More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to Asp.Net Identity
Similar to Asp.Net Identity (20)
Recently uploaded
Recently uploaded (20)
Asp.Net Identity
- 1. ASP.Net Identity Marwa Ahmad Software Developer 1
- 2. Content • 01 | Identity Overview • 02 | Locally Authenticated Users • 03 | oAuth and Social Providers • 04 | Two Factor Authentication • 05 | Asp.Net Identity with Webapi • 06 | Identity Tips & Recommendations 2
- 3. 01 | Identity Overview • What is Identity ? • History overview • Architecture of ASP.NET Identity • ASP.NET Identity Customization 3
- 4. What is Identity? o Identity is Users, Authentication, Authorization. It is a claims based system; stores login, roles, claims o Supports claims, roles, custom data stores, individual database backed auth, Oauth/OpenId, Organizational –AD, Azure AD, Single Sign On (SSO), Social Login providers 4
- 5. History Overview Nov 2005 ASP.NET 2.0 – Introducing Membership! • SQL Server, SQL Express Oct 2013 ASP.NET Identity v1 • Completely new model May 2012 Universal Providers (First NuGet) • SQL CE, Azure, one provider to access all SQL Mar 2014 ASP.NET Identity v2 • VS 2013 Update 2. Two factor authN, account lockout, confirmation, reset, etc Aug 2012 Simple Membership • Sourced in Web Pages, came to MVC / Web Forms Oct 2014 (alpha) ASP.NET 5 – Identity v3 • VS 2013 Update 3. Changes to work with ASP.NET 5 5
- 6. ASP.NET Identity Architecture o Consists of Managers & Stores o Managers o High-level classes; not concerned with how user info is stored, registering new users, validating credentials and loading user information o Ex: SigninManager, RoleManager, UserManager 6
- 7. ASP.NET Identity Architecture (cont.) • Stores o Deals with DAL; CRUD functionality o Closely coupled with the persistence mechanism o By default EF Code First used to create tables SQL Server o Implementations available for Azure Table Storage, RavenDB and MongoDB 7
- 8. ASP.NET Identity Architecture (cont.) 8 • Based on Owin & EF
- 9. ASP.NET Identity Architecture (cont.) • EF default implementation of users & roles 9
- 10. ASP.NET Identity Customization • Customize the user store the same applies to role store 10
- 11. ASP.NET Identity Customization (cont.) • Interfaces to implement when customizing user store 11
- 12. Content • 01 | Identity Overview • 02 | Locally Authenticated Users • 03 | oAuth and Social Providers • 04 | Two Factor Authentication • 05 | Asp.Net Identity with Webapi • 06 | Identity Tips & Recommendations 12
- 13. 02 | Locally Authenticated Users • What are locally authenticated users? o Uses DB to authenticate; no third party i.e. authentication is on the same server (AspNetUsers table) • Customizing the SQL database & entities ApplicationUser : IdentityUser • Customizing the type of user store o Create your own UserStore and IdentityUser. RoleStore as well if you want that. Storage provider custom implementations exist(MySql, Azure Table Storage, RavenDB, etc 13
- 14. Content • 01 | Identity Overview • 02 | Locally Authenticated Users • 03 | oAuth and Social Providers • 04 | Two Factor Authentication • 05 | Asp.Net Identity with Webapi • 06 | Identity Tips & Recommendations 14
- 15. 03 | oAuth and Social Providers • What is oAuth? o oAuth is a protocol o The protocol allows for third party applications to access resources without users giving credentials to third party o Supports desktop, web, mobile, etc • How does Identity use oAuth? • Integrating with social/other providers 15
- 16. 03 | oAuth and Social Providers (cont.) • How does Identity use oAuth? 16
- 17. Content • 01 | Identity Overview • 02 | Locally Authenticated Users • 03 | oAuth and Social Providers • 04 | Two Factor Authentication • 05 | Asp.Net Identity with Webapi • 06 | Identity Tips & Recommendations 17
- 18. 04 | Two Factor Authentication 18
- 19. Content • 01 | Identity Overview • 02 | Locally Authenticated Users • 03 | oAuth and Social Providers • 04 | Two Factor Authentication • 05 | Asp.Net Identity with Webapi • 06 | Identity Tips & Recommendations 19
- 20. Asp.Net Identity with Webapi • Webapi2 Security AutheN Bearer Token tutorial; useful video; 2 mins only! • Works with Framework 4.5, AspNet.Identity.Core 2.2.1, AspNet.Identity.EntityFramework 2.2.1, AspNet.Identity.WebApi 5.2.3 • Steps: • Create new Webapi project with Individual account authentication type • Run the project • Use Fiddler, call the Register endpoint; Ex: http://localhost:8070/api/Account/Register Request post body: then excute {"Email": “myemail@gmail.com", "Password": "Pa$$w0rd", "ConfirmPassword": "Pa$$w0rd"} • User fiddler: http://localhost:8070/token Request body: username=myemail@gmail.com&grant_type=password&Password=Pa$$w0rd • Now you are authorized to user any endpoint which requires [Authorize] 20
- 21. Asp.Net Identity with Webapi 21
- 22. Content • 01 | Identity Overview • 02 | Locally Authenticated Users • 03 | oAuth and Social Providers • 04 | Two Factor Authentication • 05 | Asp.Net Identity with Webapi • 06 | Identity Tips & Recommendations 22
