ASP.NET Core and Enterprise Security
Admir Tuzović (@woisttuza)
Slides: 37

/graph.microsoft.com/v1.0/me: Chief Technology Officer, Author, Former Tech Evangelist, The Art of Speaking
Reach us with #ntk17

Agenda

Major changes

What are claims?

ASP.NET Core Request Pipeline
Host (Console App, IIS, ...) -> .NET Core -> ASP.NET Core
REQUEST -> Middleware (static files) -> Middleware (session) -> Middleware (auth) -> MVC -> RESPONSE

ASP.NET Core Authentication Middleware
- Microsoft.AspNetCore.Authentication.JwtBearer
- Microsoft.AspNetCore.Authentication.Cookies
- Microsoft.AspNetCore.Authentication.Twitter
- Microsoft.AspNetCore.Authentication.OpenIdConnect
- Microsoft.AspNetCore.Authentication.OAuth
- Microsoft.AspNetCore.Authentication.MicrosoftAccount
- Microsoft.AspNetCore.Authentication.Facebook
- Microsoft.AspNetCore.Authentication.Google

OAuth 2 vs OpenID Connect
- OAuth 2 (authorization to resources): scope=contacts timeline images
- OpenID Connect (authentication on top of OAuth 2; the openid scope requests an identity token): scope=openid profile, scope=openid email

Json Web Token (JWT)
Anatomy of a token: header.body.signature

Header: JSON object, base64 encoded; defines the token type and the algorithm used for the signature.
{ "typ": "JWT", "alg": "HS256" }

Body: JSON object, base64 encoded; contains the collection of claims representing a subject.
{ "iss": "http://myidsr.com", "exp": 1300889380, "sub": "darthvader", "scope": "profile" }

Signature: h29324jkasjv8asdf234klkl234
The signature protects the JWT contents from tampering and is validated on the server.
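The three-segment layout above, worked through as an added example (not code from the talk): the token is built and then verified with the HS256 signature the header names. The shared key and the claims are constructed demo values mirroring the slide; the verifier pins the expected algorithm, issuer and expiry rather than trusting the token's own header.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; the claims mirror the body shown on the slide.
DEMO_KEY = b"constructed-demo-secret-not-a-real-key"
DEMO_CLAIMS = {"iss": "http://myidsr.com", "exp": 1300889380,
               "sub": "darthvader", "scope": "profile"}

def b64url_encode(raw: bytes) -> str:
    # JWT segments use base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def create_jwt(claims: dict, key: bytes) -> str:
    """Build header.body.signature; HS256 is computed over the first two segments."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Return the claims only if signature, issuer and expiry hold; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the server expects; the token's own header must not choose it
    if header.get("typ") != "JWT" or header.get("alg") != "HS256":
        raise ValueError("unexpected header")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: body altered or signed with another key")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp claim")
    return claims
```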

OpenID Connect Flows (flow properties as in OpenID Connect Core 1.0, section 3)
Property | Authorization Code | Implicit | Hybrid
All tokens returned from Authorization Endpoint | no | yes | no
All tokens returned from Token Endpoint | yes | no | no
Tokens not revealed to User Agent | yes | no | no
Client can be authenticated | yes | no | yes
Refresh Token possible | yes | no | yes
Communication in one round trip | no | yes | no
Most communication server-to-server | yes | no | varies

Cloud Based Identity Services

What is the Azure AD v2 Endpoint?

When to Use v1 Versus v2 (currently)

What is Coming Next in v2
Feature | v1 Endpoint (Azure AD only) | v2 Endpoint (Azure AD + MSA)
OpenID Connect 1.0 | GA | GA
OAuth 2.0: authorization code grant – used by native and web apps | GA | GA
OAuth 2.0: client credentials grant (secret or certificate) – used by daemon apps | GA | GA
OAuth 2.0: implicit grant – used by single page apps | GA | GA
OAuth 2.0: On Behalf Of exchange – used by web APIs calling other web APIs | GA | GA
Admin consent and admin-only scopes | GA | GA
Conditional Access including device health rules | GA | GA
Register scopes for your own web API | GA | Soon
Get access tokens to Azure AD-only scopes, e.g. Azure ARM | GA | Soon
Group claims, role claims, email claim | GA | Later
Sovereign cloud endpoints | GA | Later
OAuth 2.0: device profile – used with limited UI devices | GA | Later
Preserve user session state from ADAL to MSAL | N/A | Later
Update Azure AD-only app registration to Azure AD+MSA | N/A | Later

State of the world before Microsoft Graph: Work and school / Personal

Diverse API styles and endpoints
- https://graph.windows.net/contoso.com/users
- https://graph.windows.net/contoso.com/groups
- https://apis.live.net/v5.0/me
- https://contoso.sharepoint.com/_api/SP.UserProfiles.PeopleManager/GetMyProperties
- https://graph.microsoft.com/v1.0/me/photo
- https://outlook.office.com/api/v2.0/me/Messages
- https://outlook.office.com/api/v2.0/me/Events
- https://contoso.sharepoint.com/_api/search/query?Querytext='*'&Properties='GraphQuery:actor(ME,action:1020,or(action:1020,action:1003,action:1001,action:1024,action:1005,action:1037,action:1039,action:1036)'&SelectProperties='Docid,Title
- https://contoso-my.sharepoint.com/personal/yina_contoso_com/_api/v2.0/drive
- https://contoso.sharepoint.com/sites/designCouncil/_api/v2.0/drive
- https://api.onedrive.com/v1.0/drive

Today's world with Microsoft Graph: https://graph.microsoft.com for Work and school, Personal, …

Microsoft Graph: ACTIVITY, CONVERSATIONS, INSIGHTS, CONTENT, ME, TRENDING, ORGANIZATION, GROUPS, CHATS, DOCUMENTS, REPORTS, EVENTS, DEVICES, SHARED, EMAIL, COLLABORATION, PEOPLE, CONTACTS, TASKS

Data - User, group and organizational
One endpoint, one token: Your app -> All users -> https://graph.microsoft.com -> Users, Groups, Excel, Outlook, Calendar, OneNote, Teams, Planner, Intune, Azure AD, SharePoint

With Microsoft Graph: profile
GET /users/yina
{ "displayName": "Yina", "jobTitle": "PRINCIPAL PM MANAGER", … }
GET /users/yina/photo/…
{}
GET /users/yina/manager
{ "displayName": "Tristan", … }
GET /users/yina/directReports
"value": [ { "displayName": "Matt", … }, { "displayName": "Dmitry", … } ]
GET /me/memberOf/…
"value": [ { "displayName": "Office engineering", … }, { "displayName": "Women in tech", … } ]

With Microsoft Graph: content
GET /me/drive/root/…
"value": [ { "name": "proposal.pptx", … }, { "name": "forecast.xlsx", … } ]
GET /drives/items/{id}/workbook
GET /me/messages
GET /me/events
GET /me/contacts
GET /me/onenote/notebooks
GET /me/planner/tasks
GET /me/devices
GET /sites:/teams/opg:/
GET /sites:/teams/opg:/lists
GET /groups/{id}/conversations
(Documents, Calendar, Sites, Email, Tasks, Contacts, Meetings)

With Microsoft Graph: insights
Trending documents: GET /me/insights/trending
"value": [ { "name": "presentation.pptx", … }, { "name": "forecast.xlsx", … } ]
Recent documents: GET /me/drive/recent
"value": [ { "name": "guidelines.pptx", … }, { "name": "budget.xlsx", … } ]
Search people based on topics (people I'm working with): GET /people/?$search="topic:planning"
"value": [ { "displayName": "Dan", … }, { "displayName": "Sean", … } ]
Find me the best time to meet Ana: POST /me/findMeetingTimes
{ "attendees": [ { "type": "required", "emailAddress": { "address": "ana@contoso.com" } } ], "meetingDuration": "2h" }
(Out of office)

Calling the API
/{version}/{resource}/{id}/{property}?{query-parameters}
- version: /v1.0, /beta
- resource: /users, /groups, /sites, /drives, /devices, more…
- examples: /users/AAA/department, /users/AAA/events?$top=5
- query parameters: $select, $orderby, $top, $filter, $expand, $skiptoken

Common queries
Scenario | API - https://graph.microsoft.com/
GET my profile | /v1.0/me
GET my files | /v1.0/me/drive/root/children
GET my photo | /v1.0/me/photo/$value
GET my high importance email | /v1.0/me/messages?$filter=importance eq 'high'
GET my calendar | /v1.0/me/calendar
GET my manager | /v1.0/me/manager
GET last user to modify foo.txt | /v1.0/me/drive/root/children/foo.txt/lastModifiedByUser
GET my recent files | /v1.0/me/drive/recent
GET Office 365 groups I'm member of | /v1.0/me/memberOf/$/?$filter=groupTypes/any(a:a eq 'unified')
GET users in my organization | /v1.0/users
GET group conversations | /v1.0/groups/<id>/conversations
GET people relevant to me | /beta/me/people
GET files trending around me | /beta/me/insights/trending
GET the root SharePoint site | /beta/sharepoint/sites/root
GET my Planner tasks | /beta/me/planner/tasks
GET my notes | /beta/me/onenote/notebooks
Try them at https://developer.microsoft.com/en-us/graph-explorer

Auth
YOUR APP -> MSAL -> Microsoft Identity (returns id_token, access_token, refresh_token) -> access_token -> Microsoft Graph
Register your app at https://apps.dev.microsoft.com

Microsoft Authentication Library (MSAL): https://www.nuget.org/packages/Microsoft.Identity.Client

Dependency hell
Your Data Access Layer project: AppDbContext : IdentityDbContext<AppUser>
-> Microsoft.AspNetCore.Identity.EntityFrameworkCore
-> Microsoft.AspNetCore.Identity
-> Microsoft.AspNetCore.Authentication.Cookies
What are cookie-related assemblies and other HTTP-related stuff doing in your data access layer?

Leaky abstraction
Million dollar question: Which table should I use to store roles?

When to use it?