Securing .NET Core, ASP.NET Core applications

•

0 likes•81 views

NETUserGroupBern

Software

Application Security today
OpenID Connect, OAuth
An introduction to Self Sovereign Identity

WAF
HTTPS everywhere, Certs Protected Zone

Authentication, Authorization, Accounting
Session Protection HTTP headers
HTTPS Certificates TLS 1.2, 1.3
Hosting
GDPR, Data breaches
WAF Web Application Firewall
Security in applications

Authentication
Authorization
Signout
Session

USE Standards
Don’t implement this yourself, use
certified libs, packages, tested

OAuth2
OpenID Connect Authentication
Authorization
Delegated

OpenID Connect
http://openid.net/connect/
• Standard, Specification
• Authentication and Authorization
• built on top of OAuth2 (access control)
• Identity (Person can have n Identities)
• UserInfo Endpoint

Open ID Connect (OIDC) is
supported by almost all systems.
Azure AD, Auth0, OKTA, IdentityServer4, google accounts,
Openiddict, node-oidc-provider, Azure B2C

OpenID Connect
Flows
OAuth2 Flows
http://openid.net/specs/openid-
connect-core-1_0.html
OAuth2 Resource Owner Credentials Flow
OpenID Connect Code flow + PKCE with client secret
OpenID Connect Hybrid flow
OpenID Connect Code flow + PKCE with no secret
OAuth Device Flow
On Behalf Of (OBO) Flow
Azure Managed Identities

id token
token (access token)
reference / self contained token
refresh token
scope
Back-Channel
Front-Channel
User Agent

OAuth2 Resource
Owner Credentials
Flow
• MC to MC applications
• trusted client
• grant_type=client_credenti
al&client_id=xxxxxxxxxx&cli
ent_secret=xxxxxxxxxx
• Limited user cases

OpenID Connect
Authorization Code
flow + PKCE + secret
• Server to server
applications with User
• Can keep secrets, is trusted
• Client is authenticated
• response_type = code

OIDC Hybrid flow
• Mix of the Code and
Implicit Flow
• Can be used for Web
applications with server
side rendering.
• response_type = code
id_token |
code id_token token |
code token

Native App / SPA
Authorization Code
Flow + PKCE
• RFC 7636
• No secret for public clients
• https://tools.ietf.org/html/r
fc7636

Single Page
Applications
• Cookies
• OIDC Code Flow with PKCE
• OIDC Implicit Flow

OpenID Connect Code flow
with PKCE
• For browser applications, SPAs
• Client is not authenticated, or trusted
• response_type = code
• NO SECRET
• Use reference tokens if possible
• When using Refresh tokens, check that the STS supports the
latest fixes,
• Use Revocation!

Difference between Native
APPS and SPA
• Native apps use different Redirect URLs
• Storage for persisting tokens is different
• Native app opens a browser to authenicate
• Refresh tokens stored in the browser (or silent
renew ...)

OAuth Device Flow
• RFC 7636
• https://tools.ietf.org/html/d
raft-ietf-oauth-device-flow-12

OAuth On Behalf of
OBO Flow
• - RFC 6749
• https://tools.ietf.org/html/r
fc6749
• https://docs.microsoft.com/
en-us/azure/active-
directory/develop/v2-oauth2-
on-behalf-of-flow

src: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

src: https://www.youtube.com/watch?v=vYUKC0mZFqI

Similar to Securing .NET Core, ASP.NET Core applications

DotNet 2019 | Hugo Biarge - Autenticación en aplicaciones web y nativas

Plain Concepts

We know and love our authentication standards for the web, yet on mobile we often still resort to usernames & passwords in our apps. This presentation explores OpenID Connect (OIDC) and OAuth 2.0 in the context of mobile apps to see how they decouple authentication logic from your app and promote simpler and more flexible patterns for user authentication and API authorization. This presentation was first given in the London Mobile Security Meetup https://www.meetup.com/London-Mobile-Developer-Security/

Mobile Authentication - Onboarding, best practices & anti-patterns

Pieter Ennes

Shifting security left simplifying security for k8s open shift environments

LibbySchulze

OpenId Connect Protocol

Michael Furman

OpenID Connect "101" Introduction -- October 23, 2018

OpenIDFoundation

Zend server 6 compliance

Yonni Mendes

APIConnect Security Best Practice

Shiu-Fun Poon

Identity is one of the most critical components in all web applications. When not designed correctly, it can lead to security holes, code duplication, and maintenance nightmares. By leveraging technologies like OAuth 2.0, OpenID Connect, and JSON Web Tokens, you can build a robust security model that is scalable across all of your projects. In this session, we will take a dive into the most popular identity solutions that are available today and discuss how they can be utilized by your ASP.NET Core web applications.

