JR
Uploaded byJason Robert
PPTX, PDF570 views

Y U No OAuth, Using Common Patterns to Secure Your Web Applications

The document discusses user management and authentication methods for web applications, highlighting the evolution from traditional identity management to utilizing OAuth 2.0 and OpenID Connect with JSON Web Tokens (JWTs). It covers various authentication flows, including client credentials, password, and implicit flows, emphasizing the importance of choosing the right identity provider based on the application's infrastructure. The document concludes with recommendations for modern authentication practices, particularly for single-page applications (SPAs), advocating for the use of authorization code with Proof Key for Code Exchange (PKCE).

Technology
Related topics:
ASP.NET Core
Download to read offline
Y U NO OAUTH?!? Using Common Patterns to Secure Your Web Applications Jason Robert Twitter – @jasontrobert Website – espressocoder.com Linkedin – in/jasonrobert/
Meet the Speaker ■ Software Architect ■ Bootcamp Instructor ■ Blogger & Speaker ■ Blogs @ https://espressocoder.com ■ PASSIONATE DEVELOPER & MENTOR
Roadmap ■ Progression of User Management in the Web ■ JWTs, OAuth 2.0, and OpenID Connect ■ Authentication Methods ■ Choosing an Identity Provider
PROGRESSION OF USER MANAGEMENT IN THE WEB
“Roll Your Own” ■ You’re responsible for all aspects of identity management – User management, storage, and authentication ■ Users need to be created, administered, and managed ■ Users and passwords in a persistent store – Please tell me you hashed and salted those passwords! ■ Session can be managed via session state and/or cookie
ASP.NET Identity ■ Introduced in ASP.NET 2.0 – aspnet_regsql.exe – ASPNET Web Administration Tool ■ Designed to solve site membership requirements that were common at the time ■ Forms-based Authentication (user-name / password) ■ Database backend for user names, passwords, and profile data – Profile data requires the Profile Provider API
Modern ASP.NET Identity ■ ASP.NET Identity works with claims-based authentication – Identity is represented as a set of claims ■ Supports redirection-based login with authentication providers – Google, Facebook, Twitter, etc. ■ Storage based on EF Core and extensible ■ Distributed as a NuGet package(s) – Microsoft.AspNetCore.EntityFramework.Identity
Distributed Web Architectures ■ But what about… – Dealing with multiple web applications – Native or legacy systems – Server to server communication – 3rd party integration – Single sign-on ■ ASP.NET Identity isn’t always ideal for distributed architectures like Microservices ■ Is there another way?
USE AN OAUTH 2.0 IDENTITY PROVIDER
What is an Identity Provider? ■ Creates, maintains, and manages information for principals while providing authentication services to relying applications ■ Provides centralized login and workflow for all of your applications – Web, native, mobile, etc. ■ Hosted as a separate web application (Separation of Concerns) ■ Enables Single Sign-on – User friendly – Reduces attack surface
THE UNDERLYING TECHNOLOGIES
JSON Web Tokens (JWTs) ■ Compact and self-contained way to securely transmit information between two applications ■ Contains claims about a principal enabling authorization rules to be enforced ■ A JWT is digitally signed to verify authenticity ■ Typically Base64 encoded but can be encrypted via JSON Web Encryption (JWE)
Structure of a JWT ■ Header – Contains two key pieces of information ■ The type of the token (JWT) ■ The signing algorithm ■ Payload – Contains the claims ■ Claims are statements about an entity / user ■ Signature – Contains a signature of the Header & Payload ■ Typically uses a strong encryption algorithm
Structure of a JWT
Access Token vs Id Token ■ ID Token – Shows client application that user authenticated successfully – Contains information (claims) about a principle – Authentication response ■ Access Token – Provides “access” to a secure resource – Typically used as a bearer token – Should be managed securely
OAuth 2.0 ■ Industry-standard protocol for authorization ■ Provides specific authorization processes for web, desktop, and mobile applications ■ Describes several “grant types” for acquiring an access token – Client Credentials – Password – Authorization Code – Implicit
OpenID Connect ■ OpenID Connect is an authentication protocol based on the OAuth 2.0 specifications ■ OpenID Connect lets developers authenticate their users across websites and apps ■ Presents three flows for authentication that dictate how authentication is handled by the Identity Provider – Authorization Code Flow – Implicit Flow – Hybrid Flow
AUTHENTICATION METHODS
WHAT TYPES OF APPLICATIONS DO YOU WORK WITH?
BACKEND SYSTEMS
Client Credentials ■ Obtain a token outside the context of a user ■ Use to when communicating across two backend systems ■ Authentication is performed via client_id & client_secret ■ Think of Client ID & Client Secret as UserName and Password Client ID / Client Secret may be required as a Basic Auth header or included in the post body The grant_type is client_credentials
Client Credentials Client ID / Client Secret used for authentication JWT Access Token issued Token provided as a “bearer” authorization http header 1 2 3
Client Credentials Expiration When the token expires Audience Who the token is for Issuer Where the token came from
Client ID and Client Secret provided in authentication header The grant_type must be set to client_credentials
