JR
Uploaded byJason Robert
555 views

Y U No OAuth?!?

This document discusses authentication methods for securing web applications using identity providers. It provides an overview of the progression of user management from "roll your own" authentication to using OAuth 2.0 and OpenID Connect. Specific grant types like Authorization Code, Implicit Flow, and Hybrid Flow are described for authenticating different application types like native/legacy apps, server-side web apps, and single-page apps. Choosing an identity provider depends on factors like ecosystem, cloud provider, and control requirements. Popular options discussed include Active Directory, Auth0, Azure AD, Google, etc.

Embed presentation

Y U NO OAUTH?!? Using Common Patterns to Secure Your Web Applications Jason Robert Twitter – @jasontrobert Website – espressocoder.com Linkedin – in/jasonrobert/
Meet the Speaker ■ Software Architect ■ Auth0 Ambassador ■ Bootcamp Instructor ■ Blogs @ https://espressocoder.com ■ PASSIONATE DEVELOPER & MENTOR
Roadmap ■ Progression of User Management in the Web ■ JWTs, OAuth 2.0, and OpenID Connect ■ Authentication Methods ■ Choosing an Identity Provider
PROGRESSION OF USER MANAGEMENT IN THE WEB
“Roll Your Own” ■ You’re responsible for all aspects of identity management – User management, storage, and authentication ■ Users need to be created, administered, and managed ■ Users and passwords in a persistent store – Please tell me you hashed and salted those passwords! ■ Session managed via session state and/or cookie
ASP.NET Identity ■ Introduced in ASP.NET 2.0 – aspnet_regsql.exe – ASPNET Web Administration Tool ■ Designed to solve common site membership requirements ■ Forms-based Authentication (user-name / password) ■ Database backend for user names, passwords, and profile data – Profile data requires the Profile Provider API
Modern ASP.NET Identity ■ ASP.NET Identity works with claims-based authentication – Identity is represented as a set of claims ■ Supports redirection-based login with authentication providers – Google, Facebook, Twitter, etc. ■ Storage based on EF Core and extensible ■ Distributed as a NuGet package(s) – Microsoft.AspNetCore.EntityFramework.Identity
Distributed Web Architectures ■ But what about… – Dealing with multiple web applications – Native or legacy systems – Server to server communication – 3rd party integration – Single sign-on ■ ASP.NET Identity alone isn’t always ideal for distributed architectures like Microservices ■ Is there another way?
USE AN OAUTH 2.0 IDENTITY PROVIDER
What is an Identity Provider? ■ Creates, maintains, and manages information for principals while providing authentication services to relying applications ■ Provides centralized login and workflow for all of your applications – Web, native, mobile, etc. ■ Hosted as a separate web application (Separation of Concerns) ■ Enables Single Sign-on – User friendly – Reduces attack surface
THE UNDERLYING TECHNOLOGIES
JSON Web Tokens (JWTs) ■ Compact and self-contained way to securely transmit information between two applications ■ Contains claims about a principal enabling authorization rules to be enforced ■ A JWT is digitally signed to verify authenticity ■ Typically Base64 encoded but can be encrypted via JSON Web Encryption (JWE)
Structure of a JWT ■ Header – Contains two key pieces of information ■ The type of the token (JWT) ■ The signing algorithm ■ Payload – Contains the claims ■ Claims are statements about an entity / user ■ Signature – Contains a signature of the Header & Payload ■ Typically uses a strong encryption algorithm
Structure of a JWT
ID Token vs Access Token ■ ID Token – Shows client application that user authenticated successfully – Contains information (claims) about a principle – Authentication response ■ Access Token – Provides “access” to a secure resource – Typically used as a bearer token – Should be managed securely
OAuth 2.0 ■ Industry-standard protocol for authorization ■ Provides specific authorization processes for web, desktop, and mobile applications ■ Describes several “grant types” for acquiring an access token – Client Credentials – Password – Authorization Code – Implicit