Y U No OAuth, Using Common Patterns to Secure Your Web Applications

Jason Robert

OAuth2 Best Practices in Native Apps

Jeff Fontas

Wso2 is integration with .net core

Ismaeel Enjreny

Accessing APIs using OAuth on the federated (WordPress) web

Felix Arntz

Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group

EPC Group

Here you can find the slides that accompany my “SPA Secure Coding Guide”, this presentation go through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web Api backends. It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation. It first introduce general threat modelling before explaining the most current type of attacks Asp.Net Web API are vulnerable to . It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.

Spa Secure Coding Guide

Geoffrey Vandiest

FIDO Technical Overview at FIDO KWG Hackathon

Ki-Eun Shin

Y U No OAuth?!?

Jason Robert

Creating a Sign On with Open id connect

Derek Binkley

Social Single Sign-On with OpenID Connect

James Melville

Authentication with zend framework

George Mihailov

Does the blue team got you feeling down because they are on you like Windows Defender on a Mimikatz binary? Have you lost sleep at night because their logging and alerting levels are so well tuned that if they were vocals, auto-tune couldn’t make them any better? Do you like surprises? Well you are in luck! Over the last few months we’ve been doing a bit of research around various Microsoft “features”, and have mined a few interesting nuggets that you might find useful if you’re trying to be covert on your red team engagements. This talk will be “mystery surprise box” style as we’ll be weaponizing some things for the first time. There will be demos and new tools presented during the talk. So, if you want to win at hide-n-seek with the blue team, come get your covert attack mystery box!

Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...

Beau Bullock

Clef security architecture

jessepollak

Similar to Securing .NET Core, ASP.NET Core applications (20)

DotNet 2019 | Hugo Biarge - Autenticación en aplicaciones web y nativas

Mobile Authentication - Onboarding, best practices & anti-patterns

Shifting security left simplifying security for k8s open shift environments

OpenId Connect Protocol

OpenID Connect "101" Introduction -- October 23, 2018

Zend server 6 compliance

APIConnect Security Best Practice

Y U No OAuth, Using Common Patterns to Secure Your Web Applications

OAuth2 Best Practices in Native Apps

Wso2 is integration with .net core

Accessing APIs using OAuth on the federated (WordPress) web

Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group

Spa Secure Coding Guide

FIDO Technical Overview at FIDO KWG Hackathon

Y U No OAuth?!?

Creating a Sign On with Open id connect

Social Single Sign-On with OpenID Connect

Authentication with zend framework

Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...

Clef security architecture

More from NETUserGroupBern

Large Language Models, Data & APIs - Integrating Generative AI Power into you...

NETUserGroupBern

AAD und .NET

NETUserGroupBern

SHIFT LEFT WITH DEVSECOPS

NETUserGroupBern

Ob ASP.net MVC, NuGet oder die codebasierten Migrationen bei EF – immer mehr Konzepte und Ideen schwappen von Ruby in die .Net Welt. Wieso aber gerade von Ruby? Und was macht Rails so beliebt bei Webentwicklern? Ruby ist wie C# eine objektorientierte Programmiersprache. Damit enden die Gemeinsamkeiten aber schon fast. Die vielen fremden Konzepte und Ansätze machen einen Einstieg in Ruby und Rails nicht gerade einfach. Aber genau in diesen Unterschieden liegen die Stärken und machen Ruby so interessant. Dieser Vortrag gibt einen Überblick über Ruby und Rails und hilft einem sich in dieser ungewohnten Umgebung zu Recht zu finden.

