Application Security in ASP.NET Core

•

0 j'aime•48 vues

NETUserGroupBern

Logiciels

ASP.NET Core Security
• Damien Bowden Microsoft MVP
• https://damienbod.com
• @damien_bod

https://github.com/damienbod
ASP.NET Core, OpenID Connect, OAuth, Identity, Azure
Angular, angular-auth-oidc-client npm

Security & Applications today
OpenID Connect, OAuth2
Protecting APIs
Authorization: ASP.NET Core Policies

Application
Authentication Business
Data Access
Authorization
Identity

Application
Authentication Business
Data Access
Authorization
Identity
Application 2
Authentication Business
Data Access
Authorization
Identity

WAF
HTTPS everywhere, Certs Protected Zone

Authentication, Authorization, Accounting
Session Protection HTTP headers
HTTPS Certs TLS 1.2, 1.3
WAF Web Application Firewall

Authentication
Authorization
Signout
Session

USE Standards
Don’t implement this yourself, use
certified libs, packages, tested

OAuth2
OpenID Connect Authentication
Authorization
Delegated

OpenID Connect
http://openid.net/connect/
• Standard, Specification
• Authentication and Authorization
• built on top of OAuth2 (access control)
• Identity (Person can have n Identities)
• UserInfo Endpoint

Open ID Connect (OIDC) is
supported by almost all systems.
Azure AD, Azure B2C, OKTA, IdentityServer4, google
accounts, Openiddict, node-oidc-provider

OpenID Connect Flows
OAuth2 Flows
http://openid.net/specs/openid-
connect-core-1_0.html
OAuth2 Resource Owner Credentials Flow
OpenID Connect Code flow
OpenID Connect Hybrid flow
OpenID Connect PKCE Authorization Code
Flow RFC 7636
OAuth Device Flow

id token
token (access token)
reference / self contained token
refresh token
scope
Back-Channel
Front-Channel
User Agent

OAuth2 Resource
Owner Credentials
Flow
• MC to MC applications
• trusted client
• grant_type=client_cred
ential&client_id=xxxxx
xxxxx&client_secret=xx
xxxxxxxx
• Limited user cases

OpenID Connect
Authorization Code
flow
• Server to server
applications with User
• Can keep secrets, is
trusted
• Client is authenticated
• response_type = code

OIDC Authorization
Hybrid flow
• Mix of the Code and
Implicit Flow
• Can be used for Web
applications with
server side rendering.
• response_type = code
id_token |
code id_token token |
code token

Native App PKCE
Authorization Code
Flow
RFC 7636
https://tools.ietf.org/html/rfc
7636

Single Page
Applications
Cookies
OIDC Code Flow with
PKCE
OIDC Implicit Flow

OpenID Connect Code flow
with PKCE
• For browser applications, SPAs
• Client is not authenticated, or trusted
• response_type = code
• NO SECRET

OAuth Device Flow
RFC 7636
https://tools.ietf.org/html/dra
ft-ietf-oauth-device-flow-12

https://github.com/damienbod/AspNetCoreHybridFlowWithApi
https://github.com/damienbod/AspNetCoreWindowsAuth
OpenID Connect Hybrid Flow
Code examples

https://github.com/damienbod/AspNetCoreHybridFlowWithApi
https://github.com/damienbod/AspNetCoreWindowsAuth
OAuth2 Resource Owner Credentials Flow
Code examples

JWT Bearer Authentication
Introspection
Cookies … not for APIs mostly...

Public APIs
use same access_token
Private APIs, APIs in protected Zones
use a new access_token, not the public access_token

Authorization is the responsibility of the
Application / API, not the STS.
This can be implemented in an separate
library.

Standard Requirements
Complex Requirements
Policies uses Requirements
Authorization Handlers

ASP.NET Core Policies, Handlers and
Requirements makes it easy to focus
on Authorization

https://openid.net/developers/specs/
https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow
https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
https://www.npmjs.com/package/angular-auth-oidc-client
https://openid.net
https://auth0.com/blog/cookies-vs-tokens-definitive-guide
https://www.npmjs.com/package/angular-auth-oidc-client
https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/authenticate
https://scotthelme.co.uk/say-hello-to-security-txt
https://csp-evaluator.withgoogle.com/