OpenID Connect ■ OpenID Connect is an authentication protocol based on the OAuth 2.0 specifications ■ OpenID Connect lets developers authenticate their users across websites and apps ■ Presents three flows for authentication that dictate how authentication is handled by the Identity Provider – Authorization Code Flow – Implicit Flow – Hybrid Flow
AUTHENTICATION METHODS
WHAT TYPES OF APPLICATIONS DO YOU WORK WITH?
BACKEND SYSTEMS
Client Credentials ■ Obtain a token outside the context of a user ■ Use to when communicating across two backend systems ■ Authentication is performed via client_id & client_secret ■ Think of Client ID & Client Secret as UserName and Password Client ID / Client Secret may be required as a Basic Auth header or included in the post body The grant_type is client_credentials
Client Credentials
Client Credentials Expiration When the token expires Audience Who the token is for Issuer Where the token came from
Client ID and Client Secret provided in authentication header The grant_type must be set to client_credentials
The token is provided in an authorization header as a Bearer token
Authority must match the “iss” claim Audience must match the “aud” claim
LEGACY APPLICATIONS
Password ■ Similar to client credentials but, with a user’s context ■ Use with native or legacy applications – Never use with your web apps! ■ Requires user name and password – In addition to client_id and client_secret Username and password fields are introduced The grant_type is password
Password
Password Authentication Method Reference How the principle authenticated Password-based Authentication Subject Unique Id for the principle
Username and password are now included in the request Client ID and Client Secret provided in authentication header
The password token is provided to the api in the exact same way as before
Authorization Policies can be used for routes that require a “sub” claim Authentication is setup in the same way
Policies can be assigned to controllers for authorization
SERVER SIDE WEB APPLICATIONS
Implicit Flow ■ The browser requests a token directly from the authorization server ■ The authorization server redirects to the redirect_uri with the id_token ■ Can be used with server-side web applications such as ASP.NET Core MVC ■ Do not use with Single Page Apps Token is returned via redirect
Implicit Flow
Implicit Flow Nonce used to prevent replay attacks. Must match the nonce provided by initial redirect request Unique Session ID
ASP.NET Core Middleware can be used to facilitate OpenIdConnect Implicit Flow After the id_token is received a session is established with the web application
SERVER SIDE WEB APPLICATIONS WITH SECURE API
Hybrid Flow 1 2 ■ Uses redirect uri to return id_token AND code ■ Use with server-side web applications that additionally need to call a separate backend api ■ Code is used server-side in order to retrieve an access_token ■ Authorization code is used in conjunction with Client Secret which stays server side
Hybrid Flow
ASP.NET Core Middleware can be used to facilitate OpenIdConnect Implicit Flow ASP.NET Core Middleware can be used to facilitate OpenIdConnect Implicit Flow
SINGLE PAGE WEB APPLICATIONS
Why Implicit Flow is bad for SPAs ■ SPA applications need an access_token ■ Response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage ■ Don’t panic if you are using implicit flow but, recognize better options are now available
Authorization Code with PKCE ■ New recommendation for SPAs ■ Redirect from authorization server only contains an authorization code – Protected by PKCE ■ PKCE mitigates the threat of having the authorization code intercepted ■ Browser requests token with authorization code 1 2
Authorization Code with PKCE
CHOOSING AN IDENTITY PROVIDER
Weighing Your Options ■ Choose an Identity Provider that fits with your ecosystem – Is your solution an internal application? – Is your solution cloud hosted? – Which cloud provider do you use? – What level of control is required? ■ Validate it is OpenID Connect Certified!
On-Premise… Active Directory Federation Services 2016
In the Cloud…
Still not sure? https://openid.net/certification/
Graduated! You’ve learned… ■ Progression of User Management in the Web ■ JWTs, OAuth 2.0, and OpenID Connect ■ Authentication Methods ■ Choosing an Identity Provider
Jason Robert Twitter - @jasontrobert Website – espressocoder.com Linkedin - in/jasonrobert/