Ruby und Rails für .NET Entwickler

NETUserGroupBern

Bei all dem Hype rund um NoSQL übersieht man gerne wie viele einsatzbereite Produkte darauf warten unser Entwicklerleben zu vereinfachen. Eines dieser Produkte ist RavenDB, eine dokumentenorientierte Datenbank mit Transaktionsunterstützung. Im Gegensatz zu vielen NoSQL-Lösungen ist RavenDB voll in die .Net-Welt integriert. So kann man seine Abfragen mittels LINQ formulieren und muss nicht auf JavaScript setzen. Die grosse Erfahrung von Oren Eini bei der Optimierung von NHibernate und Entity Framework wurden in RavenDB aufgenommen. So hilft eine frühzeitige Erkennung von Select N+1 Abfragen spätere Probleme in der Produktion zu verhindern. Neben diesen Eigenheiten wird uns Johnny Graber auch zeigen was es alles für Einsatzmöglichkeiten gibt. Die Flexibilität von NoSQL gepaart mit der Einfachheit von RavenDB ist dabei keineswegs nur etwas für grosse Firmen wie Google, Facebook oder Twitter - der nächste Prototyp kann davon genauso gut profitieren.

Einführung in RavenDB

NETUserGroupBern

Do you try to keep up with all the new frameworks, patterns and trends in IT? Good luck, it’s an endless stream of things to learn. The good news: software development isn’t the only profession with this problem. Doctors face the same challenges and must keep the safety of patients in mind while working as cost-effective as possible. With much higher stakes, it’s no surprise that medicine is a highly regulated field with explicit rules on the lifelong training – rules that we can use as a source of inspiration for our training. In this session we will look how the doctors in Switzerland organise their continuing medical education, debunk some myths about learning and figure out how we can use our daily work as a jumpstart for improvement.

What Doctors Can Teach Us on Continuous Learning

NETUserGroupBern

Entity Framework Core - Der Umstieg auf Core

NETUserGroupBern

Weiches Zeugs für harte Jungs und Mädels

NETUserGroupBern

Änderungen im Cardinality Estimator SQL Server 2014

NETUserGroupBern

Rest Fundamentals

NETUserGroupBern

Refactoring: Mythen & Fakten

NETUserGroupBern

AngularJs

NETUserGroupBern

Pragmatische Anforderungen

NETUserGroupBern

Einführung in MongoDB

NETUserGroupBern

What the hell is PowerShell?

NETUserGroupBern

Know your warm up

NETUserGroupBern

BDD mit Machine.Specifications (MSpec)

NETUserGroupBern

Versionskontrolle mit Git

NETUserGroupBern

.NETworking Workshop Design Thinking

NETUserGroupBern

Reaktive Programmierung mit den Reactive Extensions (Rx)

NETUserGroupBern

More from NETUserGroupBern (20)

Large Language Models, Data & APIs - Integrating Generative AI Power into you...

AAD und .NET

SHIFT LEFT WITH DEVSECOPS

Ruby und Rails für .NET Entwickler

Einführung in RavenDB

What Doctors Can Teach Us on Continuous Learning

Entity Framework Core - Der Umstieg auf Core

Weiches Zeugs für harte Jungs und Mädels

Änderungen im Cardinality Estimator SQL Server 2014

Rest Fundamentals

Refactoring: Mythen & Fakten

AngularJs

Pragmatische Anforderungen

Einführung in MongoDB

What the hell is PowerShell?

Know your warm up

BDD mit Machine.Specifications (MSpec)

Versionskontrolle mit Git

.NETworking Workshop Design Thinking

Reaktive Programmierung mit den Reactive Extensions (Rx)

Recently uploaded

%in Midrand+277-882-255-28 abortion pills for sale in midrand

masabamasaba

10 Trends Likely to Shape Enterprise Technology in 2024

Mind IT Systems

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

masabamasaba

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

masabamasaba

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

masabamasaba

Technology has taken up space all over the world. From generating content with a single command on ChatGPT to getting your food served by Robots at your favorite restaurant, artificial advancements have ruled every space. Every industry is set to develop top-notch technology in every sector; finance, IT, healthcare, gaming, and banking, with competitive market standards. One of these rapidly growing industries is Mobile App Development. According to the Straits Research report, it is expected to reach USD 583.03 billion at a CAGR OF 12.8% between (2022 and 2030). It clearly shows how mobile app development has become an integral part of the digital landscape and revolutionized technology.

