https://rocksolidknowledge.com
© 2017 Rock Solid Knowledge
Scott Brady - @scottbrady91
Identity & Access Control Lead @ Rock Solid Knowledge
Modern Authentication for ASP.NET Core with IdentityServer 4
Scott Brady & Rock Solid Knowledge
● Identity & Access Control Lead @ Rock Solid Knowledge
○ scottbrady91.com
○ @scottbrady91
● European Commercial Partners for the IdentityServer OSS Project
○ AdminUI
○ SAML2P
○ IdentityExpress
● Umbraco Gold Partner
● Xamarin Authorized Consulting Partner
Agenda
● OAuth 2.0 Recap
● OpenID Connect 1.0
● IdentityServer 4
No GIFs...
.NET Core 1.1 SDK
Why?
● Things change…
● Modern Devices
○ Mobile
○ Client-side SPA
○ Microservices
Layers
● User Store
● Authentication
● Authorization
OAuth 2.0
● Authorization Protocol
○ Delegation Protocol
● Designed for HTTP APIs
● Scoped Access
● User Authentication & Client Authentication
scottbrady91.com/OAuth/The-Wrong-Ways-to-Protect-an-API
OAuth 2.0 Abstract Flow
Roles: Resource Owner (User), Client Application, Authorization Server, Protected Resource (HTTP API)
1. Client Application → Resource Owner: Authorization Request
2. Resource Owner → Client Application: Authorization Grant
3. Client Application → Authorization Server: Authorization Grant
4. Authorization Server → Client Application: Access Token
5. Client Application → Protected Resource: Request + Access Token
6. Protected Resource → Client Application: Response
The Problems with OAuth
● Specification Issues
● Token Type
● OAuth != Authentication
OpenID Connect
● OAuth 2.0 + Authentication
● Formalises OAuth
○ Standard Token Type
○ Standard Cryptography
○ Standard Validation
● Authorization Server becomes an Identity provider
○ Identity Resource
○ Identity Tokens
● Designed to be simple for the client
OpenID Connect
OpenID Connect Core Endpoints
● Authorization
● Token
● User Info
OpenID Connect - Implicit Flow
Request:
/authorize?client_id=oauth_client
&response_type=id_token
&scope=openid profile email
&redirect_uri=https://localhost:5000/callback
&state=123abc
&nonce=789xyz
Response (returned to the redirect_uri in the URL fragment):
https://localhost:5000/callback
#id_token=2YotnFZFEjr1zCsicMWpAA
&state=123abc
Demo!
Identity Tokens
● JSON Web Tokens (JWT)
○ Structured Data
○ Verifiable Digital Signature
● Represents the authentication event
Identity Token
● Used to represent an authenticated user
● Meant for the client application
● Short lived
Example token (header.payload.signature, shown split at the dots):
eyJhbGciOiJSUzI1NiIsImtpZCI6IjJhYTE3OWNhZGI2NmYwOThhNDQ5MDk1MzU0NWY3MDE2IiwidHlwIjoiSldUIn0
.eyJuYmYiOjE1MDUzMjg1NDMsImV4cCI6MTUwNTMyODg0MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoicHJvZ19uZXQiLCJub25jZSI6IjYzNjQwOTI1MzM5ODcyOTgwOC5aVFEwTkRoa01qa3RPV1ZpWlMwME1EaG1MV0ZpTXpRdFptUmtaRFF6TkRVME0yTTNPRFU0TW1Zd1lURXRORFl3T0MwME1EQTVMV0V6TlRFdE9UWmlNekU1Wmpjd05EaGkiLCJpYXQiOjE1MDUzMjg1NDMsInNpZCI6IjM5NjRkZDg0MjZmMjE4MGY5MzkzOTEzNDg4NTllMGQ0Iiwic3ViIjoiODg0MjExMTMiLCJhdXRoX3RpbWUiOjE1MDUzMjg1NDMsImlkcCI6ImxvY2FsIiwibmFtZSI6IkJvYiBTbWl0aCIsImdpdmVuX25hbWUiOiJCb2IiLCJmYW1pbHlfbmFtZSI6IlNtaXRoIiwid2Vic2l0ZSI6Imh0dHA6Ly9ib2IuY29tIiwiYW1yIjpbInB3ZCJdfQ
.BP4-TV9zlTNPlM24QyILjnJxY0SJVPuBVdt12urGaezX8LiRZ8JQO1NxqiWVeEcZ8y5Vo1NVzZy2U8SrYRlHjG11Cg2UMmqqFxNFXTpurevNn-2QnD9QWRS00inuRZc-TmI2HeAvaVF-EerpEQY6Dnxw7Q4l0sI-veIxwKXKr2905UVOvj7D4wwGUF-lFMqaMI0wRPPyd5R18w38SHkzvbqO9LEO0gqTIneJPnRIhSRpiHweJW85g1WBnrMsikxVdCzEIGPbmJR-Khe8e2YUupB5vUAQzwHJmaieM89ikJde9G5T-nzzDSU4AzMdLDjlBkZyn1wPMq63bM9GFsa5RA
Identity Token (decoded)
Header:
{
"alg": "RS256",
"kid": "2aa179cadb66f098a4490953545f7016",
"typ": "JWT"
}
Payload (claims):
{
"nbf": 1505328543,
"exp": 1505328843,
"iss": "http://localhost:5000",
"aud": "prog_net",
"nonce": "636409253398729808.ZTQ0NDhkMjktOWViZS00Msdfji",
"iat": 1505328543,
"sid": "3964dd8426f2180f939391348859e0d4",
"sub": "88421113",
"auth_time": 1505328543,