- 23. 05 | Identity Tips & Recommendations • Utilize SSL everywhere. Never run without it o Attacker on network can steal your cookies and hijack your session o Yes, even login page needs to be protected o Any page user can access while logged in should be protected • Enforce a strong password policy! o Increase default values on manager.PasswordValidator • Use Xsrf tokens everywhere for post methods • Do not allow for unlimited login attempts o Brute forcers dream. • Two factor authentication highly recommended • Caution – be wary of email as a second factor authentication 23
- 24. Finally What’s Next? • ASP.NET vNext (ASP.NET 5) being in development, Katana is slowly getting retired. Version 3.0 will most likely be last major release of Katana as a standalone framework • vNext is the successor to Katana (which is why they look so similar). Katana was the beginning of the break away from System.Web and to more modular components for the web stack. You can see vNext as a continuation of that work plus (new CLR, new Project System, new http abstractions)* David Fowler vNext Architect • Everything that exists today in Katana will make it's way into vNext • ASP.NET vNext will be supported by .NET Framework 4.6 24
- 25. References • Customizing asp.net authentication with Identity • Securing web applications using asp.net identity • Introduction to asp.net identity • Creating web project; authentication modes • Overview of custom storage provider of asp.net identity • Asp.net identity releases • Owin & Katana simplified • Individual accounts in Webapi • AspNet Identity 2.1 with AspNet WebApi 2.2; Accounts managemenet • AspNet Identity 2.0 & WebApi- Customizing Identity Models & implementing Role-based Authorization 25
- 26. 26
Editor's Notes
- *Claims: Key-Value pair per user; Role is single value “Admin” Much more info about user as the user delivers claim to your app Ex “Facebook Access Token”, “CAAVl6UvghVkBAIGZB… *Single Sign On (SSO): User provides same credentials multiple services. User provides credentials once multiple services.
- IdentityUser an EF implementation, EmailService, SmsService (twilio sms)
- OWIN itself does not have any tools, libraries or anything else. It is just a specification. OWIN is not a framework. OWIN is a specification on how web servers and web applications should be built in order to decouple one from another and allow movement of ASP.NET applications to environments where at the current state it is not possible.
- public class IdentityUser : IUser<int> { public IdentityUser() { ... } public IdentityUser(string userName) { ... } public int Id { get; set; } public string UserName { get; set; } // can also define optional properties such as: // PasswordHash // SecurityStamp // Claims // Logins // Roles } public class UserStore : IUserStore<IdentityUser, int> { public UserStore() { ... } public UserStore(ExampleStorage database) { ... } public Task CreateAsync(IdentityUser user) { ... } public Task DeleteAsync(IdentityUser user) { ... } public Task<IdentityUser> FindByIdAsync(int userId) { ... } public Task<IdentityUser> FindByNameAsync(string userName) { ... } public Task UpdateAsync(IdentityUser user) { ... } public void Dispose() { ... } }
- *Reconfigure application to use new storage provider : Replace default storage provider in MVC project http://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity
- Several custom implementations exist for storage providers ASP.NET Identity Recommended Resources Overview of Custom Storage Providers for ASP.NET Identity
- Integrating with social/other providers (Demo + ..) Works with oAuth 2.0 We’re making the OpenIDConnect middleware more generic to support more providers We’ve added a generic OAuth2 middleware that works with many different providers https://github.com/aspnet/Security/blob/dev/samples/SocialSample/Startup.cs#L116
- AspNetUserLogin table Tracks provider name Tokens are not stored Your app requests a request token, gets one and URL User goes to URL (with token) and authenticates & allows app oAuth provider redirects back to your ‘success’ page with Your code parses access token, potentially stores it If user doesn’t have an account, prompt them to register with email (so we have something on hand). We could change code to auto create. All requests to protected resources are done with access token that is stored in AspNetUserClaims
- *totp: Time-based One-time Password Algorithm is an algorithm that computes a one-time password from a shared secret key and the current time. When developing remember… Adding the phone number triggers the first verification No phone #? SmsService code will never be called Debug – you may not have all the code you need Email will only be available if it’s verified
- Identity is not multi-tenant or multi-app Use SSO with Azure for multi tenant https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet Shared across apps via shared sql db with identity tables **It’s extensible** AspNet.Identity.EntityFramework.Multitenant on github
- ASP.NET vNext will be built on top of .NET Core 5. .NET Core 5 is lightweight factored version of .NET Framework, designed to support goals of ASP.NET 5 and .NET Native.