More Related Content

PPTX
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
byJason Robert
 
PPTX
Web API 2 Token Based Authentication
byjeremysbrown
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PPTX
OpenId Connect Protocol
byMichael Furman
 
PPT
Authentication Technologies
byNicholas Davis
 
PPTX
An Introduction to OAuth 2
byAaron Parecki
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
byJason Robert
 
Web API 2 Token Based Authentication
byjeremysbrown
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
OAuth2 + API Security
byAmila Paranawithana
 
OpenId Connect Protocol
byMichael Furman
 
Authentication Technologies
byNicholas Davis
 
An Introduction to OAuth 2
byAaron Parecki
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 

What's hot

PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PDF
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
PDF
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
PDF
Two Factor Authentication and You
byChris Stone
 
PDF
OAuth - Open API Authentication
byleahculver
 
PPTX
Extended Security with WSO2 API Management Platform
byWSO2
 
PDF
Learn with WSO2 - API Security
byWSO2
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PPTX
Api security
byteodorcotruta
 
PDF
Two-factor Authentication
byPortalGuard dba PistolStar, Inc.
 
PDF
Stateless authentication for microservices - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
KEY
LinkedIn OAuth: Zero To Hero
byTaylor Singletary
 
PPTX
D@W REST security
byGaurav Sharma
 
PDF
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
byVladimir Bychkov
 
PDF
OAuth2 primer
byManish Pandit
 
PDF
The Ultimate Guide to Mobile API Security
byStormpath
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
Two Factor Authentication and You
byChris Stone
 
OAuth - Open API Authentication
byleahculver
 
Extended Security with WSO2 API Management Platform
byWSO2
 
Learn with WSO2 - API Security
byWSO2
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
Api security
byteodorcotruta
 
Two-factor Authentication
byPortalGuard dba PistolStar, Inc.
 
Stateless authentication for microservices - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
LinkedIn OAuth: Zero To Hero
byTaylor Singletary
 
D@W REST security
byGaurav Sharma
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
byVladimir Bychkov
 
OAuth2 primer
byManish Pandit
 
The Ultimate Guide to Mobile API Security
byStormpath
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 

Similar to Y U No OAuth?!?

PPTX
Wso2 is integration with .net core
byIsmaeel Enjreny
 
PDF
Applications and deployment patterns of o auth and open id connect
byKavindu Dodanduwa
 
PPTX
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
bygemziebeth
 
PPTX
OAuth 2
byChrisWood262
 
PDF
Securing .NET Core, ASP.NET Core applications
byNETUserGroupBern
 
PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
PDF
OAuth2
bySPARK MEDIA
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PDF
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
byWSO2
 
PDF
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
byapidays
 
PDF
Full stack security
byDPC Consulting Ltd
 
PDF
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
PPTX
WebHack #13 Web authentication essentials
by昉达 王
 
PDF
Securing the API Economy: Leveraging OAuth 2.0 for Safe Digitization - LoginR...
byKevin Mathew
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
PDF
OAuth 2.0 Misconceptions
byCory Forsyth
 
Wso2 is integration with .net core
byIsmaeel Enjreny
 
Applications and deployment patterns of o auth and open id connect
byKavindu Dodanduwa
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
bygemziebeth
 
OAuth 2
byChrisWood262
 
Securing .NET Core, ASP.NET Core applications
byNETUserGroupBern
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
Demystifying OAuth 2.0
byKarl McGuinness
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
OAuth2
bySPARK MEDIA
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
byWSO2
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
byapidays
 
Full stack security
byDPC Consulting Ltd
 
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
WebHack #13 Web authentication essentials
by昉达 王
 
Securing the API Economy: Leveraging OAuth 2.0 for Safe Digitization - LoginR...
byKevin Mathew
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
OAuth 2.0 Misconceptions
byCory Forsyth
 

Recently uploaded

PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PPTX
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
PDF
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
PDF
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
PDF
How NetSuite Cloud ERP Helps Businesses Overcome Legacy System Downtime.
byTechWize
 
PDF
DSD-INT 2025 Introduction to Hydrology Suite - Slootjes
byDeltares
 
PDF
DSD-INT 2025 Hydrological Modelling in Society Assumptions, Impacts, and Appl...
byDeltares
 
PDF
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
PDF
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
PPTX
OTT Content Analytics Enhanced by ALTBalaji Data Scraping.pptx
byyashpatric
 
PPTX
Membershipanywhere - Digital Membership Card - USA , Canada, Australia.pptx
bymembershipanywhere
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
PDF
Virtual Study Circles Innovative Ways to Collaborate Online.pdf
byExplain Learning
 
PPTX
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
PPTX
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
PPTX
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
PDF
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
PPTX
1_MIL_Introduction_Influence-of-Media-and-Information-on-Communication (1).pptx
byDeltaDomsMamas1
 
PDF
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
How NetSuite Cloud ERP Helps Businesses Overcome Legacy System Downtime.
byTechWize
 
DSD-INT 2025 Introduction to Hydrology Suite - Slootjes
byDeltares
 
DSD-INT 2025 Hydrological Modelling in Society Assumptions, Impacts, and Appl...
byDeltares
 
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
OTT Content Analytics Enhanced by ALTBalaji Data Scraping.pptx
byyashpatric
 
Membershipanywhere - Digital Membership Card - USA , Canada, Australia.pptx
bymembershipanywhere
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
Virtual Study Circles Innovative Ways to Collaborate Online.pdf
byExplain Learning
 
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
1_MIL_Introduction_Influence-of-Media-and-Information-on-Communication (1).pptx
byDeltaDomsMamas1
 
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 

Y U No OAuth?!?