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

ayushiqss

%in Durban+277-882-255-28 abortion pills for sale in Durban

masabamasaba

At TECUNIQUE, we're a stable and steadily growing Indian software services company with over 14 years of industry experience. Specializing in offshore software development and quality assurance services, we've built a reputation for delivering unique and effective solutions to start-ups, software development companies, enterprises, and digital agencies. We pride ourselves on our commitment to excellence and innovation. By blending insightful business domain knowledge with exceptional technical prowess, we craft tailor-made solutions that meet the unique needs of our clients. Our dedicated teams are adept in specific technologies, ensuring seamless integration of skills and delivering reliable, scalable, and high-quality software solutions aligned with our clients' preferences. Bespoke Dedicated Teams: Crafted to meet your specific needs and technology preferences, our dedicated teams are committed to delivering top-notch software solutions. Offshore Software Development: Accelerate your software development and scale up quickly with our 12+ years of expertise in offshore development. Quality Assurance Services: Ensure the quality of your software products with our dedicated teams of experienced QA professionals. IT Staff Augmentation: Overcome skill gaps with our client-centric software team, offering staff augmentation services. Expert Software Services: Unlock our capabilities in custom software development, product development, and quality assurance. Mission and Vision: Our mission at TECUNIQUE is to be the catalyst for our clients' success in the dynamic domain of software development. Rooted in our core values of respect, authenticity, and responsibility, we strive to ease the software outsourcing experience, reducing both time and cost to market for our clients. We envision ourselves as the leading Indian software services company, renowned for our unwavering commitment to excellence and innovation. www.tecunique.com

TECUNIQUE: Success Stories: IT Service provider

mohitmore19

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal.

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

masabamasaba

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In Chinsurah ❤Personal Whatsapp Number Chinsurah Call Girls 8617697112 💦✅. Chinsurah escorts we are avaliable for our all types budget customers with offer great deals in Chinsurah.Call Now our Chinsurah escort service & call girls ... Independent call girls in Chinsurah escorts available 24 hours a day for discreet incall and outcall bookings from trusted call girls - Elis.in. Nitya salvi Chinsurah escorts service agency # Are you looking for sexy call girls ? Call our agency to get you dream independent call girl, ... One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500/in-call, ₹6000/out-call Body to body massage with sex: ₹3000/in-call Full night for one person: ₹7000/in-call, ₹10000/out-call Flexibility Choices and options Lists of many beauty fantasies Turn your dream into reality Perfect companionship Cheap and convenient In-call and Out-call services And many more. WhatsApp Chat: 📞 8617697112 Visit The Website : https://www.nityasalvi.com/

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...

Nitya salvi

InShot proinshot.com stands tall among its peers as the ultimate video editing app, offering simplicity, versatility, and power in one package. With its intuitive interface and comprehensive feature set, InShot caters to both beginners and seasoned editors alike. Whether you're creating content for social media, YouTube, or personal projects, InShot empowers you to unleash your creativity and transform your videos into captivating masterpieces. Join the millions of users who trust InShot https://www.proinshot.com/ for all their video editing needs and discover the difference for yourself!

Exploring the Best Video Editing App.pdf

proinshot.com

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

ADR, or Architecture Decision Record, is a valuable tool in software development for several reasons. It provides a centralized location for documenting and tracking architectural decisions, aiding both current and future team members. ADRs enhance communication among team members by documenting the rationale behind architectural decisions, especially beneficial during onboarding of new team members or when revisiting decisions. They serve as a knowledge base, enabling teams to learn from past decisions and refine their decision-making process. Additionally, ADRs contribute to transparency by helping stakeholders understand the reasons behind specific architectural choices. As with any other tool or process, introducing them into an organization can face several obstacles, and overcoming these challenges is crucial for successful implementation. In this talk I go through some common problems and our way of solving them.

Architecture decision records - How not to get lost in the past

Papp Krisztián

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

masabamasaba

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...

masabamasaba

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

Recently uploaded (20)

%in Midrand+277-882-255-28 abortion pills for sale in midrand

10 Trends Likely to Shape Enterprise Technology in 2024

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

%in Durban+277-882-255-28 abortion pills for sale in Durban

TECUNIQUE: Success Stories: IT Service provider

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...

Exploring the Best Video Editing App.pdf

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

Architecture decision records - How not to get lost in the past

AI & Machine Learning Presentation Template

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...

