 
SHIFT LEFT WITH DEVSECOPS
SHIFT LEFT WITH DEVSECOPSSHIFT LEFT WITH DEVSECOPS
SHIFT LEFT WITH DEVSECOPS
 
Ruby und Rails für .NET Entwickler
Ruby und Rails für .NET EntwicklerRuby und Rails für .NET Entwickler
Ruby und Rails für .NET Entwickler
 
Einführung in RavenDB
Einführung in RavenDBEinführung in RavenDB
Einführung in RavenDB
 
What Doctors Can Teach Us on Continuous Learning
What Doctors Can Teach Us on Continuous LearningWhat Doctors Can Teach Us on Continuous Learning
What Doctors Can Teach Us on Continuous Learning
 
Entity Framework Core - Der Umstieg auf Core
Entity Framework Core - Der Umstieg auf CoreEntity Framework Core - Der Umstieg auf Core
Entity Framework Core - Der Umstieg auf Core
 
Weiches Zeugs für harte Jungs und Mädels
Weiches Zeugs für harte Jungs und MädelsWeiches Zeugs für harte Jungs und Mädels
Weiches Zeugs für harte Jungs und Mädels
 
Änderungen im Cardinality Estimator SQL Server 2014
Änderungen im Cardinality Estimator SQL Server 2014Änderungen im Cardinality Estimator SQL Server 2014
Änderungen im Cardinality Estimator SQL Server 2014
 
Rest Fundamentals
Rest FundamentalsRest Fundamentals
Rest Fundamentals
 
Refactoring: Mythen & Fakten
Refactoring: Mythen & FaktenRefactoring: Mythen & Fakten
Refactoring: Mythen & Fakten
 
AngularJs
AngularJsAngularJs
AngularJs
 
Pragmatische Anforderungen
Pragmatische AnforderungenPragmatische Anforderungen
Pragmatische Anforderungen
 
Einführung in MongoDB
Einführung in MongoDBEinführung in MongoDB
Einführung in MongoDB
 
What the hell is PowerShell?
What the hell is PowerShell?What the hell is PowerShell?
What the hell is PowerShell?
 
Know your warm up
Know your warm upKnow your warm up
Know your warm up
 
BDD mit Machine.Specifications (MSpec)
BDD mit Machine.Specifications (MSpec)BDD mit Machine.Specifications (MSpec)
BDD mit Machine.Specifications (MSpec)
 
Versionskontrolle mit Git
Versionskontrolle mit GitVersionskontrolle mit Git
Versionskontrolle mit Git
 
.NETworking Workshop Design Thinking
.NETworking Workshop Design Thinking.NETworking Workshop Design Thinking
.NETworking Workshop Design Thinking
 
Reaktive Programmierung mit den Reactive Extensions (Rx)
Reaktive Programmierung mit den Reactive Extensions (Rx)Reaktive Programmierung mit den Reactive Extensions (Rx)
Reaktive Programmierung mit den Reactive Extensions (Rx)
 

Recently uploaded

Recently uploaded (20)

The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
 
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
 
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate  AI Earns First Commission in 3 Hours..pdfAuto Affiliate  AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMs
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
 
Abortion Clinic In Stanger ](+27832195400*)[ 🏥 Safe Abortion Pills In Stanger...
Abortion Clinic In Stanger ](+27832195400*)[ 🏥 Safe Abortion Pills In Stanger...Abortion Clinic In Stanger ](+27832195400*)[ 🏥 Safe Abortion Pills In Stanger...
Abortion Clinic In Stanger ](+27832195400*)[ 🏥 Safe Abortion Pills In Stanger...
 

Application Security in ASP.NET Core