"idp": "local",
"name": "Bob Smith",
"given_name": "Bob",
"family_name": "Smith",
"website": "http://bob.com",
"amr": [
"pwd"
]
}
Identity != Permissions
Identity
OpenID Connect Identity Scopes (scope → claims)
● openid: sub
● profile: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
● email: email, email_verified
● address: address
● phone: phone_number, phone_number_verified
OpenID Connect - Authorization Code Flow
Request:
/authorize?client_id=oauth_client
&response_type=code
&scope=openid profile api1
&redirect_uri=https://localhost:5000/callback
&state=123abc
&nonce=789xyz
Response (code and state returned to the redirect_uri):
{
"code": "asdhjbpeivdafgj",
"state": "123abc"
}
OpenID Connect - Authorization Code Flow (token request, back channel)
POST /token {
grant_type=authorization_code
&client_id=oauth_client
&client_secret=supersecret
&code=asdhjbpeivdafgj
&redirect_uri=https://localhost:5000/callback
}
Response:
{
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOW..."
}
OpenID Connect - Implicit Flow (id_token token)
Request:
/authorize?client_id=oauth_client
&response_type=id_token token
&scope=openid profile email api1
&redirect_uri=https://localhost:5000/callback
&state=123abc
&nonce=789xyz
Response (returned to the redirect_uri in the URL fragment):
https://localhost:5000/callback
#id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOW...
&access_token=2YotnFZFEjr1zCsicMWpAA
&token_type=Bearer
&expires_in=3600
&state=123abc
OpenID Connect - Hybrid Flow
Request:
/authorize?client_id=oauth_client
&response_type=code id_token
&scope=openid profile api1
&redirect_uri=https://localhost:5000/callback
&state=123abc
&nonce=789xyz
Response (code and id_token returned together to the redirect_uri):
{
"code": "asdhjbpeivdafgj",
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjdlOW...",
"state": "123abc"
}
Response Types
● Authorization Code: code
● Implicit: id_token
● Implicit: id_token token
● Hybrid: code id_token
● Hybrid: code token
● Hybrid: code id_token token
OAuth Grant Types - Client Credentials
POST /token {
grant_type=client_credentials
&client_id=oauth_client
&client_secret=supersecret
}
{
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "Bearer",
"expires_in": 3600
}
OAuth Grant Types - Resource Owner Password Credentials
POST /token {
grant_type=password
&client_id=oauth_client
&client_secret=supersecret
&username=scott
&password=Password123!
}
{
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "Bearer",
"expires_in": 3600
}
DO NOT USE THIS
Refresh Tokens
● Request the offline_access scope
● Can swap refresh tokens for new access tokens
● Does not require user interaction
POST /token {
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2Tl
&client_id=oauth_client
&client_secret=supersecret
}
{
"access_token": "2YotnFZFEjsWpAA",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "cHafsg2OkgoBtgh"
}
IdentityServer 4
● Implements OAuth 2.0 & OpenID Connect 1.0
○ An “OpenID Provider”
● Open Source & Part of the .NET Foundation
● Framework
IdentityServer 4
Next Steps
● ASP.NET Core Identity
● User Management Functionality
● identityserver.com
● scottbrady91.com

Editor's notes
  1. Identity token: sent alongside the access token. Its intended audience is the client application; it is never sent to the resource. Signed within the authorization server (always a JWT), typically using RS256 (public key crypto, asymmetric): only the private key can generate tokens and signatures, the public key can verify them. Three parts: header (about the token and how it is signed), body (claims) and signature. kid: key identifier (which key to use to verify the signature). sub: the user's identifier, unique to that user within that client and always the same in that client. amr: authentication method reference. at_hash: access token hash. c_hash: authorization code hash.