The token is provided in an authorization header as a Bearer token
Authority must match the “iss” claim Audience must match the “aud” claim
LEGACY APPLICATIONS
Password ■ Similar to client credentials but, with a user’s context ■ Use with native or legacy applications – Never use with your web apps! ■ Requires user name and password – In addition to client_id and client_secret Username and password fields are introduced The grant_type is password
Password Client ID, Client Secret, UserName, and Password used for authentication JWT Access Token issued Token provided as a “bearer” authorization http header 1 2 3
Password Authentication Method Reference How the principle authenticated Password-based Authentication Subject Unique Id for the principle
Username and password are now included in the request Client ID and Client Secret provided in authentication header
The password token is provided to the api in the exact same way as before
Authorization Policies can be used for routes that require a “sub” claim Authentication is setup in the same way
Policies can be assigned to controllers for authorization
SERVER SIDE WEB APPLICATIONS
Implicit Flow ■ The browser requests a token directly from the authorization server ■ The authorization server redirects to the redirect_uri with the id_token ■ Can be used with server-side web applications such as ASP.NET Core MVC ■ Do not use with Single Page Applications! Token is returned via redirect
Implicit Flow User browses to web application 1 2 3 4 Redirects to the identity provider User authenticates with identity provider Identity provider redirects back to web application with id_token
Implicit Flow Nonce used to prevent replay attacks. Must match the nonce provided by initial redirect request Unique Session ID
ASP.NET Core Middleware can be used to facilitate OpenIdConnect Implicit Flow After the id_token is received a session is established with the web application
SERVER SIDE WEB APPLICATIONS WITH API
Hybrid Flow 1 2 ■ Uses redirect uri to return id_token AND code ■ Use with server-side web applications that additionally need to call a backend api ■ Code is used server-side in order to retrieve an access_token ■ Authorization code’s can only be used once
Hybrid Flow 1 User gets redirected to Identity Provider 2 3 4 User authenticates and receives code and id_token Authorization code is used to retrieve access_token (and new code) Access_token is used to authenticate with secure api
ASP.NET Core Middleware can be used to facilitate OpenIdConnect Implicit Flow ASP.NET Core Middleware can be used to facilitate OpenIdConnect Implicit Flow
SINGLE PAGE WEB APPLICATIONS
Why Implicit Flow is bad for SPAs ■ SPA applications need an access_token ■ Response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage ■ Don’t panic if you are using implicit flow but, recognize better options are now available
Authorization Code with PKCE ■ New recommendation for SPAs ■ Redirect from authorization server only contains an authorization code – Protected by PKCE ■ PKCE mitigates the threat of having the authorization code intercepted ■ Browser requests token with authorization code 1 2
Authorization Code with PKCE 1 2 Redirects to the identity provider Redirects to authorization server with code_challenge After successful authentication, authorization code is returned to redirect url 3 Authorization code is provided with code_verifier. Upon successful validation, id_token, access_token are returned
CHOOSING AN IDENTITY PROVIDER
Weighing Your Options ■ Choose an Identity Provider that fits with your ecosystem – Is your solution an internal application? – Is your solution cloud hosted? – Which cloud provider do you use? – What level of control is required? ■ Validate it is OpenID Connect Certified!
On-Premise… Active Directory Federation Services 2016
In the Cloud…
Still not sure? https://openid.net/certification/
Graduated! You’ve learned… ■ Progression of User Management in the Web ■ JWTs, OAuth 2.0, and OpenID Connect ■ Authentication Methods ■ Choosing an Identity Provider
Jason Robert Twitter - @jasontrobert Website – espressocoder.com Linkedin - in/jasonrobert/
SO NOW THE QUESTION?!?
Y U No OAuth, Using Common Patterns to Secure Your Web Applications

More Related Content

PPTX
Y U No OAuth?!?
byJason Robert
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PPT
Authentication Technologies
byNicholas Davis
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
An Introduction to OAuth 2
byAaron Parecki
 
PDF
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
PPTX
OpenId Connect Protocol
byMichael Furman
 
Y U No OAuth?!?
byJason Robert
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
Authentication Technologies
byNicholas Davis
 
OAuth2 + API Security
byAmila Paranawithana
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
An Introduction to OAuth 2
byAaron Parecki
 
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
OpenId Connect Protocol
byMichael Furman
 

What's hot

PDF
OAuth - Open API Authentication
byleahculver
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
PDF
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
PDF
Learn with WSO2 - API Security
byWSO2
 
PDF
Two Factor Authentication and You
byChris Stone
 
PDF
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
PPTX
Extended Security with WSO2 API Management Platform
byWSO2
 
PDF
Full stack security
byDPC Consulting Ltd
 
PDF
OAuth2 primer
byManish Pandit
 
PDF
Two-factor Authentication
byPortalGuard dba PistolStar, Inc.
 
