This document summarizes a presentation on authentication and authorization in ASP.NET Core 2. It discusses identity and principal objects, claims-based authentication, middleware, and local and external logins. OAuth 2.0 and OpenID Connect are covered, including flows like client credentials, authorization code, and implicit. Demos show implementing these flows. The document also discusses policy-based authorization and other security concerns like CORS, CSRF, and XSS protection.

1. FUNDAMENTALS OF AUTHENTICATION AND
AUTHORIZATION WITH ASP.NET CORE 2
Presented by Vladimir Bychkov
Email: bychkov@gmail.com
1
NOVA CodeCamp 2019

2. </> NORTHERN VIRGINIA CODECAMP
PLATINUM
GOLD
Hosted by

3. About Vladimir
• VLADIMIR BYCHKOV
• TECHNICAL TEAM LEAD AND PROJECT MANAGER AT EASTBANC TECHNOLOGIES
• EMAIL: BYCHKOV@GMAIL.COM
• LINKEDIN: WWW.LINKEDIN.COM/IN/BYCHKOFF/
WEBSITE: EASTBANCTECH.COM WEBSITE: WWW.KUBLR.COM

4. EastBanc Technologies | Custom Software Development
Custom Software Development.
Based in Georgetown.
We are hiring!

5. 5

6. Part I – Authentication Fundamentals

7. IIdentity & IPrincipal

8. ClaimsIdentity & ClaimsPrincipal

9. DEMO 1 - Claims

10. ASP.NET Core Middleware

11. IAuthenticationService

12. DEMO 2 – ASP.NET Core (Local Logins)

13. Local Logins == Evil

14. DEMO 3 – ASP.NET Core (External/Social Logins)
• PRE-REQUISITES
• REGISTER APP AT ID PROVIDER (GOOGLE/FACEBOOK/ETC.)

15. Part II – Authorization (OAuth 2 and OpenID Connect)
• AUTHORIZATION FOR SERVICE-BASED APPLICATIONS AND APIS
• OAUTH 2.0 / OPENID CONNECT
• LINGO
• CLIENT CREDENTIALS FLOW
• RESOURCE OWNER PASSWORD FLOW
• AUTHORIZATION CODE FLOW / HYBRID FLOW
• IMPLICIT FLOW
• ASP.NET CORE, POLICY-BASED AUTHORIZATION

16. AuthZ for service based apps
• API -> API COMMUNICATIONS
• MOBILE/NATIVE APPS -> API
• 3RD PARTY APP -> API (RESOURCES)
• 3RD PARTY HAS TO STORE PASSWORD
• NO WAY TO LIMIT SCOPE
• CANNOT REVOKE ACCESS (OTHER THAN CHANGING PASSWORD)
• TOKEN-BASED SECURITY
• TOKEN SIGNING/VERIFICATION
• TOKEN EXPIRATION/REVOCATION
• TOKEN FORMAT
• TOKEN DELIVERY

17. OAuth 2.0 - Overview
• OAUTH 2.0 IS THE INDUSTRY-STANDARD PROTOCOL FOR AUTHORIZATION
• INITIAL PURPOSE – GIVE 3RD PARTY SOFTWARE ACCESS ON USER’S BEHALF
• LINGO:
• RESOURCE OWNER
• CLIENT
• AUTHORIZATION SERVER
• RESOURCE SERVER
• AUTHORIZATION GRANT
• ACCESS TOKEN
• SCOPE
• CONSENT

18. OAuth 2.0 - Architecture
Resource owner (User) Client (Relying Party - RP) Resource server (Resources)
Authorization server
(Security Token Service – STS)
Token
TokenGrant
(Credentials)

19. OAuth 2.0 - Grants
Grant type Client type / Use case
Client Credentials For clients, such as web services, acting on their own behalf.
Resource Owner
Password
For trusted native clients where the application and the authorization server belong to the same provider.
Authorization code
Intended for traditional web applications with a backend as well as native (mobile or desktop) applications to
take advantage of single sign-on via the system browser.
Implicit Intended for browser-based (JavaScript) applications without a backend.
Refresh token
A special grant to let clients refresh their access token without having to go through the steps of a code or
password grant again.
JWT bearer
Lets a client in possession of a JSON Web Token (JWT) assertion from one security domain exchange it for an
OAuth 2.0 access token in another domain.
Device code For devices without a browser or with constrained input, such as a smart TV, media console, printer, etc.
Token exchange Lets applications and services obtain an access token in delegation and impersonation scenarios.

20. OAuth 2.0 – Endpoints (SSL required)
• AUTHORIZATION ENDPOINT
• USED TO INTERACT WITH THE RESOURCE OWNER AND OBTAIN AN AUTHORIZATION GRANT. THE
AUTHORIZATION SERVER MUST FIRST VERIFY THE IDENTITY OF THE RESOURCE OWNER.
• TOKEN ENDPOINT
• USED BY THE CLIENT TO OBTAIN AN ACCESS TOKEN BY PRESENTING ITS AUTHORIZATION GRANT OR
REFRESH TOKEN.
• REDIRECTION ENDPOINT (CLIENT)

21. OpenID Connect
• ID TOKEN (JWT)
• DISCOVERY ENDPOINT
• USERINFO ENDPOINT (JSON SCHEMA)
• USES OAUTH 2 FLOWS TO OBTAIN ID TOKENS

22. OpenID Connect Protocol Suite

23. DEMO 4.1 – Client Credentials Flow
https://docs.pivotal.io

24. DEMO 4.2 – Resource Owner Credentials Flow
https://docs.pivotal.io

25. DEMO 4.3 – Authorization Code Flow
https://docs.pivotal.io

26. DEMO 4.4 – Implicit Flow
https://docs.pivotal.io

27. Web Apps – Other security concerns
• HTTPS ALL THE WAY!
• CROSS-SITE REQUEST FORGERY (CSRF)
• ASP.NET CORE 2 INJECTS ANTIFORGERY TOKENS AUTOMATICALLY WHEN USING TAG HELPERS
• BUILT-IN ACTION FILTERS:
• VALIDATEANTIFORGERYTOKEN
• AUTOVALIDATEANTIFORGERYTOKEN
• IGNOREANTIFORGERYTOKEN
• CROSS-SITE SCRIPTING (XSS)
• VALIDATE USER INPUT (FORMS, QUERY STRING, HTTP HEADERS)
• HTML/URL ENCODING

28. Web Apps – Other security concerns (cont.)
• CROSS-ORIGIN REQUESTS (CORS)
• ENABLE CORS AND SET EXPLICIT POLICIES
• SECRET/KEY MANAGEMENT AND DATA PROTECTION
• OPEN REDIRECTS

29. THANK YOU
VLADIMIR BYCHKOV
SOFTWARE CRAFTSMAN
BYCHKOV@GMAIL.COM