WSO2 - IDENTITY SERVER
Integration with .NET Core
ENG. Ahmed Abouelenein
15 Dec-2021
Notes Demo App
• Demo web application for keeping notes
• Plans
• Free: add notes by title and details
• Silver: categorized notes
• Gold: fancy colours
• Users are authenticated by WSO2 Identity Server
• Client: ASP.NET Core MVC web application
• API: ASP.NET Core Web API
• https://github.com/ahmedabouelenein/Notes
OAuth2
• OAuth2 is an open protocol for delegated authorization, in a simple and standard way, from web, mobile and desktop applications
• OAuth2 is about authorization: it defines how access tokens are issued and validated on the internet
• WSO2 Identity Server implements the OAuth2 standard, like other identity providers (IdentityServer, Ping, TrustBuilder, Azure AD …)
OpenID Connect
• OpenID Connect is a simple identity layer on top of the OAuth2 protocol
• OpenID Connect extends OAuth2
• Used to verify the identity of the end user based on the authentication performed by the authorization server
• OpenID Connect fills the gap in OAuth 2.0, which was designed for authorization, not authentication: an access token by itself does not tell the client who the user is, the ID token does
OAuth2 Participants
• Resource Owner
• The entity that owns the data (usually the end user)
• Grants access to protected resources
• Client Application
• App that makes protected resource requests on behalf of the resource owner and with its authorization
• Authorization Server
• Server issuing access tokens to the clients
• Authenticates the resource owner and obtains its authorization
• Resource Server
• Server that hosts the protected resources
• Handles protected resource requests using access tokens
Public and Confidential Clients
• Confidential client:
• Capable of keeping its credentials (the client secret) confidential; the client ID itself is not secret
• Lives on a server
• Server-side web apps (MVC web application)
• Public client:
• Incapable of keeping a client secret confidential, so it must not rely on one
• Lives on the user's device (web browser, mobile device …)
• JavaScript applications and mobile applications
Authorization Code flow
• The flow determines how the code and/or token(s) are returned to the client
• How the IDP and the client communicate
• Depending on the application type (public or confidential) a different flow must be used
• Flow types
• Authorization code flow (the one used in this demo; with PKCE for public clients)
• Implicit flow
• Hybrid flow
• Resource owner password credentials flow
• Client credentials flow
• Caveat: the implicit flow and the resource owner password credentials flow are deprecated by the OAuth 2.0 Security Best Current Practice; the authorization code flow with PKCE is the recommended choice for both public and confidential clients
Authorization endpoint
• Used by the client application to obtain authentication and/or authorization via redirection
• Identity provider level
Redirection endpoint
• Used by the IDP to return the code and/or token(s) to the client application
• Client level (registered at the IDP, which must match it exactly before redirecting)
Token endpoint
• Used by the client application to request tokens (without redirection) from the IDP
• IDP level
• Communication types:
• Front channel communication: browser URL or form POST (authorization and redirection endpoints); visible to the user agent and anything that sees its traffic
• Back channel communication: server-to-server (token endpoint); where the client secret is sent
Authorization Code Flow
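The flow above on the client side, as an added example written for this section and not taken from the slides or from the Notes repository: the Program.cs of an ASP.NET Core 6 MVC app (implicit usings enabled, package Microsoft.AspNetCore.Authentication.OpenIdConnect) acting as a confidential client of WSO2 Identity Server. The Identity Server address (its default https://localhost:9443 with issuer path /oauth2/token), the configuration keys Wso2:ClientId and Wso2:ClientSecret, the scope notes.write and the API address https://localhost:7001 are assumptions; the client ID, secret and redirect URI (the app's /signin-oidc) have to be registered as a service provider in the Identity Server console. PKCE is switched on here; the next slides explain why.

```csharp
// Added example: ASP.NET Core 6 MVC client (confidential client) using the
// authorization code flow with PKCE against WSO2 Identity Server.
// Not the deck's or the Notes repo's code; URLs, config keys and scope are assumptions.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddHttpClient();

builder.Services.AddAuthentication(options =>
{
    // The browser session is a cookie; OpenID Connect is only used to establish it.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // Assumed issuer of a default WSO2 IS install. The handler appends
    // /.well-known/openid-configuration and learns the authorization, token,
    // userinfo and JWKS endpoints from discovery, so none are hard-coded here.
    options.Authority = "https://localhost:9443/oauth2/token";
    options.ClientId = builder.Configuration["Wso2:ClientId"];
    // Confidential client: the secret stays on the server and is sent only over
    // the back channel (token endpoint), never to the browser.
    options.ClientSecret = builder.Configuration["Wso2:ClientSecret"];

    // Authorization code flow: the front channel (redirection endpoint,
    // /signin-oidc by default) receives only a short-lived code ...
    options.ResponseType = OpenIdConnectResponseType.Code;
    // ... and the handler redeems it server to server, with PKCE on top.
    options.UsePkce = true;

    // openid and profile are requested by default; ask for the API scope and a refresh token.
    options.Scope.Add("notes.write");      // assumed scope understood by the Notes API
    options.Scope.Add("offline_access");   // refresh token for offline access

    // Keep access/refresh tokens in the auth cookie so controllers can call the API,
    // and fetch extra claims from the userinfo endpoint rather than bloating the id_token.
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;

    // The id_token is validated by the handler: signature against the JWKS from
    // discovery, iss against the discovery issuer, aud == ClientId, exp, and the nonce
    // it generated. Keep the raw claim names (sub) and tighten the 5-minute skew default.
    options.MapInboundClaims = false;
    options.TokenValidationParameters.NameClaimType = "sub";
    options.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();

// A protected page: an unauthenticated request triggers the redirect to the
// authorization endpoint; after the callback the access token is used on the API.
[Authorize]
public class NotesController : Controller
{
    private readonly IHttpClientFactory _http;
    public NotesController(IHttpClientFactory http) => _http = http;

    public async Task<IActionResult> Index()
    {
        var accessToken = await HttpContext.GetTokenAsync("access_token");
        var client = _http.CreateClient();
        client.DefaultRequestHeaders.Authorization =
            new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
        // Assumed API address; the API validates the token itself (see Token Validation).
        var notes = await client.GetStringAsync("https://localhost:7001/api/notes");
        return View(model: notes);
    }
}
```

Nothing in this file talks to the authorization, token or userinfo endpoints directly: the handler reads them from the discovery document, which is also why changing the Identity Server's keys does not require a client redeploy. The only thing that must be typed in twice, here and in the Identity Server console, is the redirect URI, and it has to match character for character.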
Authorization Code flow With PKCE
• The plain authorization code flow is vulnerable to code interception and code injection attacks
• An attacker who captures the code can exchange it for tokens and gains all the privileges of the victim (a public client has no secret that would stop this)
• PKCE (Proof Key for Code Exchange, RFC 7636) binds the code to the client instance that requested it: a hash (code_challenge) goes with the authorization request, the original secret (code_verifier) goes with the token request
Authorization Code flow With PKCE
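What PKCE actually computes, shown from both sides as an added example (not from the slides or the Notes repository; the ASP.NET Core handler does the client half for you when UsePkce is set, and WSO2 Identity Server does the server half). The S256 method from RFC 7636 is used; the endpoint path in the printed line is illustrative. Runs as a .NET 6 console program.

```csharp
// Added example, not from the slides or the Notes repo: the PKCE (RFC 7636, S256)
// computation done by the client, and the check the authorization server's token
// endpoint performs. Endpoint paths in the comments are illustrative.
using System;
using System.Security.Cryptography;
using System.Text;

// --- one authorization round trip, both sides ---
var verifier = Pkce.NewCodeVerifier();          // client keeps this in the session, never sends it on the front channel
var challenge = Pkce.CodeChallenge(verifier);   // client sends this with the authorization request
Console.WriteLine($"GET /oauth2/authorize?response_type=code&code_challenge={challenge}&code_challenge_method=S256&...");

// The authorization server stores `challenge` alongside the code it issues.
// Later, at the token endpoint, the client sends code + code_verifier:
Console.WriteLine(Pkce.VerifierMatches(challenge, verifier));               // True: the client that started the flow

// An attacker who captured the code (from a log, a Referer header, a malicious app
// registered for the same redirect URI) never saw the verifier, so the exchange fails:
Console.WriteLine(Pkce.VerifierMatches(challenge, Pkce.NewCodeVerifier())); // False
// A code injected into a victim's session fails too: the victim's verifier does not
// hash to the challenge that was stored with the attacker's code.

static class Pkce
{
    // base64url per RFC 7636 Appendix A: standard Base64, no padding, '+'->'-', '/'->'_'
    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Client, step 1: a fresh high-entropy verifier per authorization request.
    // 32 random bytes encode to 43 characters, the minimum length the RFC allows (max 128).
    public static string NewCodeVerifier() => Base64Url(RandomNumberGenerator.GetBytes(32));

    // Client, step 2: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    // Only this hash leaves the client on the front channel.
    public static string CodeChallenge(string verifier) =>
        Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

    // Authorization server, at the token endpoint: recompute the challenge from the
    // presented verifier and compare it with the one stored with the code. A server that
    // skips this check, or accepts a missing verifier when a challenge was registered,
    // gets no protection from PKCE.
    public static bool VerifierMatches(string storedChallenge, string presentedVerifier)
    {
        if (presentedVerifier.Length < 43 || presentedVerifier.Length > 128) return false;
        var expected = Encoding.ASCII.GetBytes(storedChallenge);
        var actual = Encoding.ASCII.GetBytes(CodeChallenge(presentedVerifier));
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }
}
```

The point to take away is that the verifier is never on the front channel and the challenge is useless without it, so a stolen code is worthless to anyone but the session that generated the pair. The "plain" method (challenge equals verifier) exists in the RFC but gives up exactly that property and should not be enabled on the server.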
Tokens
• Types
• Identity token (proves that the user has been authenticated; consumed by the client)
• Access token (allows the client application to access the user's resources; consumed by the API)
• Refresh token (offline access; lets the client obtain new access tokens without the user present)
• Format
• JWT token (self-contained; the API validates it locally with the issuer's public key)
• Reference token (opaque; the API has to ask the issuer, e.g. through introspection)
Claims and Scopes
• A claim is a name/value pair that states something about the subject
• Scopes are used to request specific sets of claims (and permissions)
• The openid scope is mandatory; it tells the authorization server that OpenID Connect should be used
Inspecting Tokens
Other endpoints
• UserInfo endpoint (returns claims about the user; called with the access token)
• Introspection endpoint (lets a resource server ask the IDP whether a token is active and what it carries; the only option for reference tokens)
Token Validation
• Check that the JWT is well formed
• Check the signature against the issuer's published keys, and accept only the expected algorithm (never "none")
• Check the standard claims (iss, exp, nbf, iat)
• Verify the audience claim (aud) names this API; a token issued for another client or API must be rejected even if its signature is valid
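The four checks above, plus the scope check from the Claims and Scopes slide, as an added example for the API side (written for this section, not taken from the slides or the Notes repository): the Program.cs of the ASP.NET Core 6 Web API (implicit usings enabled, package Microsoft.AspNetCore.Authentication.JwtBearer) validating JWT access tokens from WSO2 Identity Server. The issuer URL, the audience value "notes-api" (configured on the service provider in the Identity Server) and the scope name "notes.write" are assumptions, as is the "scope" claim name for the granted scopes.

```csharp
// Added example, not from the slides or the Notes repo: ASP.NET Core 6 Web API
// validating WSO2 Identity Server JWT access tokens. Issuer, audience, scope name
// and the "scope" claim name are assumptions.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

const string Issuer = "https://localhost:9443/oauth2/token"; // assumed default IS issuer
const string Audience = "notes-api";                          // assumed audience registered in IS

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Discovery at Authority + /.well-known/openid-configuration supplies the JWKS,
        // so signatures are checked against the IS's current public keys and key
        // rotation is handled; no key material is copied into the API.
        options.Authority = Issuer;
        options.MapInboundClaims = false; // keep raw claim names: sub, scope, ...
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // 1. well-formed JWT: done by the handler before anything below runs
            // 2. signature: must verify with a key from the JWKS, and only with RS256,
            //    so "alg": "none" or an HMAC token forged with the public key is rejected
            ValidateIssuerSigningKey = true,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            // 3. standard claims: iss must be this IS, exp/nbf inside a tight skew window
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateLifetime = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
            // 4. audience: a token minted for another client or API is not good here
            ValidateAudience = true,
            ValidAudience = Audience,
            NameClaimType = "sub",
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Scope check. Granted scopes arrive as a space-separated "scope" claim (assumed name);
    // some issuers emit one claim per scope instead, so both shapes are accepted.
    options.AddPolicy("notes.write", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => ScopeCheck.HasScope(ctx.User, "notes.write")));
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public static class ScopeCheck
{
    public static bool HasScope(System.Security.Claims.ClaimsPrincipal user, string scope) =>
        user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(scope);
}

[ApiController, Route("api/notes")]
public class NotesController : ControllerBase
{
    // Any token that passed the validation above (right issuer, audience, lifetime, signature).
    [HttpGet, Authorize]
    public IActionResult List() =>
        Ok(new[] { new { id = 1, title = "first note", owner = User.Identity!.Name } });

    // Additionally requires the notes.write scope to have been granted to the client.
    [HttpPost, Authorize(Policy = "notes.write")]
    public IActionResult Create([FromBody] NoteDto note) => Created($"api/notes/{note.Title}", note);
}

public record NoteDto(string Title, string Details);
```

Leaving ValidateAudience off is the classic mistake here: every client registered in the same Identity Server could then use its own access tokens against this API. If the Identity Server is configured to issue reference (opaque) tokens instead of JWTs, none of the local checks apply and the API has to call the introspection endpoint with its own client credentials for each request instead.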
Q & A
