TOKEN AUTHENTICATION
in ASP.NET Core
Nate Barbettini
@nbarbettini
Welcome!
• Agenda
• Stormpath 101 (5 mins)
• Get Started with iOS (40 mins)
• Q&A (10 mins)
• Remy Champion
Marketing
• Nate Barbettini
.NET Developer Evangelist
Speed to Market & Cost Reduction
• Complete Identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance
Stormpath User Management
Overview
● How Sessions Work (And Why They Suck)
● How Token Authentication Works
● Tokens + ASP.NET Core
How Sessions Work (Browser ↔ ASP.NET, with a Session Store behind the server)
(1) Browser → ASP.NET: POST /login (Log In: nate@example.com / MySecretPassword123!)
(2) ASP.NET → Browser: 200 OK, Set-Cookie: session=dh7jWkx8fj;
(3) Browser → ASP.NET: GET /profile, Cookie: session=dh7jWkx8fj;
(4) ASP.NET → Browser: 200 OK (Open Profile Page. Profit!)
Drawbacks of Sessions
● Scaling is hard
● Doesn’t work with mobile
How Token Authentication Works (Browser ↔ ASP.NET)
(1) Browser → ASP.NET: POST /login (Log In: nate@example.com / MySecretPassword123!)
(2) ASP.NET → Browser: 200 OK, body: eyJ0eXAiOiJKV... (client keeps it as Stored token: eyJ0eXAiOiJKV...)
(3) Browser → ASP.NET: GET /profile, Authorization: Bearer eyJ0eXAiOiJKV...
(4) ASP.NET → Browser: 200 OK (Open Profile View. Profit!)
Advantages of Tokens
Stateless!
Works on both web and mobile
Flexible
Anatomy of JSON Web Tokens
● A JWT is a JSON object that’s been stringified and base64-encoded, in three dot-separated segments:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NjU1ODAwNzEsImV4cCI6MTQ5NzExNjA3NywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoibmF0ZUBleGFtcGxlLmNvbSIsImlzQXdlc29tZSI6InRydWUiLCJwcm92aWRlcyI6WyJzdGF0ZWxlc3MiLCJhdXRoZW50aWNhdGlvbiJdfQ.VXrLbyQeJfDmwTAg-JnRsyD23RYMQJshTx79z2STu0U
Red (first segment) = Header
Blue (second segment) = Payload (“claims”)
Green (third segment) = Cryptographic signature (JWS)
Header (decoded):
{
  "typ": "JWT",
  "alg": "HS256"
}
Body (decoded):
{
  "iss": "Online JWT Builder",
  "iat": 1465580071,
  "exp": 1497116077,
  "aud": "www.example.com",
  "sub": "nate@example.com",
  "isAwesome": "true",
  "provides": [
    "stateless",
    "authentication"
  ]
}
Token Security
● Cryptographically signed by the server
● Signature guarantees it hasn’t been forged or altered
● Token expiration (exp claim) and not-before (nbf claim)
● Optional token revocation using a nonce (jti claim)
● Use HTTPS (TLS) everywhere!
● Store tokens securely
Where to Store Tokens?
● On mobile: local device storage, sent via HTTP headers
● On the web: cookies, or HTML5 web storage (via HTTP headers)
● HTML5 web storage: vulnerable to XSS (cross-site scripting)
● Cookies: not vulnerable to XSS
○ Set the HttpOnly and Secure flags
○ Still need to protect against CSRF
● More info: Stormpath blog
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
Generating Tokens in ASP.NET Core
● This functionality was included in ASP.NET, but was removed from ASP.NET Core.
● The community has stepped up to build this functionality:
○ Stormpath ASP.NET Core plugin
○ Thinktecture IdentityServer4
○ AspNet.Security.OpenIdConnect.Server
○ OpenIddict
● Basic JWT creation: JwtSecurityTokenHandler
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

// `username` is the account that just passed the login check; `_options` holds the
// issuer, audience and signing credentials (key + algorithm) shared with the validator.
var now = DateTime.UtcNow;
var claims = new Claim[]
{
    new Claim(JwtRegisteredClaimNames.Sub, username),
    // jti: a unique ID per token; this is what makes deny-list revocation possible later
    new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
};
// Create the JWT and write it to a string
var jwt = new JwtSecurityToken(
    issuer: _options.Issuer,
    audience: _options.Audience,
    claims: claims,
    notBefore: now,                             // nbf claim
    expires: now.Add(TimeSpan.FromMinutes(5)),  // exp claim: short-lived by default
    signingCredentials: _options.SigningCredentials);
var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
● Nate’s simple example on Github:
https://github.com/nbarbettini/SimpleTokenProvider
Validating Tokens in ASP.NET Core
● Validating incoming Bearer (HTTP header) tokens is easy!
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Demo key only: in a real app load the key from configuration or a secret store rather than
// hard-coding it, and make sure it is the same key the token endpoint signs with.
var mySecretKey = new SymmetricSecurityKey(
    Encoding.ASCII.GetBytes("mysupersecret_secretKey!123"));
app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
    AutomaticAuthenticate = true,   // authenticate every request that carries a Bearer token
    TokenValidationParameters = new TokenValidationParameters()
    {
        IssuerSigningKey = mySecretKey,             // signature check
        ValidateLifetime = true,                    // enforces exp and nbf
        ValidIssuer = "MyApplication",              // must match the iss claim
        ValidAudience = "https://app.example.com",  // must match the aud claim
    }
});
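As an added example (not code from the deck, from Stormpath or from the SimpleTokenProvider sample), the following Python shows what the "Anatomy of JSON Web Tokens" and "Token Security" slides and the TokenValidationParameters snippet above are doing: it decodes the slide's sample token segment by segment (JWTs use the URL-safe base64 alphabet without padding), mints an HS256 token, and runs the validator's checks (signature, issuer, audience, exp/nbf) plus the optional jti deny-list revocation. The key, the claim values and the revoked set are constructed for the demo; the issuer and audience strings are the ones the validation snippet uses.

```python
import base64
import hashlib
import hmac
import json

# The sample token from the "Anatomy of JSON Web Tokens" slide: header.payload.signature
SLIDE_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NjU1ODAwNzEsImV4cCI6MTQ5NzExNjA3NywiYXVkIjoi"
    "d3d3LmV4YW1wbGUuY29tIiwic3ViIjoibmF0ZUBleGFtcGxlLmNvbSIsImlzQXdlc29tZSI6InRydWUiLCJwcm92aWRl"
    "cyI6WyJzdGF0ZWxlc3MiLCJhdXRoZW50aWNhdGlvbiJdfQ."
    "VXrLbyQeJfDmwTAg-JnRsyD23RYMQJshTx79z2STu0U"
)

# Constructed demo values; issuer and audience are the strings the deck's validation snippet uses.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"
ISSUER = "MyApplication"
AUDIENCE = "https://app.example.com"


def b64url_decode(segment: str) -> bytes:
    # JWT segments use the URL-safe alphabet with '=' padding stripped; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Split the three dot-separated segments and JSON-decode header and payload.
    Nothing here is trustworthy yet: anyone can read these bytes, and anyone can rewrite them."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def hs256(header_b64: str, payload_b64: str, key: bytes) -> str:
    # JWS signing input is the two encoded segments joined by a dot; HMAC-SHA256 under the server key.
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256)
    return b64url_encode(mac.digest())


def mint(claims: dict, key: bytes) -> str:
    # The equivalent of JwtSecurityTokenHandler.WriteToken on the slide, for HS256.
    header_b64 = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{hs256(header_b64, payload_b64, key)}"


def validate(token: str, key: bytes, now: int, revoked_jti=frozenset()) -> tuple:
    """The checks TokenValidationParameters performs (signature, lifetime, issuer, audience),
    plus the optional jti deny-list revocation from the Token Security slide. Returns (ok, reason, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, signature = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None   # never let the token choose the algorithm
    expected = hs256(header_b64, payload_b64, key)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature", None   # forged or altered: reject before trusting any claim
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        return False, "bad issuer", None
    if claims.get("aud") != AUDIENCE:
        return False, "bad audience", None
    if "exp" not in claims or now >= claims["exp"]:
        return False, "expired", None          # ValidateLifetime = true: exp is mandatory
    if now < claims.get("nbf", 0):
        return False, "not yet valid", None
    if claims.get("jti") in revoked_jti:
        return False, "revoked", None
    return True, "ok", claims


if __name__ == "__main__":
    tok = mint({"iss": ISSUER, "aud": AUDIENCE, "sub": "nate@example.com",
                "jti": "demo-1", "nbf": 1000, "exp": 1300}, DEMO_KEY)
    print(decode_unverified(SLIDE_JWT)[1]["sub"], validate(tok, DEMO_KEY, now=1100)[1])
```

The slide's own token decodes without any key, which is the point of the "can't anyone just change these values?" note: only the signature check stops them, and the deny-list on jti is how a still-valid token is revoked early.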
● JWTs in cookies?
See SimpleTokenProvider on Github.
About Stormpath
● Hosted user identity and authentication/authorization API
● Token generation and authentication
● Single Sign-On across multiple applications
● Multi-tenant support for SaaS applications
● Free (forever) developer tier
Token authentication in ASP.NET Core tutorial
https://stormpath.com/blog/token-authentication-asp-net-core
Stormpath + ASP.NET Core quickstart
https://docs.stormpath.com/dotnet/aspnetcore/latest/quickstart.html
Web storage vs. cookies
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
Nate’s SimpleTokenProvider sample
https://github.com/nbarbettini/SimpleTokenProvider
Q&A
Thank you!
Nate Barbettini
@nbarbettini
recaffeinate.co
.ws

Token Authentication in ASP.NET Core--Stormpath Webinar


Editor's Notes

  1. Intro - who I am: Stormpath .NET dev evangelist. Stormpath is all about helping developers use best practices for security and providing tools to make it easier to build secure applications. I’ve had a chance to be on the bleeding edge with ASP.NET Core - lots of stuff has changed!
  2. The browser POSTs the user’s credentials to your server. A session ID is created or updated that identifies the user. The session ID is pushed down to the browser inside a cookie. The cookie is included on each subsequent request. The session ID is used to find the session information in the session store (either in-memory or in a database). If the session lookup succeeds, the request is authenticated. If the session store is in-memory, each user must stay on the server they started with.
  3. The client POSTs the user’s credentials to your token endpoint. Your server generates a signed token that represents the user’s authentication ticket. The token is sent back to the client and stored somewhere locally. When the client needs to make another API request, it sends the token along with the request. Your API inspects the token to ensure it hasn’t been tampered with. The token includes the information necessary to prove the user is authenticated. The server doesn’t need to do any lookups. Any server could have fulfilled the request, not just the one that the user authenticated with.
  4. The token itself contains enough information about the user, so the server doesn’t need to look up their session in a session store.
  5. It’s separated into two or three sections by periods. Header: metadata. Body: payload or “claims”. In this case, NOT encrypted.
  6. You might be wondering: can’t anyone just change these values?
  7. Security needs to be airtight if we are going to implicitly trust something the client is sending us.
  8. If I can get a malicious script to run on your page, I can do localStorage.getItem and grab your token.
  9. Microsoft built a middleware component for this. Great for mobile APIs.