ASP.NET Core and Enterprise Security - Admir Tuzović
- Slides: 37
ASP.NET Core and Enterprise Security, Admir Tuzović (@woisttuza)
/graph.microsoft.com/v1.0/me: Chief Technology Officer, Author, Former Tech Evangelist, The Art of Speaking. Reach us with #ntk17
Agenda
Major changes
What are claims?
ASP.NET Core Request Pipeline: Host (Console App, IIS, ...) hosts .NET Core, which hosts ASP.NET Core. A REQUEST flows through Middleware (static files) → Middleware (session) → Middleware (auth) → MVC, and the RESPONSE flows back the same way.
ASP.NET Core Authentication Middleware packages:
- Microsoft.AspNetCore.Authentication.JwtBearer
- Microsoft.AspNetCore.Authentication.Cookies
- Microsoft.AspNetCore.Authentication.Twitter
- Microsoft.AspNetCore.Authentication.OpenIdConnect
- Microsoft.AspNetCore.Authentication.OAuth
- Microsoft.AspNetCore.Authentication.MicrosoftAccount
- Microsoft.AspNetCore.Authentication.Facebook
- Microsoft.AspNetCore.Authentication.Google
OAuth 2 vs OpenID Connect: OAuth 2 scopes name resources (scope=contacts timeline images); OpenID Connect scopes start with openid and name identity data (scope=openid profile, scope=openid email).
JSON Web Token (JWT). Anatomy of a token: header.body.signature
- Header is a JSON object, base64 encoded, and defines the token type and the algorithm used for the signature: { "typ": "JWT", "alg": "HS256" }
- Body is a JSON object, base64 encoded, and contains the collection of claims representing a subject: { "iss": "http://myidsr.com", "exp": 1300889380, "sub": "darthvader", "scope": "profile" }
- Signature (e.g. h29324jkasjv8asdf234klkl234) protects the JWT contents from tampering and is validated on the server.
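The three-part structure above, worked through as an added example (not code from the talk): the slide's header and claims are encoded, signed with HS256 and then validated the way a server must, with the algorithm pinned, a constant-time signature comparison and an expiry check. The key, and the `now` clock value, are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: the slide's header/claims, signed with a made-up key.
DEMO_KEY = b"demo-secret-not-for-production"
SAMPLE_HEADER = {"typ": "JWT", "alg": "HS256"}
SAMPLE_BODY = {"iss": "http://myidsr.com", "exp": 1300889380,
               "sub": "darthvader", "scope": "profile"}


def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(header: dict, body: dict, key: bytes) -> str:
    # header.body are base64url(JSON); the signature is HMAC-SHA256 over that string.
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(body)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes, now: int) -> dict:
    """Return the claims only if the token is well-formed, HS256-signed with key and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own "alg" choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = make_hs256_jwt(SAMPLE_HEADER, SAMPLE_BODY, DEMO_KEY)
    print(token)
    print(verify_hs256_jwt(token, DEMO_KEY, now=1300000000))
```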
OpenID Connect Flows: Authorization Code, Implicit, Hybrid. Criteria compared across the three flows:
- All tokens returned from Authorization Endpoint
- All tokens returned from Token Endpoint
- Tokens not revealed to User Agent
- Client can be authenticated
- Refresh Token possible
- Communication in one round trip
- Most communication server-to-server
Cloud Based Identity Services
What is the Azure AD v2 Endpoint?
When to Use v1 Versus v2 (currently)
What is Coming Next in v2. Feature availability, v1 Endpoint (Azure AD only) vs v2 Endpoint (Azure AD + MSA):
- OpenID Connect 1.0: v1 GA, v2 GA
- OAuth 2.0: authorization code grant (used by native and web apps): v1 GA, v2 GA
- OAuth 2.0: client credentials grant (secret or certificate, used by daemon apps): v1 GA, v2 GA
- OAuth 2.0: implicit grant (used by single page apps): v1 GA, v2 GA
- OAuth 2.0: On Behalf Of exchange (used by web APIs calling other web APIs): v1 GA, v2 GA
- Admin consent and admin-only scopes: v1 GA, v2 GA
- Conditional Access including device health rules: v1 GA, v2 GA
- Register scopes for your own web API: v1 GA, v2 Soon
- Get access tokens to Azure AD-only scopes, e.g. Azure ARM: v1 GA, v2 Soon
- Group claims, role claims, email claim: v1 GA, v2 Later
- Sovereign cloud endpoints: v1 GA, v2 Later
- OAuth 2.0: device profile (used with limited UI devices): v1 GA, v2 Later
- Preserve user session state from ADAL to MSAL: v1 N/A, v2 Later
- Update Azure AD-only app registration to Azure AD+MSA: v1 N/A, v2 Later
State of the world before Microsoft Graph: separate Work and school vs Personal identities and APIs.
Diverse API styles and endpoints:
- https://graph.windows.net/contoso.com/users
- https://graph.windows.net/contoso.com/groups
- https://apis.live.net/v5.0/me
- https://contoso.sharepoint.com/_api/SP.UserProfiles.PeopleManager/GetMyProperties
- https://graph.microsoft.com/v1.0/me/photo
- https://outlook.office.com/api/v2.0/me/Messages
- https://outlook.office.com/api/v2.0/me/Events
- https://contoso.sharepoint.com/_api/search/query?Querytext='*'&Properties='GraphQuery:actor(ME,action:1020,or(action:1020,action:1003,action:1001,action:1024,action:1005,action:1037,action:1039,action:1036)'&SelectProperties='Docid,Title
- https://contoso-my.sharepoint.com/personal/yina_contoso_com/_api/v2.0/drive
- https://contoso.sharepoint.com/sites/designCouncil/_api/v2./drive
- https://api.onedrive.com/v1.0/drive
Today's world with Microsoft Graph: one endpoint, https://graph.microsoft.com, for Work and school, Personal, …
Microsoft Graph covers: activity, conversations, insights, content, me, trending, organization, groups, chats, documents, reports, events, devices, shared, email, collaboration, people, contacts, tasks.
Data: user, group and organizational. One endpoint, one token: your app reaches all users through https://graph.microsoft.com across Users, Groups, Excel, Outlook, Calendar, OneNote, Teams, Planner, Intune, Azure AD and SharePoint (workloads marked preview or GA).
With Microsoft Graph: profile
- GET /users/yina → { "displayName": "Yina", "jobTitle": "PRINCIPAL PM MANAGER", … }
- GET /users/yina/photo/…
- GET /users/yina/manager → { "displayName": "Tristan", … }
- GET /users/yina/directReports → "value": [ { "displayName": "Matt", … }, { "displayName": "Dmitry", … } ]
- GET /me/memberOf/… → "value": [ { "displayName": "Office engineering", … }, { "displayName": "Women in tech", … } ]
With Microsoft Graph: content
- Documents: GET /me/drive/root/… → "value": [ { "name": "proposal.pptx", … }, { "name": "forecast.xlsx", … } ]; GET /drives/items/{id}/workbook
- Email: GET /me/messages
- Calendar and meetings: GET /me/events
- Contacts: GET /me/contacts
- Notes: GET /me/onenote/notebooks
- Tasks: GET /me/planner/tasks
- Devices: GET /me/devices
- Sites: GET /sites:/teams/opg:/ and GET /sites:/teams/opg:/lists
- Group conversations: GET /groups/{id}/conversations
With Microsoft Graph: insights
- Trending documents: GET /me/insights/trending → "value": [ { "name": "presentation.pptx", … }, { "name": "forecast.xlsx", … } ]
- Recent documents: GET /me/drive/recent → "value": [ { "name": "guidelines.pptx", … }, { "name": "budget.xlsx", … } ]
- People I'm working with, searched by topic: GET people/?$search="topic:planning" → "value": [ { "displayName": "Dan", … }, { "displayName": "Sean", … } ]
- Find me the best time to meet Ana: POST /me/findMeetingTimes with body { "attendees": [ { "type": "required", "emailAddress": { "address": "ana@contoso.com" } } ], "meetingDuration": "2h" }
Calling the API: /{version}/{resource}/{id}/{property}?{query-parameters}
- Versions: /v1.0, /beta
- Resources: /users, /groups, /sites, /drives, /devices, more…
- Examples: /users/AAA/department, /users/AAA/events?$top=5
- Query parameters: $select, $orderby, $top, $filter, $expand, $skiptoken
Common queries (scenario → API, relative to https://graph.microsoft.com/):
- GET my profile → /v1.0/me
- GET my files → /v1.0/me/drive/root/children
- GET my photo → /v1.0/me/photo/$value
- GET my high importance email → /v1.0/me/messages?$filter=importance eq 'high'
- GET my calendar → /v1.0/me/calendar
- GET my manager → /v1.0/me/manager
- GET last user to modify foo.txt → /v1.0/me/drive/root/children/foo.txt/lastModifiedByUser
- GET my recent files → /v1.0/me/drive/recent
- GET Office 365 groups I'm member of → /v1.0/me/memberOf/$/?$filter=groupTypes/any(a:a eq 'unified')
- GET users in my organization → /v1.0/users
- GET group conversations → /v1.0/groups/<id>/conversations
- GET people relevant to me → /beta/me/people
- GET files trending around me → /beta/me/insights/trending
- GET the root SharePoint site → /beta/sharepoint/sites/root
- GET my Planner tasks → /beta/me/planner/tasks
- GET my notes → /beta/me/onenote/notebooks
Try them at https://developer.microsoft.com/en-us/graph-explorer
Auth: YOUR APP uses MSAL to obtain id_token, access_token and refresh_token from Microsoft Identity, then presents the access_token to Microsoft Graph. Register your app at https://apps.dev.microsoft.com
Microsoft Authentication Library (MSAL): https://www.nuget.org/packages/Microsoft.Identity.Client
Dependency hell. Your Data Access Layer project defines AppDbContext : IdentityDbContext<AppUser>, which pulls in Microsoft.AspNetCore.Identity.EntityFrameworkCore → Microsoft.AspNetCore.Identity → Microsoft.AspNetCore.Authentication.Cookies. What are cookie related assemblies and other HTTP related stuff doing in your data access layer?
Leaky abstraction. Million dollar question: which table should I use to store roles?
When to use it?