Upgrade to Pro — share decks privately, control downloads, hide ads and more …

.NET Day 2023: The state of the .NET Auth, Clou...

dotnetday
September 01, 2023

.NET Day 2023: The state of the .NET Auth, Cloud Security

A lot is changing in how we implement security in our .NET applications. Traditional approaches are still applied, as are modern authentication solutions built using a Zero Trust strategy. This talk looks at what is considered best practice, emerging identity solutions such as SSI and how we can improve the security in the solutions we build today.

dotnetday

September 01, 2023
Tweet

More Decks by dotnetday

Other Decks in Technology

Transcript

  1. State of ASP.NET Core, .NET authentication Trends from OAuth2 and

    OpenID Connect passkeys, FIDO2 Self Sovereign Identity, E-ID Schweiz, eIDAS Some security recommendations
  2. .NET 7 & .NET 8 A big push in authentication,

    new APIs, docs in .NET 8 Still using tokens in the browser  The time for secure cookies in now. Too many solutions in .NET and not sticking to the standards. Every producer seems to make different client library wrappers
  3. .NET 8 templates, solutions Moving back to less secure solutions

    with weak interoperability  OIDC, OAuth2 client templates are missing (Apart from Microsoft Entra ID)
  4. ASP.NET Core Identity APIs Using a username, password to request

    an access token for a public client is a bad idea Simple but unsecure! - Impersonation - Phishing - Access token storage problems - Client hijacking - MFA
  5. ASP.NET 8 security docs • New docs in the making,

    looking good already • Feedback is wanted, get involved • Decision flow chart
  6. .NET YARP reverse proxy • Isolate your legacy solutions •

    Great solution for implementing app moderization • Downstream APIs • Just awesome in so many ways ☺
  7. Backend for frontend security • Improved security • Recommended security

    architecture for modern Web UIs • Industry is moving on from tokens for web applications • Not all services, cloud solutions have adopted, (Or want to adopt)
  8. OAuth 2.0 Demonstrating Proof-of- Possession at the Application Layer (DPoP)

    https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop
  9. Cross Device authentication • Never trust a QR Code •

    Mind the GAP problem • Open to phishing attacks • Aim for phishing resistant authentication! • Certificate authentication • FIDO2, passkeys • Windows for business
  10. Schweiz E-ID 2025+ • PoC built using legacy Hyperledger Aries,

    new Swiss Wallet • Unknown which VC types, standards will be supported • SIOP V2, Didcomm V1, Didcomm V2? • Over consent credential theft problem unsolved, Verifiers will collect data. • Less secure compared to existing systems (open to phishing attacks) • More complexity, identity solutions require a ledger layer to use SSI • Interop between SSI solutions, ledgers, wallets has no solution, vendor lockdown
  11. Self Sovereign Identity is NOT a good solution for authentication

    It is a good solution for online identity
  12. Cross device authentication that starts from a QR Code is

    UNSECURE Near device authentication which starts from a QR Code is secure (passkeys)
  13. Network/IT security versus App Security • One does not replace

    the other! • Use both • Do not use setups which prevent doing one or the other correctly!
  14. Good security is not complex to implement or use •

    Less is more • KISS • Do not create custom solutions, complex solutions • Useability
  15. Use a Zero Trust Strategy • Verify locally, implement security

    at the app and at the source • In production even when you use a WAF and K8s, use HTTPS • Do not use setups which prevent application security • Avoid moving the security to gateways, Firewalls, WAF • (You can do this as well)
  16. Use a single cloud identity provider Use a single cloud

    identity provider for applications.
  17. Never implement a username/password You should never need to implement

    a username/password request Use ASP.NET Core Identity if implementing your own identity provider and token server Always delegate the IAM management to an existing system if possible or use a solution based on standards • Azure AD (Azure AD B2C) • Auth0 • Keycloak • OpenIddict with ASP.NET Core Identity • IdentityServer with ASP.NET Core Identity
  18. Team of 50 people focused on developing business solutions Security

    workshops, security consulting, DevOps Security Focus on hand crafted solutions generating business value .NET, Azure, App security, React, Blazor, Angular, Power Apps, Power BI & data