Securing .NET Core, ASP.NET Core applications
• Damien Bowden
• https://damienbod.com
• @damien_bod
Application Security today
OpenID Connect, OAuth
An introduction to Self Sovereign Identity
WAF
HTTPS everywhere, Certs Protected Zone
Authentication, Authorization, Accounting
Session Protection HTTP headers
HTTPS Certificates TLS 1.2, 1.3
Hosting
GDPR, Data breaches
WAF Web Application Firewall
Security in applications
ASP.NET Core solutions
Authentication
Authorization
Signout
Session
USE Standards
Don’t implement this yourself, use certified libs, packages, tested
OAuth2
OpenID Connect Authentication
Authorization
Delegated
OpenID Connect
http://openid.net/connect/
• Standard, Specification
• Authentication and Authorization
• built on top of OAuth2 (access control)
• Identity (Person can have n Identities)
• UserInfo Endpoint
OpenID Connect (OIDC) is supported by almost all systems.
Azure AD, Auth0, OKTA, IdentityServer4, google accounts,
Openiddict, node-oidc-provider, Azure B2C
OpenID Connect Flows
OAuth2 Flows
http://openid.net/specs/openid-connect-core-1_0.html
OAuth2 Resource Owner Credentials Flow
OpenID Connect Code flow + PKCE with client secret
OpenID Connect Hybrid flow
OpenID Connect Code flow + PKCE with no secret
OAuth Device Flow
On Behalf Of (OBO) Flow
Azure Managed Identities
id token
token (access token)
reference / self contained token
refresh token
scope
Back-Channel
Front-Channel
User Agent
OAuth2 Resource Owner Credentials Flow
• MC to MC applications
• trusted client
• grant_type=client_credential&client_id=xxxxxxxxxx&client_secret=xxxxxxxxxx
• Limited use cases
OAuth2 Resource Owner Credentials Flow
OpenID Connect Authorization Code flow + PKCE + secret
• Server to server applications with User
• Can keep secrets, is trusted
• Client is authenticated
• response_type = code
OIDC Authorization Code flow
OIDC Hybrid flow
• Mix of the Code and Implicit Flow
• Can be used for Web applications with server side rendering.
• response_type = code id_token | code id_token token | code token
OIDC Hybrid flow
Native App / SPA Authorization Code Flow + PKCE
• RFC 7636
• No secret for public clients
• https://tools.ietf.org/html/rfc7636
Single Page Applications
• Cookies
• OIDC Code Flow with PKCE
• OIDC Implicit Flow
OpenID Connect Code flow with PKCE
• For browser applications, SPAs
• Client is not authenticated, or trusted
• response_type = code
• NO SECRET
• Use reference tokens if possible
• When using Refresh tokens, check that the STS supports the latest fixes,
• Use Revocation!
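The PKCE part of the code flow shown on the last two slides (RFC 7636), as an added example that is not part of the original deck: the public client derives an S256 code_challenge from a random code_verifier and sends only the challenge with the authorization request; the STS later recomputes the challenge from the verifier presented at the token endpoint. Client id and redirect URI are assumed placeholder values.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes give a 43-char verifier (RFC allows 43..128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_params(client_id: str, redirect_uri: str, verifier: str,
                           scope: str = "openid profile") -> dict:
    """Client side: the authorization request carries the challenge, never the
    verifier and never a client secret (public client). Values are placeholders."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": b64url(secrets.token_bytes(16)),   # CSRF binding for the redirect
        "nonce": b64url(secrets.token_bytes(16)),   # replay protection for the id_token
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """STS side at the token endpoint: the challenge was stored with the issued
    code; recompute it from the presented verifier and compare in constant time.
    Only S256 is accepted, so a downgrade to 'plain' is rejected outright."""
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)
```

A stolen authorization code is useless to an attacker who does not also hold the verifier, which never left the client; the RFC's published test vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk) can be used to check make_code_challenge.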
Difference between Native APPS and SPA
• Native apps use different Redirect URLs
• Storage for persisting tokens is different
• Native app opens a browser to authenticate
• Refresh tokens stored in the browser (or silent renew ...)
OAuth Device Flow
• RFC 7636
• https://tools.ietf.org/html/draft-ietf-oauth-device-flow-12
OAuth On Behalf of OBO Flow
• RFC 6749
• https://tools.ietf.org/html/rfc6749
• https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
src: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Azure Managed identities
src: https://www.youtube.com/watch?v=vYUKC0mZFqI
Thank you
@damienbod