Contenu connexe

Similaire à Application Security in ASP.NET Core

DDD Melbourne 2014 security in ASP.Net Web API 2

Pratik Khasnabis

OpenId Connect Protocol

Michael Furman

Adding identity management and access control to your app

Álvaro Alonso González

We know and love our authentication standards for the web, yet on mobile we often still resort to usernames & passwords in our apps. This presentation explores OpenID Connect (OIDC) and OAuth 2.0 in the context of mobile apps to see how they decouple authentication logic from your app and promote simpler and more flexible patterns for user authentication and API authorization. This presentation was first given in the London Mobile Security Meetup https://www.meetup.com/London-Mobile-Developer-Security/

Mobile Authentication - Onboarding, best practices & anti-patterns

Pieter Ennes

Adding Identity Management and Access Control to your App

FIWARE

Authentication with zend framework

George Mihailov

Entreprises are deploying more applications to workers phones and tablets. These applications are currently all using separate authentications to establish user identity and authorization. This session will look at how the Native Application profile of OpenID Connect creates a local token broker on the device to centralize authentication for multiple enterprise and SaaS applications on a device. This can be used to increase security by enabling additional authentication factors and a enhanced view of device posture, as well as increasing usability, bu reducing the number of unnecessary authentications that interrupt the users work flow every day.

CIS 2015 Extreme OpenID Connect - John Bradley

CloudIDSummit

OAuth 2.0 refresher Talk

marcwan

Implementing Microservices Security Patterns & Protocols with Spring

VMware Tanzu

FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...

FIWARE

OpenId Connect in Shibboleth Identity Provider

Misagh Moayyed

Office Track: SharePoint Apps for the IT Pro - Thomas Vochten

ITProceed

OAuth2 Best Practices in Native Apps

Jeff Fontas

How to build Simple yet powerful API.pptx

Channa Ly

How to Build, Manage, and Promote APIs

WSO2

OpenID Connect "101" Introduction -- October 23, 2018

OpenIDFoundation

[Workshop] API-driven Integration

WSO2

OAuth 2.0 (RFC 6749/50) is a delegated authorization framework that makes requesting access for and authenticating as a client to an API as easy as getting a token and using a token. This session will explore the different OAuth flows in the spec as will as discuss extensions such as the JWT assertion flow and SAML bearer extension, and will also discuss security mitigations needed to use the protocol safely.

CIS 2015 Extreme OAuth - Paul Meyer

CloudIDSummit

Using Cisco Jabber Guest, organizations can connect with customers or other public users (guests) through their website or mobile application using instant-on, real-time voice and video. Guests in queue can watch videos about products and then talk with subject-matter experts. They can see shared content, ask questions and get them answered in real time. And they can do so from the device they prefer - tablet, computer, or smart phone. As a developer, you can create custom experiences using Jabber Guest within a Web app on Windows and Mac or a mobile app on iOS and Android. In this session you'll learn how simple, straightforward, and welcoming the integration can be … for both the developer / organization implementing Jabber Guest integration, and for the guests themselves.

DEVNET-1121 Customizing Cisco Video Access for Guests

Cisco DevNet

OAuth and OEmbed

leahculver

Similaire à Application Security in ASP.NET Core (20)

DDD Melbourne 2014 security in ASP.Net Web API 2

OpenId Connect Protocol

Adding identity management and access control to your app

Mobile Authentication - Onboarding, best practices & anti-patterns

Adding Identity Management and Access Control to your App

Authentication with zend framework

CIS 2015 Extreme OpenID Connect - John Bradley

OAuth 2.0 refresher Talk

Implementing Microservices Security Patterns & Protocols with Spring

FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...

OpenId Connect in Shibboleth Identity Provider

Office Track: SharePoint Apps for the IT Pro - Thomas Vochten

OAuth2 Best Practices in Native Apps

How to build Simple yet powerful API.pptx

How to Build, Manage, and Promote APIs

OpenID Connect "101" Introduction -- October 23, 2018

[Workshop] API-driven Integration

CIS 2015 Extreme OAuth - Paul Meyer

DEVNET-1121 Customizing Cisco Video Access for Guests

OAuth and OEmbed

Plus de NETUserGroupBern

Large Language Models, Data & APIs - Integrating Generative AI Power into you...

