WSO2 IS integration with .NET Core
1. WSO2 - IDENTITY SERVER
Integration with .NET Core
Eng. Ahmed Abouelenein
15 Dec 2021
2. Notes Demo App
• Demo web application for adding your notes
• Plans
• Free: add notes by title & details
• Silver: categorized notes
• Gold: fancy colors
• Users authenticated by WSO2 Identity Server
• Client: ASP.NET Core MVC web application
• API: ASP.NET Core Web API
• https://github.com/ahmedabouelenein/Notes
3. OAuth2
• OAuth2 is an open protocol that lets web, mobile and desktop applications obtain authorization in a simple, standard way
• OAuth2 is used for authorization: it defines how access tokens are issued and validated over the internet
• WSO2 Identity Server implements the OAuth2 standard, like other identity providers (IdentityServer, Ping, TrustBuilder, Azure AD …)
4. OpenID Connect
• OpenID Connect is a simple identity layer on top of the OAuth2 protocol
• OpenID Connect extends OAuth2
• Used for verifying the identity of the end user based on the authentication performed by the authorization server
• OpenID Connect fills the gap in OAuth 2.0, which is designed to provide authorization but not authentication
5. OAuth2 Participants
• Resource Owner
• The identity (usually the end user) who owns the data
• Grants access to protected resources
• Client Application
• App that makes protected resource requests on behalf of the resource owner and with its authorization
• Authorization Server
• Server that issues access tokens to clients
• Authenticates the resource owner and obtains authorization
• Resource Server
• Server that hosts the protected resources
• Handles protected resource requests by validating the access tokens presented with them
6. Public and Confidential Clients
• Confidential client:
• Capable of keeping its credentials confidential (the client secret issued together with its client ID)
• Lives on a server
• Server-side web apps (MVC web application)
• Public client:
• Incapable of keeping a client secret confidential: anything embedded in the app can be extracted by the user or an attacker, so it is identified by client ID only
• Lives on the user's device (web browser, mobile device …)
• JavaScript applications and mobile applications
7. Authorization Code flow
• A flow determines how the code and/or token(s) are returned to the client
• It defines how the IdP and the client communicate
• Depending on the application type (public or confidential) a different flow must be used
• Flow types
• Authorization code flow
• Implicit flow
• Hybrid flow
• Resource owner password credentials flow
• Client credentials flow
• Note: the implicit and password flows are deprecated by the OAuth 2.0 Security Best Current Practice; new applications, public clients included, should use the authorization code flow with PKCE
8. Authorization endpoint
• Used by the client application to obtain authentication and/or authorization via browser redirection
• Lives at the identity provider
10. Token endpoint
• Used by the client application to request tokens (without redirection) from the IdP
• Lives at the identity provider
• Communication types:
• Front channel communication
Through the user's browser: URL redirect or form POST (authorization endpoint)
• Back channel communication
Direct server-to-server communication, never visible to the browser (token endpoint)
12. Authorization Code flow with PKCE
• The plain authorization code flow is vulnerable to code interception and code injection: a public client has no secret, so anyone who captures the code on the front channel can redeem it at the token endpoint
• An attacker who redeems a stolen code receives tokens with all the privileges of the victim
• PKCE (Proof Key for Code Exchange, RFC 7636): the client sends a code_challenge (SHA-256 hash of a random code_verifier) with the authorization request and the code_verifier itself with the token request; the IdP issues tokens only if the two match
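The following is an added example, not code from the deck or from the Notes project, that puts slides 8, 10 and 12 together: the front-channel authorization request, the back-channel token request, and the PKCE check that makes a stolen code useless. Both sides run in one process so the exchange can be traced without a network. The endpoint paths match WSO2 IS defaults, but the host, the client id `notes-mvc` and the redirect URI are assumptions for the example.

```python
"""Authorization code flow with PKCE, both sides simulated in one process."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: WSO2 IS serves /oauth2/authorize and /oauth2/token on port 9443 by
# default, but this host, the client id and the redirect URI are made up for the example.
AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"
CLIENT_ID = "notes-mvc"
REDIRECT_URI = "https://localhost:5001/signin-oidc"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43-character high-entropy secret that never leaves the client."""
    return secrets.token_urlsafe(32)


def code_challenge(verifier: str) -> str:
    """S256 transform: only this hash travels over the front channel."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(scope: str, state: str, challenge: str) -> str:
    """Front channel: the browser is redirected to this URL."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """In-memory stand-in for the IdP's authorization and token endpoints."""

    def __init__(self):
        self._codes = {}  # issued code -> what it was bound to at issuance

    def authorize(self, request_url: str, authenticated_user: str):
        """Authorization endpoint: after login, bind a one-time code to the request."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"sub": authenticated_user, "client_id": q["client_id"],
                             "redirect_uri": q["redirect_uri"], "scope": q.get("scope", ""),
                             "challenge": q["code_challenge"]}
        return code, q.get("state")  # goes back to the client in the redirect

    def exchange_code(self, code: str, client_id: str, redirect_uri: str, verifier: str) -> dict:
        """Token endpoint (back channel): redeem the code once, only with the matching verifier."""
        bound = self._codes.pop(code, None)  # pop: a code is single use even if this attempt fails
        if bound is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if bound["client_id"] != client_id or bound["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code bound to another client or redirect_uri")
        if not hmac.compare_digest(code_challenge(verifier), bound["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": bound["scope"], "sub": bound["sub"]}


def legitimate_exchange() -> dict:
    """The client that generated the verifier completes the flow and gets tokens."""
    idp = AuthorizationServer()
    verifier = make_code_verifier()
    url = build_authorization_request("openid profile notes.read", "s1", code_challenge(verifier))
    code, state = idp.authorize(url, "alice")
    if state != "s1":
        raise RuntimeError("state mismatch: possible CSRF")  # client checks this before redeeming
    return idp.exchange_code(code, CLIENT_ID, REDIRECT_URI, verifier)


def stolen_code_exchange() -> str:
    """An attacker who intercepted the redirect holds the code but not the verifier."""
    idp = AuthorizationServer()
    verifier = make_code_verifier()
    url = build_authorization_request("openid profile notes.read", "s2", code_challenge(verifier))
    code, _ = idp.authorize(url, "alice")
    try:
        idp.exchange_code(code, CLIENT_ID, REDIRECT_URI, make_code_verifier())  # guessed verifier
    except PermissionError as err:
        return str(err)
    return "attack succeeded"
```

The verifier is generated per authorization request and lives only in the client's memory; the server stores the challenge and the binding to client id and redirect_uri, and consumes the code on the first redemption attempt whether or not it succeeds. In the ASP.NET Core MVC client the OpenIdConnect handler performs these steps itself (OpenIdConnectOptions.UsePkce), so the value of the example is in seeing what the IdP checks on the back channel.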
14. Tokens
• Types
• Identity token (proves that the user has been authenticated; consumed by the client application)
• Access token (allows the client application to access the user's resources at the API)
• Refresh token (offline access: obtain new access tokens without the user being present)
• Format
• JWT (self-contained token: the API validates the signature and claims locally)
• Reference token (an opaque identifier: the API must call the IdP's introspection endpoint to resolve it)
15. Claims and Scopes
• A claim is a name/value pair that states something about the subject
• Scopes are used to request specific sets of claims (and the permissions the API grants for them)
• The openid scope is mandatory to indicate that OpenID Connect should be used
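As an added example covering slides 14 and 15, the block below is not code from the deck or the Notes project; it shows what a resource server such as the Notes API does with a self-contained JWT access token: verify the signature, then issuer, audience and expiry, then the scope the endpoint needs. WSO2 IS signs access tokens with RS256 and publishes its keys over JWKS; this example uses HS256 with a shared key only to stay self-contained, and the issuer URL, audience `notes-api`, key and claim values are constructed for the example.

```python
"""Local validation of a JWT access token as the Notes API (resource server) would do it."""
import base64
import hashlib
import hmac
import json
import time

# Assumed values: WSO2 IS's default token issuer URL pattern, a made-up audience, and a
# shared HMAC key. WSO2 IS signs with RS256 and publishes its public keys over JWKS;
# HS256 is used here only to keep the example self-contained.
ISSUER = "https://localhost:9443/oauth2/token"
AUDIENCE = "notes-api"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


class TokenError(Exception):
    """Any reason the API must answer 401/403 instead of serving the request."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """What the IdP does: base64url(header).base64url(claims), signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "at+jwt"}  # RFC 9068 media type for access tokens
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_access_token(token, key, issuer, audience, required_scope, now=None) -> dict:
    """What the API does without calling the IdP: signature, then iss/aud/exp, then scope."""
    try:
        head_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # only trusted after the signature check
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise TokenError("token not intended for this API")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    if required_scope not in claims.get("scope", "").split():  # RFC 9068: space-separated string
        raise TokenError(f"insufficient_scope: {required_scope}")
    return claims


def demo(now: float = 1_700_000_000) -> dict:
    """Issue one token and show the outcomes the API has to distinguish."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "iat": now,
              "exp": now + 3600, "scope": "openid profile notes.read"}
    good = sign_jwt(claims, SHARED_KEY)
    head, _, sig = good.split(".")
    forged_payload = b64url_encode(json.dumps({**claims, "sub": "mallory"}, separators=(",", ":")).encode())
    forged = ".".join([head, forged_payload, sig])  # payload changed, signature not re-computed
    results = {"read": validate_access_token(good, SHARED_KEY, ISSUER, AUDIENCE, "notes.read", now)["sub"]}
    for label, token, scope, at in [("write", good, "notes.write", now),  # Free plan asking for more
                                    ("expired", good, "notes.read", now + 7200),
                                    ("forged", forged, "notes.read", now)]:
        try:
            validate_access_token(token, SHARED_KEY, ISSUER, AUDIENCE, scope, at)
            results[label] = "accepted"
        except TokenError as err:
            results[label] = str(err)
    return results
```

The ordering matters: claims are parsed only after the signature has been verified, the algorithm is pinned by the API rather than read from the token, and the scope check is done per endpoint so a Free-plan token with `notes.read` is refused a `notes.write` operation. A reference token skips all of this on the API side: it carries no claims, so the API has to send it to the IdP's introspection endpoint and act on the `active` flag and claims in the reply.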