  • 1.
    Y U NOOAUTH?!? Using Common Patterns to Secure Your Web Applications Jason Robert Twitter – @jasontrobert Website – espressocoder.com Linkedin – in/jasonrobert/
  • 2.
    Meet the Speaker ■Software Architect ■ Auth0 Ambassador ■ Bootcamp Instructor ■ Blogs @ https://espressocoder.com ■ PASSIONATE DEVELOPER & MENTOR
  • 3.
    Roadmap ■ Progression ofUser Management in the Web ■ JWTs, OAuth 2.0, and OpenID Connect ■ Authentication Methods ■ Choosing an Identity Provider
  • 4.
  • 5.
    “Roll Your Own” ■You’re responsible for all aspects of identity management – User management, storage, and authentication ■ Users need to be created, administered, and managed ■ Users and passwords in a persistent store – Please tell me you hashed and salted those passwords! ■ Session managed via session state and/or cookie
  • 6.
    ASP.NET Identity ■ Introducedin ASP.NET 2.0 – aspnet_regsql.exe – ASPNET Web Administration Tool ■ Designed to solve common site membership requirements ■ Forms-based Authentication (user-name / password) ■ Database backend for user names, passwords, and profile data – Profile data requires the Profile Provider API
  • 7.
    Modern ASP.NET Identity ■ASP.NET Identity works with claims-based authentication – Identity is represented as a set of claims ■ Supports redirection-based login with authentication providers – Google, Facebook, Twitter, etc. ■ Storage based on EF Core and extensible ■ Distributed as a NuGet package(s) – Microsoft.AspNetCore.EntityFramework.Identity
  • 8.
    Distributed Web Architectures ■But what about… – Dealing with multiple web applications – Native or legacy systems – Server to server communication – 3rd party integration – Single sign-on ■ ASP.NET Identity alone isn’t always ideal for distributed architectures like Microservices ■ Is there another way?
  • 9.
    USE AN OAUTH2.0 IDENTITY PROVIDER
  • 10.
    What is anIdentity Provider? ■ Creates, maintains, and manages information for principals while providing authentication services to relying applications ■ Provides centralized login and workflow for all of your applications – Web, native, mobile, etc. ■ Hosted as a separate web application (Separation of Concerns) ■ Enables Single Sign-on – User friendly – Reduces attack surface
  • 11.
  • 12.
    JSON Web Tokens(JWTs) ■ Compact and self-contained way to securely transmit information between two applications ■ Contains claims about a principal enabling authorization rules to be enforced ■ A JWT is digitally signed to verify authenticity ■ Typically Base64 encoded but can be encrypted via JSON Web Encryption (JWE)
  • 13.
    Structure of aJWT ■ Header – Contains two key pieces of information ■ The type of the token (JWT) ■ The signing algorithm ■ Payload – Contains the claims ■ Claims are statements about an entity / user ■ Signature – Contains a signature of the Header & Payload ■ Typically uses a strong encryption algorithm
  • 14.
  • 15.
    ID Token vsAccess Token ■ ID Token – Shows client application that user authenticated successfully – Contains information (claims) about a principle – Authentication response ■ Access Token – Provides “access” to a secure resource – Typically used as a bearer token – Should be managed securely
  • 16.
    OAuth 2.0 ■ Industry-standardprotocol for authorization ■ Provides specific authorization processes for web, desktop, and mobile applications ■ Describes several “grant types” for acquiring an access token – Client Credentials – Password – Authorization Code – Implicit
  • 17.
    OpenID Connect ■ OpenIDConnect is an authentication protocol based on the OAuth 2.0 specifications ■ OpenID Connect lets developers authenticate their users across websites and apps ■ Presents three flows for authentication that dictate how authentication is handled by the Identity Provider – Authorization Code Flow – Implicit Flow – Hybrid Flow
  • 18.
  • 19.
  • 20.
  • 21.
    Client Credentials ■ Obtaina token outside the context of a user ■ Use to when communicating across two backend systems ■ Authentication is performed via client_id & client_secret ■ Think of Client ID & Client Secret as UserName and Password Client ID / Client Secret may be required as a Basic Auth header or included in the post body The grant_type is client_credentials