NETUserGroupBern

AAD und .NET

NETUserGroupBern

SHIFT LEFT WITH DEVSECOPS

NETUserGroupBern

Ob ASP.net MVC, NuGet oder die codebasierten Migrationen bei EF – immer mehr Konzepte und Ideen schwappen von Ruby in die .Net Welt. Wieso aber gerade von Ruby? Und was macht Rails so beliebt bei Webentwicklern? Ruby ist wie C# eine objektorientierte Programmiersprache. Damit enden die Gemeinsamkeiten aber schon fast. Die vielen fremden Konzepte und Ansätze machen einen Einstieg in Ruby und Rails nicht gerade einfach. Aber genau in diesen Unterschieden liegen die Stärken und machen Ruby so interessant. Dieser Vortrag gibt einen Überblick über Ruby und Rails und hilft einem sich in dieser ungewohnten Umgebung zu Recht zu finden.

Ruby und Rails für .NET Entwickler

NETUserGroupBern

Bei all dem Hype rund um NoSQL übersieht man gerne wie viele einsatzbereite Produkte darauf warten unser Entwicklerleben zu vereinfachen. Eines dieser Produkte ist RavenDB, eine dokumentenorientierte Datenbank mit Transaktionsunterstützung. Im Gegensatz zu vielen NoSQL-Lösungen ist RavenDB voll in die .Net-Welt integriert. So kann man seine Abfragen mittels LINQ formulieren und muss nicht auf JavaScript setzen. Die grosse Erfahrung von Oren Eini bei der Optimierung von NHibernate und Entity Framework wurden in RavenDB aufgenommen. So hilft eine frühzeitige Erkennung von Select N+1 Abfragen spätere Probleme in der Produktion zu verhindern. Neben diesen Eigenheiten wird uns Johnny Graber auch zeigen was es alles für Einsatzmöglichkeiten gibt. Die Flexibilität von NoSQL gepaart mit der Einfachheit von RavenDB ist dabei keineswegs nur etwas für grosse Firmen wie Google, Facebook oder Twitter - der nächste Prototyp kann davon genauso gut profitieren.

Einführung in RavenDB

NETUserGroupBern

Do you try to keep up with all the new frameworks, patterns and trends in IT? Good luck, it’s an endless stream of things to learn. The good news: software development isn’t the only profession with this problem. Doctors face the same challenges and must keep the safety of patients in mind while working as cost-effective as possible. With much higher stakes, it’s no surprise that medicine is a highly regulated field with explicit rules on the lifelong training – rules that we can use as a source of inspiration for our training. In this session we will look how the doctors in Switzerland organise their continuing medical education, debunk some myths about learning and figure out how we can use our daily work as a jumpstart for improvement.

What Doctors Can Teach Us on Continuous Learning

NETUserGroupBern

Entity Framework Core - Der Umstieg auf Core

NETUserGroupBern

Weiches Zeugs für harte Jungs und Mädels

NETUserGroupBern

Änderungen im Cardinality Estimator SQL Server 2014

NETUserGroupBern

Rest Fundamentals

NETUserGroupBern

Refactoring: Mythen & Fakten

NETUserGroupBern

AngularJs

NETUserGroupBern

Pragmatische Anforderungen

NETUserGroupBern

Einführung in MongoDB

NETUserGroupBern

What the hell is PowerShell?

NETUserGroupBern

Know your warm up

NETUserGroupBern

BDD mit Machine.Specifications (MSpec)

NETUserGroupBern

Versionskontrolle mit Git

NETUserGroupBern

.NETworking Workshop Design Thinking

NETUserGroupBern

Reaktive Programmierung mit den Reactive Extensions (Rx)

NETUserGroupBern

Plus de NETUserGroupBern (20)

Large Language Models, Data & APIs - Integrating Generative AI Power into you...

AAD und .NET

SHIFT LEFT WITH DEVSECOPS

Ruby und Rails für .NET Entwickler

Einführung in RavenDB

What Doctors Can Teach Us on Continuous Learning

Entity Framework Core - Der Umstieg auf Core

Weiches Zeugs für harte Jungs und Mädels

Änderungen im Cardinality Estimator SQL Server 2014

Rest Fundamentals

Refactoring: Mythen & Fakten

AngularJs

Pragmatische Anforderungen

Einführung in MongoDB

What the hell is PowerShell?

Know your warm up

BDD mit Machine.Specifications (MSpec)

Versionskontrolle mit Git

.NETworking Workshop Design Thinking

Reaktive Programmierung mit den Reactive Extensions (Rx)

Dernier

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

Azure Native Qumulo scales elastically for common High Performance Compute (HPC) workloads based on application requirements for: Financial Services, Automotive, Genomics / Life Sciences, Media and Entertainment, Energy, Oil and Gas, etc. Performance can be dialed UP (and back down) much higher than the examples shown here. These slides offer a glimpse into ANQ's HPC capabilities, although at a smaller scale. We invite YOU to do your own testing (with a free ANQ trial) and work with us to test your HPC workloads in Azure.

