End to End Security with MVC and Web API
Transcript of End to End Security with MVC and Web API
DEVintersection Session AS17
End-to-End Security for Your Web API and MVC Applications
Michele Leroux [email protected]
© DEVintersection. All rights reserved.
http://www.DEVintersection.com
Michele Leroux Bustamante
Managing Partner, Solliance (solliance.net)
CEO and Cofounder, Snapboard (snapboard.com)
Microsoft Regional Director, Microsoft MVP
Author, Speaker, Pluralsight courses on the way!
Blog: michelebusta.com
@michelebusta
Hello World! 1992
Hello World! 2013
Diagram: in 2013 "Hello World" has many clients (iPhone, Windows Phone 7 and 8, Windows 8/Surface, WPF client, Android, iPad, mobile browsers) talking to Web API (mobile), MVC Web, Web API (business) and Web API (ajax).
Things are complicated…
So we seek simplicity where we can
WS* HELL: WS-Eventing, WS-Addressing, SOAP, MTOM, SwA, WS-Transfer, WS-Enumeration, DIME, WSN, WS-ResourceTransfer, WSRF, OASIS Web Services Security, WS-SecurityPolicy, WS-Federation, SAML, WS-SecureConversation, WS-Trust, WS-ReliableMessaging, WS-RM Policy, WS-Reliability, WS-CAF, WS-BusinessActivity, WS-Coordination, WS-AtomicTransaction, WS-Policy, WSDL, WS-PolicyAttachment, WS-Discovery, WS-MetadataExchange
Authentication / Authorization Considerations
Authentication: Windows, username/password, cert, WS-Federation, SAML 2.0, OAuth2 w/ OpenID Connect
Token Formats: Windows, Basic, SAML 1.1, SAML 2.0, JSON Web Token (JWT), SWT (legacy)
Authorization: Roles, Claims, social scenarios and architecture
Message Protection: TLS / SSL / WS*
Diagram: browsers render HTML views and call MVC View Controllers; their JS (ajax) calls Web API Controllers.
Diagram: mobile devices (Windows, iOS, Android), WPF/Windows clients and other clients all call Web API API Controllers.
Wherever possible choose the lowest common denominator
Demo: WebSecurity and Claims
POINTS: WebSecurity and Claims
Initialize WebSecurity early
Use ClaimsPrincipal to get all claims (Roles)
Install AuthorizationAttribute as a filter, use AllowAnonymousAttribute
Use AuthorizationAttribute to prevent access by roles
Create utilities to streamline use of claims
Demo: Enabling WIF Sessions
POINTS: WIF Sessions
Create a custom SessionAuthenticationModule
Encapsulate cookie write/delete, ClaimsPrincipal create
For Forms redirect, need WebSecurity enabled
Must delete forms cookie + session cookie
Other WIF best practices:
Use SSL
Server side session cookies (space, load balancing)
Shared token cache (replay detection, load balancing)
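Added example (not the session's demo code) of the WIF session points above: a static wrapper, rather than a SessionAuthenticationModule subclass, that encapsulates principal creation, session cookie write and the two-cookie sign-out. It assumes .NET 4.5 WIF (System.IdentityModel.Services); the class, method and claim values are constructed.

```csharp
using System;
using System.IdentityModel.Services;   // WIF 4.5: FederatedAuthentication, SessionAuthenticationModule
using System.IdentityModel.Tokens;     // SessionSecurityToken
using System.Security.Claims;
using System.Web.Security;             // FormsAuthentication

// Constructed helper (assumed name) wrapping the WIF session cookie lifecycle.
public static class WifSession
{
    // Build the ClaimsPrincipal the app wants in its session cookie from the
    // user name and roles WebSecurity already verified (sample claim types).
    public static ClaimsPrincipal CreatePrincipal(string userName, params string[] roles)
    {
        var identity = new ClaimsIdentity("Forms");   // authentication type of the identity
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    // Write the WIF session cookie. IsReferenceMode keeps the token server side
    // and puts only a reference in the cookie (small cookie; on a web farm the
    // SessionSecurityTokenCache must then be shared across servers). It is
    // normally set once at application start rather than per sign-in.
    public static void SignIn(ClaimsPrincipal principal, TimeSpan lifetime)
    {
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        sam.IsReferenceMode = true;
        var token = new SessionSecurityToken(principal, lifetime);
        sam.WriteSessionTokenToCookie(token);
    }

    // Sign-out must delete BOTH cookies; leaving either one keeps the user
    // signed in on the next request.
    public static void SignOut()
    {
        FormsAuthentication.SignOut();                                  // forms cookie
        FederatedAuthentication.SessionAuthenticationModule.SignOut();  // WIF session cookie
    }
}
```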
POINTS: Additional WIF Techniques
ClaimsAuthenticationManager: Transform claims from user authentication into application claims (assumes stored by app)
ClaimsAuthorizationManager: Use with custom AuthorizationAttribute; see Thinktecture library
ClaimsPrincipalPermission: DO NOT USE
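Added example (not the speaker's demo and not the Thinktecture library) serving both the "create utilities to streamline use of claims" point and the ClaimsAuthorizationManager point above: a claims extension method, a sample ClaimsAuthorizationManager, and a custom MVC authorization attribute that defers to it. Assumes .NET 4.5 and ASP.NET MVC; the policy, class names and resource/action strings are constructed, and the manager is instantiated directly rather than resolved from the WIF configuration.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Utility to streamline claim checks (assumed name).
public static class ClaimsExtensions
{
    public static bool HasRole(this ClaimsPrincipal principal, string role)
    {
        return principal.HasClaim(ClaimTypes.Role, role);
    }
}

// Sample policy: CheckAccess receives the resource and action the attribute
// names and decides from the principal's claims, so controllers never
// hard-code role names.
public class AppClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        var principal = context.Principal;
        var action = context.Action.First().Value;       // e.g. "Read", "Delete"

        if (principal.HasRole("Admin")) return true;     // admins may do anything
        return action == "Read" && principal.Identity.IsAuthenticated;
    }
}

// Custom AuthorizationAttribute: usage [ClaimsAuthorize("Orders", "Delete")].
// Register AuthorizeAttribute as a global filter and mark public actions
// with [AllowAnonymous]; this attribute adds the claims-based decision.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _resource;
    private readonly string _action;

    public ClaimsAuthorizeAttribute(string resource, string action)
    {
        _resource = resource;
        _action = action;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null) return false;             // no claims, deny
        var context = new AuthorizationContext(principal, _resource, _action);
        return new AppClaimsAuthorizationManager().CheckAccess(context);
    }
}
```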
Demo: Calling Web API
POINTS: Web API Calls
Must authenticate calls to Web API
Trusted Subsystem: No need to authenticate the user again; provide a key (Windows, Certificate, signed token)
JWT: New preferred way to send lightweight token; pass user claims relevant to downstream services
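Added example (not the session's demo code) of the JWT trusted-subsystem point above: the MVC app issues a short-lived JWT carrying only the user claims the downstream Web API needs, signs it with a key shared with that API, and the API validates issuer, audience, expiry and signature before trusting the claims. Assumes .NET 4.5 and the System.IdentityModel.Tokens.Jwt 4.x package; issuer, audience, key and class names are constructed.

```csharp
using System;
using System.IdentityModel.Tokens;   // JwtSecurityToken(Handler), SigningCredentials, TokenValidationParameters
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;

public static class DownstreamJwt
{
    // Shared secret between the MVC app and its Web API (constructed sample;
    // in practice read from configuration and at least 32 bytes long).
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-32-byte-sample-secret!!");
    const string Issuer = "urn:mvc-app";
    const string Audience = "urn:orders-api";

    // Issue a 5-minute JWT containing only the requested claim types, so the
    // downstream service never sees claims it has no use for.
    public static string Create(ClaimsPrincipal user, params string[] claimTypes)
    {
        var claims = user.Claims.Where(c => claimTypes.Contains(c.Type));
        var creds = new SigningCredentials(new InMemorySymmetricSecurityKey(Key),
            SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(Issuer, Audience, claims, now, now.AddMinutes(5), creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Web API side: reject tokens for another issuer/audience, expired tokens,
    // and tokens whose signature does not verify under the shared key.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new InMemorySymmetricSecurityKey(Key)
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }

    // MVC app side: attach the token to the Web API call as a Bearer header.
    public static HttpRequestMessage CallApi(ClaimsPrincipal user, string url)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, url);
        var jwt = Create(user, ClaimTypes.NameIdentifier, ClaimTypes.Role);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwt);
        return request;
    }
}
```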
Social Login and User Consent
OAuth 2.0: Supports variations of passive and active federation. Popular for user consent flows where an application wants access to user information from another application: sharing flickr photos, sharing tweets, Facebook integration. NOT for authentication.
Authentication: Twitter, Facebook Connect, OpenID Connect
User Consent
Diagram: the browser, client application, authorization server (with its login page) and resource server; the labelled steps are Authorization Code, Get access token, Access + refresh token, Store Tokens, Request information, Requested Information.
Social Login / Delegated Authorization
Typical choices for B-to-B: Username/password, Twitter, LinkedIn
Typical choices for B-to-C: Username/password, Twitter, Facebook (maybe), Google+
Corporate environments: Windows, Username/password, Live ID
Registration Options (screenshots): Create Account, Facebook Registration, Facebook Registration (2), Twitter Registration, Social Login
Demo: Social Login
Login or Register?
Make both available. Make it obvious. Navigation bar is one option.
Access Control & Twitter
Diagram: the browser signs in to Your App via Access Control, which brokers Yahoo!, Windows Live and Your STS; Twitter is handled separately.
Your App & Facebook / Twitter
Diagram: the browser signs in to Your App directly through OAuthWebSecurity.
Access Control, Social & Azure AD (vision)
Diagram: the browser signs in to Your App via Access Control (Yahoo!, Windows Live) and Azure AD, with a User Profile held by the app.
Identity and Access Management Tools
Windows Azure Active Directory: Sync directories with domain, spin up new directories, connect with other IdP
Thinktecture: Code base for IdP and Authorization Server; fully functional, you own it, you can edit it; WS-Fed and OAuth2, SAML2 coming
Auth0: Hosted model, affordable, from small business to enterprise; when you don't want to own the code, need IdP, Authorization Server/OpenID Connect support
References
Conference resources: http://michelebusta.com
See my snapboards, currently at the alpha site: http://snapboardalpha.cloudapp.net/michelebusta
Will move these to snapboard.com/michelebusta when we go live on the main site (SOON, watch my blog for the announcement)
Contact me: [email protected] @michelebusta