PDF
Stateless authentication for microservices - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
KEY
LinkedIn OAuth: Zero To Hero
byTaylor Singletary
 
PPTX
D@W REST security
byGaurav Sharma
 
PPTX
The State of OAuth2
byAaron Parecki
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
PDF
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
bySam Bowne
 
PPTX
Api security
byteodorcotruta
 
OAuth - Open API Authentication
byleahculver
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
Learn with WSO2 - API Security
byWSO2
 
Two Factor Authentication and You
byChris Stone
 
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
Extended Security with WSO2 API Management Platform
byWSO2
 
Full stack security
byDPC Consulting Ltd
 
OAuth2 primer
byManish Pandit
 
Two-factor Authentication
byPortalGuard dba PistolStar, Inc.
 
Stateless authentication for microservices - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
LinkedIn OAuth: Zero To Hero
byTaylor Singletary
 
D@W REST security
byGaurav Sharma
 
The State of OAuth2
byAaron Parecki
 
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
bySam Bowne
 
Api security
byteodorcotruta
 

Similar to Y U No OAuth, Using Common Patterns to Secure Your Web Applications

PPTX
Wso2 is integration with .net core
byIsmaeel Enjreny
 
PDF
Applications and deployment patterns of o auth and open id connect
byKavindu Dodanduwa
 
PPTX
OAuth 2
byChrisWood262
 
PPTX
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
bygemziebeth
 
PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
PDF
Securing .NET Core, ASP.NET Core applications
byNETUserGroupBern
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PDF
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
PDF
OAuth2
bySPARK MEDIA
 
PPTX
Authentication Flow with visual representation
bytagsquare55
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PDF
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
byWSO2
 
PDF
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
byapidays
 
PDF
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
byVladimir Bychkov
 
PDF
OAuth and why you should use it
bySergey Podgornyy
 
PDF
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PPTX
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
byCodemotion
 
Wso2 is integration with .net core
byIsmaeel Enjreny
 
Applications and deployment patterns of o auth and open id connect
byKavindu Dodanduwa
 
OAuth 2
byChrisWood262
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
bygemziebeth
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
Securing .NET Core, ASP.NET Core applications
byNETUserGroupBern
 
Demystifying OAuth 2.0
byKarl McGuinness
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
OAuth2
bySPARK MEDIA
 
Authentication Flow with visual representation
bytagsquare55
 
Securing Web Applications with Token Authentication
byStormpath
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
byWSO2
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
byapidays
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
byVladimir Bychkov
 
OAuth and why you should use it
bySergey Podgornyy
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
byCodemotion
 

Recently uploaded

PDF
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
PDF
Jonathan De Vita - Java and AI Development
byJonathan De Vita
 
PDF
How does a computer vision development company help retailers decode consumer...
byNextbrain Technologies
 
PDF
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
DOCX
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
 
PDF
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
PPTX
2025 - AI terms & Meanings for Marketers
byashishav29
 
PDF
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
PDF
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
PDF
The Smol Training Playbook: The Secrets to Building World-Class LLMs
byRazin Mustafiz
 
PDF
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
PDF
How UK Employers Are Simplifying Entry-Level Hiring with Day One Jobs
byDay One Talent Solutions Ltd
 
PDF
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF
Dev Dives: Unlocking Enterprise Data with UiPath Data Fabric
byUiPathCommunity
 
PDF
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
PDF
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
PDF
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
PDF
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
PDF
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
PPTX
Assignment Review and Accessibility Audit Findings.pptx
byJulia Undeutsch
 
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
Jonathan De Vita - Java and AI Development
byJonathan De Vita
 
How does a computer vision development company help retailers decode consumer...
byNextbrain Technologies
 
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
 
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
2025 - AI terms & Meanings for Marketers
byashishav29
 
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
The Smol Training Playbook: The Secrets to Building World-Class LLMs
byRazin Mustafiz
 