  • 22.
  • 23.
    Client Credentials Expiration When thetoken expires Audience Who the token is for Issuer Where the token came from
  • 24.
    Client ID andClient Secret provided in authentication header The grant_type must be set to client_credentials
  • 25.
    The token isprovided in an authorization header as a Bearer token
  • 26.
    Authority must match the“iss” claim Audience must match the “aud” claim
  • 27.
  • 28.
    Password ■ Similar toclient credentials but, with a user’s context ■ Use with native or legacy applications – Never use with your web apps! ■ Requires user name and password – In addition to client_id and client_secret Username and password fields are introduced The grant_type is password
  • 29.
  • 30.
    Password Authentication Method Reference Howthe principle authenticated Password-based Authentication Subject Unique Id for the principle
  • 31.
    Username and password arenow included in the request Client ID and Client Secret provided in authentication header
  • 32.
    The password tokenis provided to the api in the exact same way as before
  • 33.
    Authorization Policies can beused for routes that require a “sub” claim Authentication is setup in the same way
  • 34.
    Policies can beassigned to controllers for authorization
  • 35.
  • 36.
    Implicit Flow ■ Thebrowser requests a token directly from the authorization server ■ The authorization server redirects to the redirect_uri with the id_token ■ Can be used with server-side web applications such as ASP.NET Core MVC ■ Do not use with Single Page Apps Token is returned via redirect
  • 37.
  • 39.
    Implicit Flow Nonce usedto prevent replay attacks. Must match the nonce provided by initial redirect request Unique Session ID
  • 40.
    ASP.NET Core Middleware canbe used to facilitate OpenIdConnect Implicit Flow After the id_token is received a session is established with the web application
  • 41.
  • 42.
    Hybrid Flow 1 2 ■ Usesredirect uri to return id_token AND code ■ Use with server-side web applications that additionally need to call a separate backend api ■ Code is used server-side in order to retrieve an access_token ■ Authorization code is used in conjunction with Client Secret which stays server side
  • 43.
  • 44.
    ASP.NET Core Middleware canbe used to facilitate OpenIdConnect Implicit Flow ASP.NET Core Middleware can be used to facilitate OpenIdConnect Implicit Flow
  • 45.
  • 46.
    Why Implicit Flow isbad for SPAs ■ SPA applications need an access_token ■ Response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage ■ Don’t panic if you are using implicit flow but, recognize better options are now available
  • 47.
    Authorization Code withPKCE ■ New recommendation for SPAs ■ Redirect from authorization server only contains an authorization code – Protected by PKCE ■ PKCE mitigates the threat of having the authorization code intercepted ■ Browser requests token with authorization code 1 2
  • 48.
  • 49.
  • 50.
    Weighing Your Options ■Choose an Identity Provider that fits with your ecosystem – Is your solution an internal application? – Is your solution cloud hosted? – Which cloud provider do you use? – What level of control is required? ■ Validate it is OpenID Connect Certified!
  • 51.
  • 52.
  • 53.
  • 54.
    Graduated! You’ve learned… ■ Progressionof User Management in the Web ■ JWTs, OAuth 2.0, and OpenID Connect ■ Authentication Methods ■ Choosing an Identity Provider
  • 55.
    Jason Robert Twitter -@jasontrobert Website – espressocoder.com Linkedin - in/jasonrobert/

Editor's Notes

  • #8 Community Maintained Store Providers ASP.NET Identity MongoDB Providers: By Tugberk Ugurlu By Alexandre Spieser ASP.NET Identity LinqToDB Provider ASP.NET Identity DynamoDB Provider ASP.NET Identity RavenDB Providers: By Judah Gabriel Himango By Iskandar Rafiev ASP.NET Identity Cassandra Provider ASP.NET Identity Firebase Provider ASP.NET Identity Redis Provider ASP.NET Identity DocumentDB