ASP.NET Core Security Overview

Transcript

1. ASP.NET Core & ASP.NET Core MVC What's new in Security?

   Dominick Baier [email protected] http://leastprivilege.com @leastprivilege

2. 2 @leastprivilege Dominick Baier • Independent Consultant – Specializing in

   Identity & Access Control – Working with Software Development Teams (ISVs and in-house) • Creator and Maintainer of IdentityServer OSS Project – OpenID Connect & OAuth 2.0 Implementation ASP.NET – https://identityserver.io [email protected] http://leastprivilege.com slides: https://speakerdeck.com/leastprivilege

3. 3 @leastprivilege The new .NET

4. 4 @leastprivilege Console Application ASP.NET Core Architecture • ASP.NET Core

   is the HTTP runtime • MVC is Microsoft's primary application framework – combines web UI & API .NET (Core) ASP.NET Core Middleware Middleware User Agent MVC DI

5. 5 @leastprivilege How ASP.NET Core Applications start dotnet run Application.dll

   ASP.NET Core Module IIS Startup.cs ConfigureServices(… ) Configure(…) start process

6. 6 @leastprivilege Security Architecture in ASP.NET Core • Everything is

   based on ClaimsPrincipal – no more custom IPrincipal • Authentication is implemented as middleware – cookies – external authentication • Other security related services – CORS, logging, encoding, anti-forgery • New data protection API • New authorization API

7. 7 @leastprivilege Identity & Authentication APIs • The new HttpContext

   – https://github.com/aspnet/HttpAbstractions/blob/dev/src /Microsoft.AspNetCore.Http.Abstractions/HttpContext.cs • AuthenticationManager – https://github.com/aspnet/HttpAbstractions/blob/dev/src /Microsoft.AspNetCore.Http.Abstractions/Authentication/ AuthenticationManager.cs

8. 8 @leastprivilege Cookie Authentication Middleware • Triggered with HttpContext.Authentication.SignInAsync app.UseCookieAuthentication(new

   CookieAuthenticationOptions { AuthenticationScheme = "Cookies", LoginPath = new PathString("/account/login"), AccessDeniedPath = new PathString("/account/forbidden") });

9. 9 @leastprivilege Claims Transformation • Per-request manipulation of principal &

   claims app.UseClaimsTransformation(context => { if (context.Principal.Identity.IsAuthenticated) { CreateApplicationPrincipal(context); } return Task.FromResult(context.Principal); });

10. 10 @leastprivilege External Authentication • In the box – Google,

    Twitter, Facebook, Microsoft Account – OpenID Connect & JSON Web Tokens • New generic OAuth 2.0 middleware makes on-boarding other proprietary providers easier – LinkedIn, Slack, Spotify, WordPress, Yahoo, Github, Instragram, BattleNet, Dropbox, Paypal, Vimeo… https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers

11. 11 @leastprivilege External Authentication • Triggered with HttpContext.Authentication.ChallengeAsync app.UseGoogleAuthentication(new GoogleOptions

    { AuthenticationScheme = "Google", SignInScheme = "Cookies", ClientId = "43…43", ClientSecret = "3g…Wo" }); * turns external identity automatically into a trusted application cookie

12. 12 @leastprivilege External Authentication w/ Callback • HttpContext.Authentication.ChallengeAsync • HttpContext.Authentication.AuthenticateAsync

    app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Temp", AutomaticAuthenticate = false }); app.UseGoogleAuthentication(new GoogleOptions { AuthenticationScheme = "Google", SignInScheme = "Temp" });

13. 13 @leastprivilege The way forward… Browser Native App Server App

    "Thing" Web App Web API Web API Web API Security Token Service Authentication, SSO, account linking, federation, social logins…

14. 14 @leastprivilege Security Protocols Browser Native App Server App "Thing"

    Web App Web API Web API Web API OpenID Connect* OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 Security Token Service * *

15. 15 @leastprivilege OpenID Connect Middleware • Much improved – support

    for implicit, code and hybrid flow – support for userinfo endpoint & better token management app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions { AuthenticationScheme = "OIDC", SignInScheme = "Cookies", Authority = "https://demo.identityserver.io", ClientId = "mvc", ClientSecret = "secret" ResponseType = "code id_token", SaveTokens = true });

16. 16 @leastprivilege Web API Authentication • Middleware for JWT access

    tokens built-in – cookies not recommended app.UseJwtBearerAuthentication(new JwtBearerOptions { Authority = "https://localhost:44300", Audience = "my.api", options.AutomaticAuthenticate = true; });

17. 17 @leastprivilege Issuing Tokens • No built-in token issuance middleware

    anymore • IdentityServer is the recommended replacement – OpenID Connect and OAuth 2.0 token service http://github.com/identityserver

18. 18 @leastprivilege Data Protection • Who thought this would be

    a good idea?? For giggles: "https://www.google.com/#q=<machineKey filetype:config" <system.web> <!– copied from http://machinekeys.ru seemed legit --> <machineKey decryptionKey="656E7...617365206865726547A5" validationKey="07C1493415E4405F08...6EF8B1F" /> </system.web>