Microsoft AI Transformation Partner Playbook.pdf

Securing .NET Core, ASP.NET Core applications

1. Securing .NET Core, ASP.NET Core applications • Damien Bowden • https://damienbod.com • @damien_bod

2. Application Security today OpenID Connect, OAuth An introduction to Self Sovereign Identity

3. WAF HTTPS everywhere, Certs Protected Zone

4. WAF HTTPS everywhere, Certs Protected Zone

5. Authentication, Authorization, Accounting Session Protection HTTP headers HTTPS Certificates TLS 1.2, 1.3 Hosting GDPR, Data breaches WAF Web Application Firewall Security in applications

6. Authentication, Authorization, Accounting Session Protection HTTP headers HTTPS Certificates TLS 1.2, 1.3 Hosting GDPR, Data breaches WAF Web Application Firewall ASP.NET Core solutions

7. Authentication Authorization Signout Session

8. USE Standards Don’t implement this yourself, use certified libs, packages, tested

10. OAuth2 OpenID Connect Authentication Authorization Delegated

11. OpenID Connect http://openid.net/connect/ • Standard, Specification • Authentication and Authorization • built on top of OAuth2 (access control) • Identity (Person can have n Identities) • UserInfo Endpoint

12. Open ID Connect (OIDC) is supported by almost all systems. Azure AD, Auth0, OKTA, IdentityServer4, google accounts, Openiddict, node-oidc-provider, Azure B2C

13. Authentication Authorization Signout Session

14. OpenID Connect, OAuth

15. OpenID Connect Flows OAuth2 Flows http://openid.net/specs/openid- connect-core-1_0.html OAuth2 Resource Owner Credentials Flow OpenID Connect Code flow + PKCE with client secret OpenID Connect Hybrid flow OpenID Connect Code flow + PKCE with no secret OAuth Device Flow On Behalf Of (OBO) Flow Azure Managed Identities

16. id token token (access token) reference / self contained token refresh token scope Back-Channel Front-Channel User Agent

17. OAuth2 Resource Owner Credentials Flow • MC to MC applications • trusted client • grant_type=client_credenti al&client_id=xxxxxxxxxx&cli ent_secret=xxxxxxxxxx • Limited user cases

18. OAuth2 Resource Owner Credentials Flow

19. OpenID Connect Authorization Code flow + PKCE + secret • Server to server applications with User • Can keep secrets, is trusted • Client is authenticated • response_type = code

20. OIDC Authorization Code flow

21. OIDC Hybrid flow • Mix of the Code and Implicit Flow • Can be used for Web applications with server side rendering. • response_type = code id_token | code id_token token | code token

22. OIDC Hybrid flow

23. Native App / SPA Authorization Code Flow + PKCE • RFC 7636 • No secret for public clients • https://tools.ietf.org/html/r fc7636

24.

25. Single Page Applications • Cookies • OIDC Code Flow with PKCE • OIDC Implicit Flow

26. OpenID Connect Code flow with PKCE • For browser applications, SPAs • Client is not authenticated, or trusted • response_type = code • NO SECRET • Use reference tokens if possible • When using Refresh tokens, check that the STS supports the latest fixes, • Use Revocation!

27. Difference between Native APPS and SPA • Native apps use different Redirect URLs • Storage for persisting tokens is different • Native app opens a browser to authenicate • Refresh tokens stored in the browser (or silent renew ...)

28.

29.

30.

31. OAuth Device Flow • RFC 7636 • https://tools.ietf.org/html/d raft-ietf-oauth-device-flow-12

32.

33. OAuth On Behalf of OBO Flow • - RFC 6749 • https://tools.ietf.org/html/r fc6749 • https://docs.microsoft.com/ en-us/azure/active- directory/develop/v2-oauth2- on-behalf-of-flow

34. src: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

35. Azure Managed identities

36. src: https://www.youtube.com/watch?v=vYUKC0mZFqI

37. Thank you @damienbod

Securing .NET Core, ASP.NET Core applications

Recommended

Recommended

More Related Content

Similar to Securing .NET Core, ASP.NET Core applications

Similar to Securing .NET Core, ASP.NET Core applications (20)

More from NETUserGroupBern

More from NETUserGroupBern (20)

Recently uploaded

Recently uploaded (20)

Securing .NET Core, ASP.NET Core applications