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf

ryanfarris8

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

In today's dynamic e-commerce landscape, the payment gateway emerges as a linchpin, ensuring smooth and secure transactions between buyers and sellers. In this discourse, we delve into the meticulous process of devising test cases tailored for scrutinizing payment gateways. Crafting precise test cases for payment gateways is a quintessential responsibility for testers operating within the service industry. This article meticulously explores pivotal scenarios integral to how to test payment gateways, coupled with essential guidelines for drafting effective test cases.

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

kalichargn70th171

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

masabamasaba

Conference: Engage2024 in Antwerp Type: Workshop Speakers: Florian Vogler, Henning Kunz, Christoph Adler Title: Navigating the Future with The Hitchhiker's Guide to Notes and Domino 14 Abstract: Embark on an exhilarating journey with industry trailblazers Florian Vogler, Henning Kunz, and Christoph Adler in this not-to-be-missed workshop at the forefront of the tech universe. Get ready for a thrilling kick-off as we navigate the current state of the HCL universe, setting the stage for an exploration of the groundbreaking Notes and Domino 14. Discover the latest enhancements and revolutionary features that will redefine your experience. In this interactive session, unlock a treasure trove of tips and tricks to elevate your utilization of version 14, both with and without the game-changing panagenda MarvelClient. Brace yourself for also diving into Nomad, Nomad Web, and VoltMX, expanding your horizons in the expansive HCL landscape. Be a part of this exclusive opportunity to stay ahead in the ever-evolving world of HCL technologies. Your journey to mastering Notes and Domino 14 begins here. And remember, in the spirit of intergalactic exploration, don't forget to bring your towel!

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

panagenda

Model Call Girl Services in Delhi reach out to us at 🔝 9953056974 🔝✔️✔️ Our agency presents a selection of young, charming call girls available for bookings at Oyo Hotels. Experience high-class escort services at pocket-friendly rates, with our female escorts exuding both beauty and a delightful personality, ready to meet your desires. Whether it's Housewives, College girls, Russian girls, Muslim girls, or any other preference, we offer a diverse range of options to cater to your tastes. We provide both in-call and out-call services for your convenience. Our in-call location in Delhi ensures cleanliness, hygiene, and 100% safety, while our out-call services offer doorstep delivery for added ease. We value your time and money, hence we kindly request pic collectors, time-passers, and bargain hunters to refrain from contacting us. Our services feature various packages at competitive rates: One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500/in-call, ₹6000/out-call Body to body massage with sex: ₹3000/in-call Full night for one person: ₹7000/in-call, ₹10000/out-call Full night for more than 1 person: Contact us at 🔝 9953056974 🔝. for details Operating 24/7, we serve various locations in Delhi, including Green Park, Lajpat Nagar, Saket, and Hauz Khas near metro stations. For premium call girl services in Delhi 🔝 9953056974 🔝. Thank you for considering us!

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

9953056974 Low Rate Call Girls In Saket, Delhi NCR

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

Pharm-D Biostatistics and Research methodology

Anusha Are

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456

KiaraTiradoMicha

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

masabamasaba

Many specialized tools cater to distinct stages within the software development lifecycle (SDLC). These tools target various aspects of development, delivery, and operations, each with its unique strengths. Uniting these diverse testing needs into a single continuous testing platform presents several challenges. Such a platform must seamlessly integrate with various development tools and environments, accommodate different testing methodologies, and remain flexible to adapt to organizational processes and quality standards.

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

kalichargn70th171

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Jittipong Loespradit

Dernier (20)

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

A Secure and Reliable Document Management System is Essential.docx

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

VTU technical seminar 8Th Sem on Scikit-learn

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

Unlocking the Future of AI Agents with Large Language Models

Pharm-D Biostatistics and Research methodology

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Application Security in ASP.NET Core

1. ASP.NET Core Security • Damien Bowden Microsoft MVP • https://damienbod.com • @damien_bod

2. https://github.com/damienbod ASP.NET Core, OpenID Connect, OAuth, Identity, Azure Angular, angular-auth-oidc-client npm

3. Security & Applications today OpenID Connect, OAuth2 Protecting APIs Authorization: ASP.NET Core Policies

4. Security & Applications today

5. Application

6. Application Authentication Business Data Access Authorization Identity

7. Application Authentication Business Data Access Authorization Identity Application 2 Authentication Business Data Access Authorization Identity

8. Application Authentication Business Data Access Authorization Identity Application 2 Authentication Business Data Access Authorization Identity

10.