19. 19 @leastprivilege Key Container Locations • On Azure Web Apps

    (no encryption) – %HOME%\ASP.NET\DataProtection-Keys • If user profile is loaded (encrypted) – %LOCALAPPDATA%\ASP.NET\DataProtection-Keys • IIS / no profile (encrypted) – Registry HKLM • In-Memory • Manual configuration <?xml version="1.0" encoding="utf-8"?> <key id="eacc6495-83a3-4aaf-ad29-fee164c69963" version="1"> <creationDate>2015-05-02T08:20:38.6577127Z</creationDate> <activationDate>2015-05-02T08:20:38.6424674Z</activationDate> <expirationDate>2015-07-31T08:20:38.6424674Z</expirationDate> <descriptor> <descriptor> <encryption algorithm="AES_256_CBC" /> <validation algorithm="HMACSHA256" /> <encryptedSecret> <encryptedKey xmlns=""> <!-- This key is encrypted with Windows DPAPI. --> <value>AQ...g==</value> </encryptedKey> </encryptedSecret> </descriptor> </descriptor> </key>

20. 20 @leastprivilege Authorization • Complete re-write – support for unauthorized

    vs forbidden – better separation of business code and authorization logic – re-usable policies – resource/action based authorization – DI enabled

21. 21 @leastprivilege [Authorize] • Similar syntax – roles still supported*

    [Authorize] public class HomeController : Controller { [AllowAnonymous] public IActionResult Index() { return View(); } [Authorize(Roles = "Sales")] public IActionResult About() { return View(User); } } * …and who thought that would be a good idea?

22. 22 @leastprivilege Authorization policies services.AddAuthorization(options => { options.AddPolicy("ManageCustomers", policy =>

    { policy.RequireAuthenticatedUser(); policy.RequireClaim("department", "sales"); policy.RequireClaim("status", "senior"); }); }; [Authorize("ManageCustomers")] public IActionResult Manage() { // stuff } Startup Controller

23. 23 @leastprivilege Programmatically using policies public class CustomerController : Controller

    { private readonly IAuthorizationService _authz; public CustomerController(IAuthorizationService authz) { _authz = authz; } public async Task<IActionResult> Manage() { var allowed = await _authz.AuthorizeAsync(User, "ManageCustomers"); if (!allowed) return Challenge(); return View(); } }

24. 24 @leastprivilege …or from a View @using Microsoft.AspNetCore.Authorization @inject IAuthorizationService

    _authz @if (await _authz.AuthorizeAsync(User, "ManageCustomers")) { <div> <a href="/customers/test">Manage</a> </div> }

25. 25 @leastprivilege Custom Requirements public class JobLevelRequirement : IAuthorizationRequirement {

    public JobLevel Level { get; } public JobLevelRequirement(JobLevel level) { Level = level; } } public static class StatusPolicyBuilderExtensions { public static AuthorizationPolicyBuilder RequireJobLevel( this AuthorizationPolicyBuilder builder, JobLevel level) { builder.AddRequirements(new JobLevelRequirement(level)); return builder; } }

26. 26 @leastprivilege Handling Requirements public class JobLevelRequirementHandler : AuthorizationHandler<JobLevelRequirement> {

    private readonly IOrganizationService _service; public JobLevelRequirementHandler(IOrganizationService service) { _service = service; } protected override void Handle( AuthorizationContext context, JobLevelRequirement requirement) { var currentLevel = _service.GetJobLevel(context.User); if (currentLevel == requirement.Level) { context.Succeed(requirement); } } }

27. 27 @leastprivilege Resource-based Authorization Subject Object Operation - client ID

    - subject ID - scopes - more claims + DI - read - write - send via email - ... - ID - owner - more properties + DI

28. 28 @leastprivilege Example: Document resource public class DocumentAuthorizationHandler : AuthorizationHandler<OperationAuthorizationRequirement,

    Document> { public override Task HandleRequirementAsync( AuthorizationHandlerContext context, OperationAuthorizationRequirement operation, Document resource) { // authorization logic } } services.AddTransient<IAuthorizationHandler, DocumentAuthorizationHandler>(); Add handler in DI:

29. 29 @leastprivilege Invoking the authorization handler public class DocumentController :

    Controller { private readonly IAuthorizationService _authz; public DocumentController(IAuthorizationService authz) { _authz = authz; } public async Task<IActionResult> Update(Document doc) { if (!await _authz.AuthorizeAsync(User, doc, Operations.Update)) { // forbidden return new ChallengeResult(); } // do stuff } }

30. 30 @leastprivilege Resources • https://github.com/leastprivilege/ – AspNetCoreSecuritySamples • https://github.com/aspnet –

    home – security – announcements • http://docs.asp.net

31. 31 @leastprivilege thank you!