WSO2 - IDENTITY SERVER
Integration with .NET Core
ENG. Ahmed Abouelenein
15 Dec-2021
Notes Demo App
• Demo web application to add your notes
• Plans
• Free: add notes by title and details
• Silver: categorized notes
• Gold: fancy colors
• Users authenticated by WSO2
• Client: ASP.NET Core MVC web application
• API: ASP.NET Core Web API
• https://github.com/ahmedabouelenein/Notes
OAuth2
• OAuth2 is an open protocol that allows secure authorization in a simple
and standard way from web, mobile and desktop applications
• OAuth is used for authorization: issuing and validating access
tokens on the internet
• WSO2 implements the OAuth2 standard like other identity providers
(IdentityServer, Ping, TrustBuilder, Azure AD …)
OpenID Connect
• OpenID Connect is a simple identity layer on top of the OAuth2 protocol
• OpenID Connect extends OAuth2
• Used for verifying the identity of the end user based on authentication
performed by the authorization server
• OpenID Connect fills the gap in OAuth 2.0, which is intended to provide
authorization but not authentication
OAuth2 Participants
• Resource Owner
• The identity that owns the data
• Grants access to protected resources
• Client Application
• App that makes protected resource requests on behalf of the resource owner and
with its authorization
• Authorization Server
• Server issuing access tokens to the clients
• Authenticates the resource owner and obtains authorization
• Resource Server
• Server that hosts protected resources
• Handles protected resource requests using access tokens
Public and Confidential Clients
• Confidential client:
• Capable of maintaining the confidentiality of its credentials,
e.g. client ID and client secret
• Lives on a server
• Server-side web apps (MVC web application)
• Public client:
• Incapable of keeping its credentials (client ID, client secret)
confidential
• Lives on the user's device (web browser, mobile device …)
• JavaScript applications and mobile applications
Authorization Code flow
• The flow determines how the code and/or token(s) are returned to the
client
• How the IdP and the client communicate
• Depending on the application type (public or confidential), a
different flow must be used
• Flow types
• Implicit flow
• Hybrid flow
• Resource owner password credentials flow
• Client credentials flow
Authorization endpoint
• Used by the client application to obtain authentication and/or
authorization via redirection
• Identity provider level
Redirection endpoint
• Used by the IdP to return the code and token(s) to the client application
• Client level
Token endpoint
• Used by the client application to request tokens (without
redirection) from the IdP
• IdP level
• Communication types:
• Front-channel communication
Browser URL or form POST
• Back-channel communication
Server-to-server communication (token endpoint)
Authorization Code Flow
Authorization Code flow With PKCE
• The authorization code flow is vulnerable to code injection attacks
• An attacker who obtains the code can exchange it for a token and gain all privileges of the victim
• PKCE (Proof Key for Code Exchange)
Authorization Code flow With PKCE
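The slides on flows, endpoints and PKCE describe the exchange in words; the following is an added example (not code from the deck or from the Notes demo app) that builds both sides of it: the client's front-channel authorization request, its back-channel token request, and the authorization server's check that binds the code to the client that asked for it. The issuer URL, client ID and redirect URI are constructed placeholders, not values from any real WSO2 deployment.

```python
"""Authorization code flow with PKCE: the messages each side builds, stdlib only."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders (assumptions, not values from the deck or a real tenant).
ISSUER = "https://wso2is.example.test:9443/oauth2"
CLIENT_ID = "notes-mvc-client"
REDIRECT_URI = "https://notes.example.test/signin-oidc"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: a random verifier and its S256 challenge.

    The verifier stays in the client's server-side session; only the challenge
    (a hash of it) travels over the front channel through the browser."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str, nonce: str) -> str:
    """Front channel: the redirect the browser follows to the authorization endpoint.
    'openid' is the mandatory scope; state and nonce are per-request random values."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Back channel: form body the client POSTs server-to-server to the token endpoint.
    A confidential client additionally authenticates here with its secret (omitted)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_accepts_exchange(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: recompute S256 over the presented verifier and
    compare it in constant time with the challenge stored when the code was issued.
    A code presented without the matching verifier fails here, which is what PKCE adds."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def demo() -> dict:
    """Run one legitimate exchange and one without the verifier; return both outcomes."""
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(challenge, state="st-1", nonce="n-1")
    # The server keeps the challenge it saw in the authorize request next to the code.
    stored = parse_qs(urlparse(url).query)["code_challenge"][0]
    legit = build_token_request("constructed-code", verifier)
    # Same code, but presented by a party that never held the verifier.
    without_verifier = build_token_request("constructed-code", b64url(secrets.token_bytes(32)))
    return {
        "legit_exchange": server_accepts_exchange(stored, legit["code_verifier"]),
        "exchange_without_verifier": server_accepts_exchange(stored, without_verifier["code_verifier"]),
    }


if __name__ == "__main__":
    print(demo())  # legit True, exchange without the verifier False
```

The split between `make_pkce_pair`/`build_authorize_url` (front channel) and `build_token_request`/`server_accepts_exchange` (back channel) mirrors the communication types on the token endpoint slide: the challenge is the only PKCE material that crosses the browser, and the verifier is revealed only on the server-to-server leg.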
Tokens
• Types
• Identity token (proves that the user has been authenticated)
• Access token (allows the client application to access the user's resources)
• Refresh token (offline access)
• Format
• JWT (self-contained token)
• Reference token
Claims and Scopes
• A claim is a name-value pair that represents what the subject is
• Scopes are used to request specific sets of claims
• The openid scope is mandatory; it specifies that OpenID Connect should be used
Inspecting Tokens
Other endpoints
• UserInfo Endpoint
• Introspect Endpoint
Token Validation
• Check that the JWT is well formed
• Check the signature
• Check the standard claims
• Verify the token audience claim
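The four validation steps above, carried out in order on a token, as an added example that is not code from the deck. It is stdlib-only, so the signature step uses HS256 with a shared secret; WSO2 Identity Server normally signs tokens with an asymmetric key, and a real resource server would fetch the provider's public keys from its JWKS endpoint and verify an RS256 signature instead. The issuer, audience and secret are constructed placeholders, and `sign_hs256` exists only to mint the sample tokens the demo validates.

```python
"""JWT validation: well-formedness, signature, standard claims, audience."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values, not from the deck or a real deployment.
EXPECTED_ISSUER = "https://wso2is.example.test:9443/oauth2/token"
EXPECTED_AUDIENCE = "notes-api"
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
CLOCK_SKEW_SECONDS = 60


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint a token the way a demo issuer would; used here only to build test input."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def validate_jwt(token: str, secret: bytes, now: Optional[float] = None) -> tuple:
    """Return (ok, reason, claims). Each numbered step matches one bullet of the slide."""
    now = time.time() if now is None else now

    # 1. Well formed: three base64url segments whose header and payload are JSON objects.
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected 3 segments", {}
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed: header/payload not base64url JSON", {}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed: header/payload not JSON objects", {}

    # 2. Signature: the verifier pins the algorithm it expects; the token's own
    #    'alg' header is never allowed to choose the verification method.
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}", {}
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return False, "bad signature", {}

    # 3. Standard claims: issuer, expiry and not-before, with a small clock skew.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer", claims
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW_SECONDS:
        return False, "expired or missing exp", claims
    if now < claims.get("nbf", 0) - CLOCK_SKEW_SECONDS:
        return False, "not yet valid", claims

    # 4. Audience: 'aud' may be a string or a list; this API must be named in it,
    #    so a token issued for another API is refused even though it is genuine.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if EXPECTED_AUDIENCE not in aud:
        return False, "audience mismatch", claims

    return True, "ok", claims


def demo() -> dict:
    """Validate a good token and several tokens that should each fail one step."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    base = {"iss": EXPECTED_ISSUER, "sub": "user-42", "aud": EXPECTED_AUDIENCE,
            "iat": now, "exp": now + 3600, "scope": "openid notes.read"}
    hdr = {"alg": "HS256", "typ": "JWT"}
    tokens = {
        "good": sign_hs256(hdr, base, SHARED_SECRET),
        "wrong_aud": sign_hs256(hdr, {**base, "aud": "other-api"}, SHARED_SECRET),
        "expired": sign_hs256(hdr, {**base, "exp": now - 7200}, SHARED_SECRET),
        "wrong_key": sign_hs256(hdr, base, b"some-other-secret"),
        "other_alg": sign_hs256({"alg": "none", "typ": "JWT"}, base, SHARED_SECRET),
        "malformed": "not.a.jwt.at.all",
    }
    return {name: validate_jwt(tok, SHARED_SECRET, now)[0] for name, tok in tokens.items()}


if __name__ == "__main__":
    print(demo())  # only "good" is True
```

The order matters: structure and signature are checked before any claim is read, so nothing in an unsigned or tampered payload influences a decision. The audience step is what keeps a token minted for one API from being replayed against another, which is why the slide lists it separately from the other standard claims.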
Q & A