ASP.Net Identity
Marwa Ahmad
Software Developer 1
Content
• 01 | Identity Overview
• 02 | Locally Authenticated Users
• 03 | OAuth and Social Providers
• 04 | Two Factor Authentication
• 05 | Asp.Net Identity with Webapi
• 06 | Identity Tips & Recommendations
01 | Identity Overview
• What is Identity ?
• History overview
• Architecture of ASP.NET Identity
• ASP.NET Identity Customization
What is Identity?
o Identity covers users, authentication and authorization.
It is a claims-based system; it stores logins, roles and claims
o Supports claims, roles, custom data stores, individual database-backed auth, OAuth/OpenID, organizational (AD, Azure AD), Single Sign On (SSO) and social login providers
History Overview
Nov 2005 ASP.NET 2.0 – Introducing Membership!
• SQL Server, SQL Express
May 2012 Universal Providers (First NuGet)
• SQL CE, Azure, one provider to access all SQL
Aug 2012 Simple Membership
• Sourced in Web Pages, came to MVC / Web Forms
Oct 2013 ASP.NET Identity v1
• Completely new model
Mar 2014 ASP.NET Identity v2
• VS 2013 Update 2. Two factor authN, account lockout, confirmation, reset, etc.
Oct 2014 (alpha) ASP.NET 5 – Identity v3
• VS 2013 Update 3. Changes to work with ASP.NET 5
ASP.NET Identity Architecture
o Consists of Managers & Stores
o Managers
o High-level classes for registering new users, validating credentials and loading user information; not concerned with how user info is stored
o Ex: SignInManager, RoleManager, UserManager
ASP.NET Identity Architecture (cont.)
• Stores
o Deal with the DAL; CRUD functionality
o Closely coupled with the persistence mechanism
o By default EF Code First is used to create the tables in SQL Server
o Implementations available for Azure Table Storage, RavenDB and MongoDB
ASP.NET Identity Architecture (cont.)
• Based on Owin & EF
ASP.NET Identity Architecture (cont.)
• EF default implementation of users & roles
ASP.NET Identity Customization
• Customize the user store; the same applies to the role store
ASP.NET Identity Customization (cont.)
• Interfaces to implement when customizing user store
02 | Locally Authenticated Users
• What are locally authenticated users?
o The DB is used to authenticate; no third party, i.e. authentication happens on the same server (AspNetUsers table)
• Customizing the SQL database & entities
ApplicationUser : IdentityUser
• Customizing the type of user store
o Create your own UserStore and IdentityUser, and a RoleStore as well if you want that.
Custom storage provider implementations exist (MySql, Azure Table Storage, RavenDB, etc.)
03 | OAuth and Social Providers
• What is OAuth?
o OAuth is a protocol
o The protocol allows third-party applications to access resources without users giving their credentials to the third party
o Supports desktop, web, mobile, etc.
• How does Identity use OAuth?
• Integrating with social/other providers
03 | OAuth and Social Providers (cont.)
• How does Identity use OAuth?
04 | Two Factor Authentication
Asp.Net Identity with Webapi
• Webapi2 Security AuthN Bearer Token tutorial; useful video; 2 mins only!
• Works with Framework 4.5, AspNet.Identity.Core 2.2.1, AspNet.Identity.EntityFramework 2.2.1, AspNet.Identity.WebApi 5.2.3
• Steps:
• Create a new Webapi project with the Individual Accounts authentication type
• Run the project
• Using Fiddler, call the Register endpoint; Ex: http://localhost:8070/api/Account/Register
Request POST body, then execute:
{"Email": "myemail@gmail.com",
"Password": "Pa$$w0rd",
"ConfirmPassword": "Pa$$w0rd"}
• Using Fiddler, call http://localhost:8070/token
Request body:
username=myemail@gmail.com&grant_type=password&Password=Pa$$w0rd
• Now you are authorized to use any endpoint which requires [Authorize]
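The three Fiddler steps above, carried out from code as an added example (not part of the deck): register, obtain a bearer token from the Katana `/token` endpoint with the resource-owner password grant, then call a protected endpoint. It assumes the Web API "Individual Accounts" template is running on the slide's base address, that its `GET api/Account/UserInfo` action is present (the template's own `[Authorize]` endpoint), and that the `Microsoft.AspNet.WebApi.Client` package is referenced for `PostAsJsonAsync`.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class BearerTokenWalkthrough
{
    // Base address from the slide; the port is whatever IIS Express assigned.
    static readonly Uri BaseAddress = new Uri("http://localhost:8070/");

    public static async Task<HttpStatusCode> RunAsync(string email, string password)
    {
        using (var client = new HttpClient { BaseAddress = BaseAddress })
        {
            // Step 1: POST /api/Account/Register with the same JSON body as the slide.
            HttpResponseMessage register = await client.PostAsJsonAsync("api/Account/Register",
                new { Email = email, Password = password, ConfirmPassword = password });
            register.EnsureSuccessStatusCode();

            // Step 2: POST /token. The OAuth authorization server middleware expects an
            // application/x-www-form-urlencoded body with grant_type=password.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                { "grant_type", "password" },
                { "username", email },
                { "password", password },
            });
            HttpResponseMessage tokenResponse = await client.PostAsync("token", form);
            tokenResponse.EnsureSuccessStatusCode();

            // The response is JSON: access_token, token_type ("bearer"), expires_in, ...
            JObject token = JObject.Parse(await tokenResponse.Content.ReadAsStringAsync());
            string accessToken = (string)token["access_token"];

            // Step 3: call an [Authorize] endpoint with "Authorization: Bearer <token>".
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", accessToken);
            HttpResponseMessage me = await client.GetAsync("api/Account/UserInfo");

            // 200 with the token, 401 without it (or once expires_in has elapsed).
            return me.StatusCode;
        }
    }
}
```

Both the password (step 2) and the bearer token (step 3) travel in clear text on this `http://` base address; the template sets `AllowInsecureHttp = true` on its `OAuthAuthorizationServerOptions` for local debugging only, which is exactly the "SSL everywhere" point the recommendations slide makes.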
05 | Identity Tips & Recommendations
• Utilize SSL everywhere. Never run without it
o An attacker on the network can steal your cookies and hijack your session
o Yes, even the login page needs to be protected
o Any page a user can access while logged in should be protected
• Enforce a strong password policy!
o Increase the default values on manager.PasswordValidator
• Use XSRF tokens everywhere for POST methods
• Do not allow unlimited login attempts
o A brute forcer's dream.
• Two factor authentication is highly recommended
• Caution – be wary of email as a second authentication factor
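The recommendations on this slide applied in one place, as an added example (not the deck's code): `PasswordValidator` raised above the template defaults, account lockout instead of unlimited attempts, an SMS-only second factor, a cookie that is only sent over HTTPS, a global `RequireHttps` filter, and an anti-forgery check on a POST action. Class names follow the MVC 5 template; `ApplicationUser` and `ApplicationDbContext` are assumed to exist as in that template, and the concrete lockout, length and timeout values are choices, not defaults.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    public static ApplicationUserManager Create(
        IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(
            new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));

        // Strong password policy: raise the template defaults on PasswordValidator.
        manager.PasswordValidator = new PasswordValidator
        {
            RequiredLength = 12,
            RequireNonLetterOrDigit = true,
            RequireDigit = true,
            RequireLowercase = true,
            RequireUppercase = true,
        };

        // No unlimited login attempts: lock the account after repeated failures.
        // SignInManager.PasswordSignInAsync(..., shouldLockout: true) counts them.
        manager.UserLockoutEnabledByDefault = true;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;

        // Second factor: SMS code only; the email provider is deliberately not registered.
        // manager.SmsService must be assigned an IIdentityMessageService before codes are sent.
        manager.RegisterTwoFactorProvider("Phone Code", new PhoneNumberTokenProvider<ApplicationUser>
        {
            MessageFormat = "Your security code is {0}"
        });

        // Reset/confirmation tokens are protected with the machine's data protection keys.
        var dataProtectionProvider = options.DataProtectionProvider;
        if (dataProtectionProvider != null)
        {
            manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
                dataProtectionProvider.Create("ASP.NET Identity"));
        }
        return manager;
    }
}

public static class SecurityConfig
{
    // Startup.Auth: the auth cookie is only ever sent over HTTPS and is unreadable by script,
    // so a network attacker cannot pick it up from a plain-HTTP request.
    public static void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,
        });
    }

    // FilterConfig: every HTTP request, the login page included, is redirected to HTTPS.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RequireHttpsAttribute());
        filters.Add(new HandleErrorAttribute());
    }
}

public class AccountController : Controller
{
    // XSRF: the form renders @Html.AntiForgeryToken(); the attribute rejects a POST
    // whose token does not match the anti-forgery cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index", "Home");
    }
}
```

`CookieSecure = CookieSecureOption.Always` is what makes the "even the login page" point enforceable: with the template's default (`SameAsRequest`) a single plain-HTTP page served to a logged-in user is enough for the cookie to be sent in clear.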
Finally
What's Next?
• With ASP.NET vNext (ASP.NET 5) in development, Katana is slowly being retired. Version 3.0 will most likely be the last major release of Katana as a standalone framework
• vNext is the successor to Katana (which is why they look so similar). Katana was the beginning of the break away from System.Web and to more modular components for the web stack. You can see vNext as a continuation of that work plus (new CLR, new Project System, new http abstractions)* David Fowler, vNext Architect
• Everything that exists today in Katana will make its way into vNext
• ASP.NET vNext will be supported by .NET Framework 4.6
References
• Customizing asp.net authentication with Identity
• Securing web applications using asp.net identity
• Introduction to asp.net identity
• Creating web project; authentication modes
• Overview of custom storage provider of asp.net identity
• Asp.net identity releases
• Owin & Katana simplified
• Individual accounts in Webapi
• AspNet Identity 2.1 with AspNet WebApi 2.2; Accounts management
• AspNet Identity 2.0 & WebApi - Customizing Identity Models & implementing Role-based Authorization
Editor's notes

1. *Claims: a key-value pair per user; a Role is a single value such as "Admin". Claims carry much more info about the user, as the user delivers the claim to your app. Ex: "Facebook Access Token", "CAAVl6UvghVkBAIGZB… *Single Sign On (SSO): the user provides the same credentials to multiple services. The user provides credentials once for multiple services.
2. IdentityUser is an EF implementation; EmailService, SmsService (Twilio SMS)
3. OWIN itself does not have any tools, libraries or anything else. It is just a specification. OWIN is not a framework. OWIN is a specification on how web servers and web applications should be built in order to decouple one from another and allow movement of ASP.NET applications to environments where at the current state it is not possible.
4. Skeleton of a custom user entity and user store (the bodies are elided in the original):

```csharp
public class IdentityUser : IUser<int>
{
    public IdentityUser() { ... }
    public IdentityUser(string userName) { ... }
    public int Id { get; set; }
    public string UserName { get; set; }
    // can also define optional properties such as:
    // PasswordHash
    // SecurityStamp
    // Claims
    // Logins
    // Roles
}

public class UserStore : IUserStore<IdentityUser, int>
{
    public UserStore() { ... }
    public UserStore(ExampleStorage database) { ... }
    public Task CreateAsync(IdentityUser user) { ... }
    public Task DeleteAsync(IdentityUser user) { ... }
    public Task<IdentityUser> FindByIdAsync(int userId) { ... }
    public Task<IdentityUser> FindByNameAsync(string userName) { ... }
    public Task UpdateAsync(IdentityUser user) { ... }
    public void Dispose() { ... }
}
```

5. *Reconfigure the application to use the new storage provider: replace the default storage provider in the MVC project. http://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity
6. Several custom implementations exist for storage providers. ASP.NET Identity Recommended Resources; Overview of Custom Storage Providers for ASP.NET Identity
7. Integrating with social/other providers (Demo + ..). Works with OAuth 2.0. We're making the OpenIDConnect middleware more generic to support more providers. We've added a generic OAuth2 middleware that works with many different providers. https://github.com/aspnet/Security/blob/dev/samples/SocialSample/Startup.cs#L116
8. The AspNetUserLogin table tracks the provider name. Tokens are not stored. Your app requests a request token, gets one and a URL. The user goes to the URL (with the token) and authenticates & allows the app. The OAuth provider redirects back to your 'success' page with. Your code parses the access token and potentially stores it. If the user doesn't have an account, prompt them to register with an email (so we have something on hand). We could change the code to auto-create. All requests to protected resources are done with the access token that is stored in AspNetUserClaims.
9. *TOTP: the Time-based One-time Password algorithm computes a one-time password from a shared secret key and the current time. When developing remember: adding the phone number triggers the first verification. No phone #? The SmsService code will never be called. Debug – you may not have all the code you need. Email will only be available if it's verified.
10. Identity is not multi-tenant or multi-app. Use SSO with Azure for multi-tenant: https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet. Shared across apps via a shared SQL DB with the identity tables. **It's extensible**: AspNet.Identity.EntityFramework.Multitenant on GitHub.
11. ASP.NET vNext will be built on top of .NET Core 5. .NET Core 5 is a lightweight, factored version of the .NET Framework, designed to support the goals of ASP.NET 5 and .NET Native.
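The external-provider flow from editor's notes 7 and 8, as an added example that is not part of the deck: the Katana Facebook middleware copies the provider's access token into the external identity, and after `ExternalSignInAsync` has matched the `(LoginProvider, ProviderKey)` pair against AspNetUserLogins the token is written to AspNetUserClaims, where later calls on the user's behalf read it back. The app id and secret are placeholders, the claim type `FacebookAccessToken` is a chosen name, and `ApplicationUser` is assumed as in the MVC 5 template.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Facebook;
using Owin;

public static class ExternalLoginConfig
{
    // Chosen claim type (assumption); any stable string works.
    const string AccessTokenClaimType = "FacebookAccessToken";

    // Startup.Auth: OnAuthenticated runs when the provider redirects back with a token,
    // before Identity sees the external identity. The token lives only in that identity
    // (and the short-lived external cookie) until the callback below stores it.
    public static void ConfigureFacebook(IAppBuilder app)
    {
        var options = new FacebookAuthenticationOptions
        {
            AppId = "PLACEHOLDER_APP_ID",          // placeholder, not a real value
            AppSecret = "PLACEHOLDER_APP_SECRET",  // placeholder; keep real secrets out of source
            Provider = new FacebookAuthenticationProvider
            {
                OnAuthenticated = context =>
                {
                    context.Identity.AddClaim(new Claim(AccessTokenClaimType, context.AccessToken));
                    return Task.FromResult(0);
                }
            }
        };
        options.Scope.Add("email");   // so ExternalLoginInfo.Email is populated for registration
        app.UseFacebookAuthentication(options);
    }

    // Called from ExternalLoginCallback once SignInStatus.Success comes back, i.e. the
    // AspNetUserLogins row exists. Replaces any earlier token so AspNetUserClaims never
    // accumulates stale copies.
    public static async Task StoreAccessTokenAsync(
        UserManager<ApplicationUser> manager, ExternalLoginInfo info)
    {
        Claim tokenClaim = info.ExternalIdentity.FindFirst(AccessTokenClaimType);
        if (tokenClaim == null) return;

        ApplicationUser user = await manager.FindAsync(info.Login);   // lookup via AspNetUserLogins
        if (user == null) return;                                      // not linked yet: register first

        var stale = (await manager.GetClaimsAsync(user.Id))
            .Where(c => c.Type == AccessTokenClaimType)
            .ToList();
        foreach (Claim claim in stale)
            await manager.RemoveClaimAsync(user.Id, claim);

        await manager.AddClaimAsync(user.Id, new Claim(AccessTokenClaimType, tokenClaim.Value));
    }

    // A later call to the provider on the user's behalf reads the token from the
    // database claim, not from the application cookie, which never carries it.
    public static async Task<string> GetAccessTokenAsync(
        UserManager<ApplicationUser> manager, string userId)
    {
        var claims = await manager.GetClaimsAsync(userId);
        Claim token = claims.FirstOrDefault(c => c.Type == AccessTokenClaimType);
        return token == null ? null : token.Value;
    }
}
```

Keeping the provider token in AspNetUserClaims rather than in the cookie identity means a captured cookie does not also yield a usable third-party token, and a lockout or security-stamp change on the account cuts off access to it together with everything else.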