11. HTTPS everywhere, Certs

12. WAF HTTPS everywhere, Certs Protected Zone

13. WAF HTTPS everywhere, Certs Protected Zone

14. Authentication, Authorization, Accounting Session Protection HTTP headers HTTPS Certs TLS 1.2, 1.3 WAF Web Application Firewall

15. Authentication Authorization Signout Session

16. USE Standards Don’t implement this yourself, use certified libs, packages, tested

17.

18. OAuth2 OpenID Connect Authentication Authorization Delegated

19. OpenID Connect http://openid.net/connect/ • Standard, Specification • Authentication and Authorization • built on top of OAuth2 (access control) • Identity (Person can have n Identities) • UserInfo Endpoint

20. Open ID Connect (OIDC) is supported by almost all systems. Azure AD, Azure B2C, OKTA, IdentityServer4, google accounts, Openiddict, node-oidc-provider

21. Authentication Authorization Signout Session

22. OpenID Connect Flows OAuth2 Flows http://openid.net/specs/openid- connect-core-1_0.html OAuth2 Resource Owner Credentials Flow OpenID Connect Code flow OpenID Connect Hybrid flow OpenID Connect PKCE Authorization Code Flow RFC 7636 OAuth Device Flow

23. id token token (access token) reference / self contained token refresh token scope Back-Channel Front-Channel User Agent

24. OAuth2 Resource Owner Credentials Flow • MC to MC applications • trusted client • grant_type=client_cred ential&client_id=xxxxx xxxxx&client_secret=xx xxxxxxxx • Limited user cases

25. OAuth2 Resource Owner Credentials Flow

26. OpenID Connect Authorization Code flow • Server to server applications with User • Can keep secrets, is trusted • Client is authenticated • response_type = code

27. OIDC Authorization Code flow

28. OIDC Authorization Hybrid flow • Mix of the Code and Implicit Flow • Can be used for Web applications with server side rendering. • response_type = code id_token | code id_token token | code token

29. OIDC Hybrid flow

30. Native App PKCE Authorization Code Flow RFC 7636 https://tools.ietf.org/html/rfc 7636

31.

32. Single Page Applications Cookies OIDC Code Flow with PKCE OIDC Implicit Flow

33. OpenID Connect Code flow with PKCE • For browser applications, SPAs • Client is not authenticated, or trusted • response_type = code • NO SECRET

34. OAuth Device Flow RFC 7636 https://tools.ietf.org/html/dra ft-ietf-oauth-device-flow-12

35.

36. https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth OpenID Connect Hybrid Flow Code examples

37.

38. https://github.com/damienbod/AspNetCoreHybridFlowWithApi https://github.com/damienbod/AspNetCoreWindowsAuth OAuth2 Resource Owner Credentials Flow Code examples

39.

40.

41.

42. Protecting APIs

43. JWT Bearer Authentication Introspection Cookies … not for APIs mostly...

44. Public APIs use same access_token Private APIs, APIs in protected Zones use a new access_token, not the public access_token

45. Authorization: ASP.NET Core Policies

46. Authorization is the responsibility of the Application / API, not the STS. This can be implemented in an separate library.

47. Standard Requirements Complex Requirements Policies uses Requirements Authorization Handlers

48. Create a Requirement

49. Make a Handler

50. Create a Policy

51. Apply the Policy (Controller)

52. Apply the Policy (Razor Page)

53. Apply a Requirement directly

54. Handler with Resource

55. ASP.NET Core Policies, Handlers and Requirements makes it easy to focus on Authorization

56. Thank you @damienbod

57. https://openid.net/developers/specs/ https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660 https://www.npmjs.com/package/angular-auth-oidc-client https://openid.net https://auth0.com/blog/cookies-vs-tokens-definitive-guide https://www.npmjs.com/package/angular-auth-oidc-client https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/authenticate https://scotthelme.co.uk/say-hello-to-security-txt https://csp-evaluator.withgoogle.com/

Application Security in ASP.NET Core

Recommandé

Recommandé

Contenu connexe

Similaire à Application Security in ASP.NET Core

Similaire à Application Security in ASP.NET Core (20)

Plus de NETUserGroupBern

Plus de NETUserGroupBern (20)

Dernier

Dernier (20)

Application Security in ASP.NET Core