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
How UK Employers Are Simplifying Entry-Level Hiring with Day One Jobs
byDay One Talent Solutions Ltd
 
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
Dev Dives: Unlocking Enterprise Data with UiPath Data Fabric
byUiPathCommunity
 
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
Assignment Review and Accessibility Audit Findings.pptx
byJulia Undeutsch
 

Y U No OAuth, Using Common Patterns to Secure Your Web Applications

  • 1.
    Y U NOOAUTH?!? Using Common Patterns to Secure Your Web Applications Jason Robert Twitter – @jasontrobert Website – espressocoder.com Linkedin – in/jasonrobert/
  • 2.
    Meet the Speaker ■Software Architect ■ Bootcamp Instructor ■ Blogger & Speaker ■ Blogs @ https://espressocoder.com ■ PASSIONATE DEVELOPER & MENTOR
  • 3.
    Roadmap ■ Progression ofUser Management in the Web ■ JWTs, OAuth 2.0, and OpenID Connect ■ Authentication Methods ■ Choosing an Identity Provider
  • 4.
  • 5.
    “Roll Your Own” ■You’re responsible for all aspects of identity management – User management, storage, and authentication ■ Users need to be created, administered, and managed ■ Users and passwords in a persistent store – Please tell me you hashed and salted those passwords! ■ Session can be managed via session state and/or cookie
  • 6.
    ASP.NET Identity ■ Introducedin ASP.NET 2.0 – aspnet_regsql.exe – ASPNET Web Administration Tool ■ Designed to solve site membership requirements that were common at the time ■ Forms-based Authentication (user-name / password) ■ Database backend for user names, passwords, and profile data – Profile data requires the Profile Provider API
  • 7.
    Modern ASP.NET Identity ■ASP.NET Identity works with claims-based authentication – Identity is represented as a set of claims ■ Supports redirection-based login with authentication providers – Google, Facebook, Twitter, etc. ■ Storage based on EF Core and extensible ■ Distributed as a NuGet package(s) – Microsoft.AspNetCore.EntityFramework.Identity
  • 8.
    Distributed Web Architectures ■But what about… – Dealing with multiple web applications – Native or legacy systems – Server to server communication – 3rd party integration – Single sign-on ■ ASP.NET Identity isn’t always ideal for distributed architectures like Microservices ■ Is there another way?
  • 9.
    USE AN OAUTH2.0 IDENTITY PROVIDER
  • 10.
    What is anIdentity Provider? ■ Creates, maintains, and manages information for principals while providing authentication services to relying applications ■ Provides centralized login and workflow for all of your applications – Web, native, mobile, etc. ■ Hosted as a separate web application (Separation of Concerns) ■ Enables Single Sign-on – User friendly – Reduces attack surface
  • 11.
  • 12.
    JSON Web Tokens(JWTs) ■ Compact and self-contained way to securely transmit information between two applications ■ Contains claims about a principal enabling authorization rules to be enforced ■ A JWT is digitally signed to verify authenticity ■ Typically Base64 encoded but can be encrypted via JSON Web Encryption (JWE)
  • 13.
    Structure of aJWT ■ Header – Contains two key pieces of information ■ The type of the token (JWT) ■ The signing algorithm ■ Payload – Contains the claims ■ Claims are statements about an entity / user ■ Signature – Contains a signature of the Header & Payload ■ Typically uses a strong encryption algorithm
  • 14.
  • 15.
    Access Token vsId Token ■ ID Token – Shows client application that user authenticated successfully – Contains information (claims) about a principle – Authentication response ■ Access Token – Provides “access” to a secure resource – Typically used as a bearer token – Should be managed securely
  • 16.
    OAuth 2.0 ■ Industry-standardprotocol for authorization ■ Provides specific authorization processes for web, desktop, and mobile applications ■ Describes several “grant types” for acquiring an access token – Client Credentials – Password – Authorization Code – Implicit
  • 17.
    OpenID Connect ■ OpenIDConnect is an authentication protocol based on the OAuth 2.0 specifications ■ OpenID Connect lets developers authenticate their users across websites and apps ■ Presents three flows for authentication that dictate how authentication is handled by the Identity Provider – Authorization Code Flow – Implicit Flow – Hybrid Flow
  • 18.
  • 19.
  • 20.
  • 21.
    Client Credentials ■ Obtaina token outside the context of a user ■ Use to when communicating across two backend systems ■ Authentication is performed via client_id & client_secret ■ Think of Client ID & Client Secret as UserName and Password Client ID / Client Secret may be required as a Basic Auth header or included in the post body The grant_type is client_credentials
  • 22.
    Client Credentials Client ID/ Client Secret used for authentication JWT Access Token issued Token provided as a “bearer” authorization http header 1 2 3
