DEVintersection
Session AS17

End-to-End Security for Your Web API and MVC Applications
Michele Leroux Bustamante
michelebusta@solliance.net
Michele Leroux Bustamante
Managing Partner
Solliance (solliance.net)
CEO and Cofounder
Snapboard (snapboard.com)
Microsoft Regional Director
Microsoft MVP
Author, Speaker
Pluralsight courses on the way!
Blog: michelebusta.com
michelebusta@solliance.net
@michelebusta
© DEVintersection. All rights reserved.
http://www.DEVintersection.com
[Diagram: "Hello World!" in 1992 was one program; "Hello World!" in 2013 is a WPF client, Windows Phone 7/8, Windows 8/Surface, iPhone, iPad, Android and mobile browsers all talking to Web API (mobile), Web API (ajax), Web API (business) and an MVC web front end.]
Things are complicated… so we seek simplicity where we can.
[Diagram: "WS* HELL": SOAP, WSDL, WS-Addressing, WS-Federation, WS-ReliableMessaging, WS-PolicyAttachment, OASIS Web Services Security, WS-Coordination, WS-CAF, MTOM, WS-Transfer, WS-Eventing, WS-BusinessActivity, WS-ResourceTransfer, WSRF, DIME.]
Authentication / Authorization Considerations
• Authentication
  - Windows, username/password, certificate
  - WS-Federation, SAML 2.0, OAuth2 with OpenID Connect
• Token formats
  - Windows, Basic
  - SAML 1.1, SAML 2.0, JSON Web Token (JWT), SWT (legacy)
• Authorization
  - Roles, claims, social scenarios and architecture
• Message protection (TLS / SSL / WS*)
[Diagrams: browsers render HTML views and call Web API from JS via ajax; MVC view controllers and Web API controllers sit side by side, either as separate MVC and Web API projects or as combined View/API controllers; WPF clients, Windows clients, Windows, iOS and Android mobile devices and other clients all call the same Web API controllers.]
Wherever possible choose the lowest common denominator.
Demo: WebSecurity and Claims
POINTS: WebSecurity and Claims
• Initialize WebSecurity early (at application start)
• Use ClaimsPrincipal to get all claims (roles are claims too)
• Install AuthorizeAttribute as a global filter; opt out per action with AllowAnonymousAttribute
• Use AuthorizeAttribute to restrict access by role
• Create utilities to streamline use of claims
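The five points above wired into one MVC 4 application, as an added example that is not code from the slides or the demo. WebSecurity is WebMatrix.WebData's SimpleMembership facade; the connection string, table and column names passed to InitializeDatabaseConnection, the ClaimsUtil helper, and the assumption that roles are present on the principal as role claims (the WIF session step of the demo does that) are illustrative.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using WebMatrix.WebData;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Initialize WebSecurity here, not lazily in a filter or controller, so the
        // membership tables exist before the first login request arrives.
        // (assumed: connection string "DefaultConnection", table UserProfile)
        WebSecurity.InitializeDatabaseConnection(
            "DefaultConnection", "UserProfile", "UserId", "UserName", autoCreateTables: true);

        // Default-deny: AuthorizeAttribute applies to every action unless the action
        // or controller opts out with [AllowAnonymous].
        GlobalFilters.Filters.Add(new AuthorizeAttribute());
    }
}

// Utilities so controllers read claims through one place. Roles are claims of type
// ClaimTypes.Role, so the same helpers work for a WIF session cookie or a federated token.
public static class ClaimsUtil
{
    public static ClaimsPrincipal Current
    {
        get { return HttpContext.Current.User as ClaimsPrincipal; }  // ClaimsPrincipal on .NET 4.5
    }

    // Claims (not FindAll) so principals that surface roles through an overridden
    // Claims property are covered too.
    public static string[] Roles(this ClaimsPrincipal principal)
    {
        if (principal == null) return new string[0];
        return principal.Claims.Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToArray();
    }

    public static string ClaimValue(this ClaimsPrincipal principal, string claimType)
    {
        var claim = principal == null ? null : principal.Claims.FirstOrDefault(c => c.Type == claimType);
        return claim == null ? null : claim.Value;
    }

    public static bool HasRole(this ClaimsPrincipal principal, string role)
    {
        return principal.Roles().Any(r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
    }
}

public class AccountController : Controller
{
    // The only anonymous entry point; everything else inherits the global [Authorize].
    [AllowAnonymous, HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        // WebSecurity.Login verifies the hashed password and issues the forms cookie.
        if (WebSecurity.Login(userName, password, persistCookie: false))
        {
            // Follow only local return URLs: an attacker-supplied absolute URL would
            // turn the login page into an open redirector.
            return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
        }
        ModelState.AddModelError("", "Invalid user name or password.");
        return View();
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        WebSecurity.Logout();
        return RedirectToAction("Login");
    }
}

// Role restriction: MVC's AuthorizeAttribute calls IPrincipal.IsInRole, which for a
// ClaimsPrincipal means "has a claim of the identity's RoleClaimType with this value".
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        var user = ClaimsUtil.Current;
        ViewBag.Email = user.ClaimValue(ClaimTypes.Email);
        ViewBag.Roles = string.Join(", ", user.Roles());
        ViewBag.CanAudit = user.HasRole("Auditor");
        return View();
    }
}
```

The global filter is what makes "forgot to add [Authorize]" fail closed; with it in place a reviewer only has to look for [AllowAnonymous] to find every unauthenticated surface.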
Demo: Enabling WIF Sessions
POINTS: WIF Sessions
• Create a custom wrapper around SessionAuthenticationModule
  - Encapsulate cookie write/delete and ClaimsPrincipal creation
• For the Forms redirect, WebSecurity must be enabled
  - On logout, delete both the Forms cookie and the WIF session cookie
• Other WIF best practices
  - Use SSL (require it for the session cookie)
  - Server-side session cookies, i.e. reference mode (cookie size, load balancing)
  - Shared token cache (replay detection, load balancing)
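The wrapper the bullets describe, written as an added example rather than the demo's own code. It assumes SessionAuthenticationModule is registered in web.config under system.identityModel.services, and the class name WifSession, the authentication type string and the role values are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Security;

public static class WifSession
{
    static SessionAuthenticationModule Sam
    {
        get { return FederatedAuthentication.SessionAuthenticationModule; }  // from web.config
    }

    // Call once from Application_Start. Same effect as
    // <cookieHandler requireSsl="true" hideFromScript="true"/> in config.
    public static void Configure()
    {
        Sam.CookieHandler.RequireSsl = true;            // Secure flag: never sent over plain HTTP
        Sam.CookieHandler.HideFromClientScript = true;  // HttpOnly: out of reach of XSS payloads
        // Reference mode keeps the (large) session token server side in the
        // SessionSecurityTokenCache and puts only a key in the cookie. Behind a load
        // balancer that cache must be a shared implementation registered in config;
        // the default in-memory cache is per server, so the next node cannot resolve
        // the key and the user is silently logged out.
        Sam.IsReferenceMode = true;
    }

    // Called right after WebSecurity.Login succeeds: build the ClaimsPrincipal the
    // app wants on later requests and persist it as a WIF session.
    public static ClaimsPrincipal SignIn(string userName, IEnumerable<string> roles, TimeSpan lifetime)
    {
        var identity = new ClaimsIdentity("Forms", ClaimTypes.Name, ClaimTypes.Role);  // assumed auth type
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        var principal = new ClaimsPrincipal(identity);

        // A short absolute lifetime bounds how long a stolen cookie is useful; sliding
        // renewal, if wanted, belongs in a SessionSecurityTokenReceived handler rather
        // than in a longer lifetime here.
        var token = new SessionSecurityToken(principal, lifetime) { IsPersistent = false };
        Sam.WriteSessionTokenToCookie(token);
        return principal;
    }

    // Logout must remove both cookies: FormsAuthentication.SignOut alone leaves a valid
    // WIF session cookie (and vice versa), so the user would stay signed in.
    public static void SignOut()
    {
        FormsAuthentication.SignOut();
        Sam.SignOut();   // raises SigningOut/SignedOut and deletes the session cookie
    }
}
```

Usage: `WifSession.Configure()` from Application_Start, `WifSession.SignIn(userName, roles, TimeSpan.FromHours(1))` after a successful WebSecurity.Login, and `WifSession.SignOut()` from the logout action.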
POINTS: Additional WIF Techniques
• ClaimsAuthenticationManager
  - Transform claims from user authentication into application claims (assumes the app stores them)
• ClaimsAuthorizationManager
  - Use with a custom AuthorizeAttribute
  - See the Thinktecture library
• ClaimsPrincipalPermission
  - DO NOT USE (it throws SecurityException on failure instead of producing a 401/403)
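Both extension points plus the custom AuthorizeAttribute that routes MVC authorization through ClaimsAuthorizationManager, in the same shape the Thinktecture library uses. This is an added example, not the slides' or Thinktecture's code; the in-memory UserStore with its sample subjects, the role names and the "Orders"/"Read" policy are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Stand-in for the app's own user/role store (constructed sample data).
static class UserStore
{
    static readonly Dictionary<string, string[]> RolesBySubject = new Dictionary<string, string[]>
    {
        { "alice@example.com", new[] { "Admin" } },
        { "bob@example.com",   new[] { "Clerk" } },
    };

    public static IEnumerable<string> RolesFor(string subject)
    {
        string[] roles;
        return RolesBySubject.TryGetValue(subject, out roles) ? roles : Enumerable.Empty<string>();
    }
}

// Claims transformation. The WIF federation/session modules call this when a token is
// received; with plain forms login you call Authenticate yourself before writing the
// session cookie. Registered in web.config under
// <identityConfiguration><claimsAuthenticationManager type="..."/>.
public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;   // anonymous stays anonymous

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;
        // Roles are an application decision: drop any role claims the IdP sent and
        // add the ones this app stores for the subject, tagged with their real issuer.
        foreach (var stale in identity.FindAll(ClaimTypes.Role).ToList())
            identity.RemoveClaim(stale);
        foreach (var role in UserStore.RolesFor(identity.Name))
            identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "AppStore"));
        return incomingPrincipal;
    }
}

// Central policy: resource and action arrive as claims on the AuthorizationContext.
public class AppClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        var resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        var action = context.Action.Select(c => c.Value).FirstOrDefault();
        var user = context.Principal;
        if (!user.Identity.IsAuthenticated) return false;
        if (user.HasClaim(ClaimTypes.Role, "Admin")) return true;              // Admin: everything
        if (action == "Read") return true;                                      // anyone signed in may read
        return resource == "Orders" && user.HasClaim(ClaimTypes.Role, "Clerk"); // Clerks may change Orders
    }
}

// What to use instead of [ClaimsPrincipalPermission]: a failed check becomes MVC's
// normal 401/403 handling rather than a SecurityException thrown inside the action.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    public string Resource { get; set; }
    public string Action { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated) return false;
        var manager = FederatedAuthentication.FederationConfiguration
                          .IdentityConfiguration.ClaimsAuthorizationManager;   // from web.config
        return manager.CheckAccess(new AuthorizationContext(principal, Resource, Action));
    }
}

public class OrdersController : Controller
{
    [ClaimsAuthorize(Resource = "Orders", Action = "Read")]
    public ActionResult Index() { return View(); }

    [ClaimsAuthorize(Resource = "Orders", Action = "Delete"), HttpPost, ValidateAntiForgeryToken]
    public ActionResult Delete(int id) { return RedirectToAction("Index"); }
}
```

Keeping resource and action as plain strings on the attribute, with the decision inside CheckAccess, means the policy can change (or move to a database) without touching a single controller.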
Demo: Calling Web API
POINTS: Web API Calls
• Calls to Web API must be authenticated
• Trusted subsystem
  - No need to authenticate the user again
  - The calling application presents its own credential (Windows, certificate, signed token)
• JWT
  - New preferred way to send a lightweight token
  - Pass only the user claims relevant to downstream services
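A trusted-subsystem call from the MVC front end to a Web API, where the front end mints a short-lived JWT carrying only the subject and roles and the API validates it in a DelegatingHandler. This is an added example, not the demo's code, written against the System.IdentityModel.Tokens.Jwt 5.x / Microsoft.IdentityModel.Tokens API (the 2013-era 3.x handler had different type names); the issuer and audience URNs, the ApiJwtKey setting, the API host name and the class names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.IdentityModel.Tokens;

public static class ApiTokens
{
    const string Issuer = "urn:example:mvc-frontend";   // assumed: names the trusted subsystem
    const string Audience = "urn:example:orders-api";   // assumed: the one API that may accept it

    // Shared secret (32+ random bytes, base64 in config) known only to the two parties.
    // Rotating it means redeploying both sides; use a certificate (RS256) if that hurts.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Convert.FromBase64String(ConfigurationManager.AppSettings["ApiJwtKey"]));

    // Front end: forward subject and roles, nothing else from the web session.
    public static string Issue(ClaimsPrincipal user)
    {
        var identity = (ClaimsIdentity)user.Identity;
        var forwarded = new List<Claim> { new Claim(JwtRegisteredClaimNames.Sub, identity.Name) };
        forwarded.AddRange(identity.FindAll(ClaimTypes.Role).Select(c => new Claim(ClaimTypes.Role, c.Value)));

        var now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(forwarded),
            NotBefore = now,
            Expires = now.AddMinutes(5),   // one hop, so minutes not hours: small replay window
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // API side: every check that matters is switched on explicitly.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            RequireSignedTokens = true,       // rejects alg=none
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
            NameClaimType = ClaimTypes.NameIdentifier,   // the handler maps "sub" to this on the way in
            RoleClaimType = ClaimTypes.Role
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }
}

// Web API message handler; register with config.MessageHandlers.Add(new JwtBearerHandler()).
public class JwtBearerHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            return Unauthorized(request);
        try
        {
            request.GetRequestContext().Principal = ApiTokens.Validate(auth.Parameter);  // what [Authorize] checks
        }
        catch (SecurityTokenException) { return Unauthorized(request); }  // bad signature, expired, wrong iss/aud
        catch (ArgumentException) { return Unauthorized(request); }       // not a JWT at all
        return await base.SendAsync(request, cancellationToken);
    }

    static HttpResponseMessage Unauthorized(HttpRequestMessage request)
    {
        var response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        return response;
    }
}

// Front-end caller: one HttpClient for the app, a fresh token per request.
public static class OrdersApiClient
{
    static readonly HttpClient Client = new HttpClient { BaseAddress = new Uri("https://orders-api.example.com/") };

    public static Task<HttpResponseMessage> GetOrdersAsync(ClaimsPrincipal user)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, "api/orders");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", ApiTokens.Issue(user));
        return Client.SendAsync(request);
    }
}
```

The issuer claim is the subsystem's credential and the forwarded claims are the user context, so the API authenticates the caller once (signature) and still authorizes per user (roles) without the user's password or session ever leaving the front end. Send it only over TLS: a bearer JWT is replayable by anyone who reads it.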
Social Login and User Consent
• OAuth 2.0
  - Supports variations of passive and active federation
  - Popular for user consent flows, where one application wants access to user information held by another application
    - Sharing Flickr photos
    - Sharing tweets
    - Facebook integration
  - NOT for authentication (an access token proves the bearer may call an API, not who the user is)
• Authentication
  - Twitter
  - Facebook Connect
  - OpenID Connect
[Diagram: User Consent (OAuth 2.0 authorization code flow). Participants: Browser, Login Page, Client Application, Authorization Server, Resource Server. Labeled steps: Authorization Code; Get access token; Access + refresh token; Store Tokens; Request information; Requested Information.]
Social Login / Delegated Authorization
• Typical choices for B-to-B
  - Username/password
  - Twitter
  - LinkedIn
• Typical choices for B-to-C
  - Username/password
  - Twitter
  - Facebook
  - (maybe) Google+
• Corporate environments
  - Windows
  - Username/password
  - Live ID
[Screenshot slides: Registration Options, Create Account, Facebook Registration (two screens), Twitter Registration, Social Login.]
Demo: Social Login
Login or Register?
• Make both available
• Make it obvious
• The navigation bar is one option
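The consent round trip from the User Consent diagram and the login-or-register decision above, as the MVC 4 OAuthWebSecurity pattern with the decision made server side. This is an added example, not the demo's code; it assumes Microsoft.Web.WebPages.OAuth (MVC 4) and WebMatrix.WebData, and the config key names, the RegisterExternalLoginModel view model and the ProfileStore.CreateProfile hook are illustrative.

```csharp
using System.Configuration;
using System.Web.Mvc;
using Microsoft.Web.WebPages.OAuth;
using WebMatrix.WebData;

public static class AuthConfig
{
    public static void RegisterAuth()
    {
        // Client secrets stay in config (assumed key names); the browser only ever sees the app id.
        OAuthWebSecurity.RegisterFacebookClient(
            ConfigurationManager.AppSettings["Facebook.AppId"],
            ConfigurationManager.AppSettings["Facebook.AppSecret"]);
        OAuthWebSecurity.RegisterTwitterClient(
            ConfigurationManager.AppSettings["Twitter.ConsumerKey"],
            ConfigurationManager.AppSettings["Twitter.ConsumerSecret"]);
    }
}

public class RegisterExternalLoginModel
{
    public string UserName { get; set; }
    public string ExternalLoginData { get; set; }   // protected (provider, providerUserId) blob
}

// Assumed app-specific hook: inserts the local UserProfile row for a new account.
static class ProfileStore
{
    public static void CreateProfile(string userName) { /* app-specific insert */ }
}

[Authorize]
public class AccountController : Controller
{
    // User picks a provider; we redirect to its login/consent page with our callback URL.
    [AllowAnonymous, HttpPost, ValidateAntiForgeryToken]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        return new ExternalLoginResult(provider, Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
    }

    // Provider redirects back with a code. VerifyAuthentication swaps it for tokens
    // server-to-server and fetches the profile, so identity rests on our own back-channel
    // call, never on a token or user id the browser hands us.
    [AllowAnonymous]
    public ActionResult ExternalLoginCallback(string returnUrl)
    {
        var result = OAuthWebSecurity.VerifyAuthentication(Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
        if (!result.IsSuccessful)
            return RedirectToAction("ExternalLoginFailure");

        // Login: succeeds only when (provider, providerUserId) is already linked to a local account.
        if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, false))
            return RedirectToLocal(returnUrl);

        if (User.Identity.IsAuthenticated)
        {
            // A signed-in user adding a second login: link it, do not create an account.
            OAuthWebSecurity.CreateOrUpdateAccount(result.Provider, result.ProviderUserId, User.Identity.Name);
            return RedirectToLocal(returnUrl);
        }

        // Register: unknown social identity. Never auto-create from the provider's e-mail
        // or user name; carry only the sealed provider id into the confirmation form.
        ViewBag.ProviderDisplayName = OAuthWebSecurity.GetOAuthClientData(result.Provider).DisplayName;
        return View("ExternalLoginConfirmation", new RegisterExternalLoginModel
        {
            UserName = result.UserName,
            ExternalLoginData = OAuthWebSecurity.SerializeProviderUserId(result.Provider, result.ProviderUserId)
        });
    }

    // The user confirms the local account to create, then is logged in with the new link.
    [AllowAnonymous, HttpPost, ValidateAntiForgeryToken]
    public ActionResult ExternalLoginConfirmation(RegisterExternalLoginModel model, string returnUrl)
    {
        string provider, providerUserId;
        if (User.Identity.IsAuthenticated ||
            !OAuthWebSecurity.TryDeserializeProviderUserId(model.ExternalLoginData, out provider, out providerUserId))
            return RedirectToAction("Manage");   // tampered or replayed form data
        if (!ModelState.IsValid || WebSecurity.UserExists(model.UserName))
        {
            ModelState.AddModelError("UserName", "That user name is not available.");
            return View(model);
        }
        ProfileStore.CreateProfile(model.UserName);
        OAuthWebSecurity.CreateOrUpdateAccount(provider, providerUserId, model.UserName);
        OAuthWebSecurity.Login(provider, providerUserId, false);
        return RedirectToLocal(returnUrl);
    }

    [AllowAnonymous]
    public ActionResult ExternalLoginFailure() { return View(); }

    ActionResult RedirectToLocal(string returnUrl)   // open-redirect guard
    {
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }

    class ExternalLoginResult : ActionResult
    {
        readonly string provider, returnUrl;
        public ExternalLoginResult(string provider, string returnUrl) { this.provider = provider; this.returnUrl = returnUrl; }
        public override void ExecuteResult(ControllerContext context)
        {
            OAuthWebSecurity.RequestAuthentication(provider, returnUrl);
        }
    }
}
```

The three branches in ExternalLoginCallback are the whole "login or register?" question: a known link logs in, a signed-in user links, and an unknown identity is sent to an explicit registration step instead of being silently given an account keyed on whatever name the provider returned.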
[Diagrams: (1) "Access Control & Twitter": the browser signs in to Your App through Access Control, which fronts Google, Facebook, Yahoo!, Windows Live and Your STS; Twitter is shown beside Your App rather than behind Access Control. (2) "Your App & Facebook / Twitter": the browser signs in to Your App directly with Facebook or Twitter via OAuthWebSecurity. (3) "Access Control, Social & Azure AD (vision)": Access Control in front of Google, Yahoo!, Facebook, Windows Live and Twitter, with Your App's User Profile backed by Azure AD.]
Identity and Access Management Tools
• Windows Azure Active Directory
  - Sync directories with your domain
  - Spin up new directories
  - Connect with other IdPs
• Thinktecture
  - Code base for an IdP and an Authorization Server
  - Fully functional; you own it and can edit it
  - WS-Fed and OAuth2 today, SAML2 coming
• Auth0
  - Hosted model, affordable, from small business to enterprise
  - For when you don't want to own the code but need an IdP and Authorization Server / OpenID Connect support
References
• Conference resources: http://michelebusta.com
• See my snapboards:
  - Currently at the alpha site: http://snapboardalpha.cloudapp.net/michelebusta
  - These will move to snapboard.com/michelebusta when we go live on the main site (SOON; watch my blog for the announcement)
• Contact me: michelebusta@solliance.net, @michelebusta
End to End Security with MVC and Web API