  • 23.
    Client Credentials Expiration When thetoken expires Audience Who the token is for Issuer Where the token came from
  • 24.
    Client ID andClient Secret provided in authentication header The grant_type must be set to client_credentials
  • 25.
    The token isprovided in an authorization header as a Bearer token
  • 26.
    Authority must match the“iss” claim Audience must match the “aud” claim
  • 27.
  • 28.
    Password ■ Similar toclient credentials but, with a user’s context ■ Use with native or legacy applications – Never use with your web apps! ■ Requires user name and password – In addition to client_id and client_secret Username and password fields are introduced The grant_type is password
  • 29.
    Password Client ID, ClientSecret, UserName, and Password used for authentication JWT Access Token issued Token provided as a “bearer” authorization http header 1 2 3
  • 30.
    Password Authentication Method Reference Howthe principle authenticated Password-based Authentication Subject Unique Id for the principle
  • 31.
    Username and password arenow included in the request Client ID and Client Secret provided in authentication header
  • 32.
    The password tokenis provided to the api in the exact same way as before
  • 33.
    Authorization Policies can beused for routes that require a “sub” claim Authentication is setup in the same way
  • 34.
    Policies can beassigned to controllers for authorization
  • 35.
  • 36.
    Implicit Flow ■ Thebrowser requests a token directly from the authorization server ■ The authorization server redirects to the redirect_uri with the id_token ■ Can be used with server-side web applications such as ASP.NET Core MVC ■ Do not use with Single Page Applications! Token is returned via redirect
  • 37.
    Implicit Flow User browsesto web application 1 2 3 4 Redirects to the identity provider User authenticates with identity provider Identity provider redirects back to web application with id_token
  • 39.
    Implicit Flow Nonce usedto prevent replay attacks. Must match the nonce provided by initial redirect request Unique Session ID
  • 40.
    ASP.NET Core Middleware canbe used to facilitate OpenIdConnect Implicit Flow After the id_token is received a session is established with the web application
  • 41.
  • 42.
    Hybrid Flow 1 2 ■ Usesredirect uri to return id_token AND code ■ Use with server-side web applications that additionally need to call a backend api ■ Code is used server-side in order to retrieve an access_token ■ Authorization code’s can only be used once
  • 43.
    Hybrid Flow 1 User getsredirected to Identity Provider 2 3 4 User authenticates and receives code and id_token Authorization code is used to retrieve access_token (and new code) Access_token is used to authenticate with secure api
  • 44.
    ASP.NET Core Middleware canbe used to facilitate OpenIdConnect Implicit Flow ASP.NET Core Middleware can be used to facilitate OpenIdConnect Implicit Flow
  • 45.
  • 46.
    Why Implicit Flow isbad for SPAs ■ SPA applications need an access_token ■ Response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage ■ Don’t panic if you are using implicit flow but, recognize better options are now available
  • 47.
    Authorization Code withPKCE ■ New recommendation for SPAs ■ Redirect from authorization server only contains an authorization code – Protected by PKCE ■ PKCE mitigates the threat of having the authorization code intercepted ■ Browser requests token with authorization code 1 2
  • 48.
    Authorization Code withPKCE 1 2 Redirects to the identity provider Redirects to authorization server with code_challenge After successful authentication, authorization code is returned to redirect url 3 Authorization code is provided with code_verifier. Upon successful validation, id_token, access_token are returned
  • 49.
  • 50.
    Weighing Your Options ■Choose an Identity Provider that fits with your ecosystem – Is your solution an internal application? – Is your solution cloud hosted? – Which cloud provider do you use? – What level of control is required? ■ Validate it is OpenID Connect Certified!
  • 51.
  • 52.
  • 53.
  • 54.
    Graduated! You’ve learned… ■ Progressionof User Management in the Web ■ JWTs, OAuth 2.0, and OpenID Connect ■ Authentication Methods ■ Choosing an Identity Provider
  • 55.
    Jason Robert Twitter -@jasontrobert Website – espressocoder.com Linkedin - in/jasonrobert/
  • 56.

Editor's Notes

  • #8 Community Maintained Store Providers ASP.NET Identity MongoDB Providers: By Tugberk Ugurlu By Alexandre Spieser ASP.NET Identity LinqToDB Provider ASP.NET Identity DynamoDB Provider ASP.NET Identity RavenDB Providers: By Judah Gabriel Himango By Iskandar Rafiev ASP.NET Identity Cassandra Provider ASP.NET Identity Firebase Provider ASP.NET Identity Redis Provider ASP.NET Identity DocumentDB