Authenticating users and checking their permissions to perform certain actions are the ABC of any software and real-life process. ASP.NET has a long record of successful applications, yet the API it has always offered is quite simple for the needs of today. This has led to a variety of additional best practices that for the most part have been incorporated in ASP.NET Core. In this session we’ll first look at the basic facts of claims and core authentication and then move to authorization policies and authentication in the context of Web APIs. By attending the session you’ll figure out the differences between old and new ASP.NET authentication, old and new ASP.NET authorization, and the common steps to control access to a Web API.
Dino Esposito "Security is a matter of success"
1. Security is a Matter of Success
Dino Esposito
Digital Strategist, BaxEnergy
2. AUTHENTICATION
▰ Cookie-based authentication (without web.config)
▰ IPrincipal based on claims (not just username)
▰ Enable authentication middleware and use it
▻ Cookie name, login path, return-url, sliding expiration
▰ Multiple authentication schemes supported
▻ Cookie, bearer token, social networks
3. AUTHENTICATION: CLAIMS
▰ All claims stored in the authentication item (cookie)
▰ Information is not retrieved again on each request, so it may need updating if it changes
▰ Username and role, plus everything else
▰ Different API for sign-in/sign-out
▰ LINQ-style API to read claims
6. POLICY-BASED AUTHORIZATION
▰ Policy is a collection of requirements
▰ More flexible than just roles
▰ Register policies in startup
▰ Apply through Policy attribute of Authorize
7. using Microsoft.AspNetCore.Authorization;
var policy = new AuthorizationPolicyBuilder()
    .AddAuthenticationSchemes("Cookie", "Bearer")   // plural: takes a params string[] of scheme names
    .RequireAuthenticatedUser()
    .RequireRole("Admin")
    .RequireClaim("editor", "contents")            // claim type "editor" must have value "contents"
    .RequireClaim("level", "Senior")
    .Build();
8. POLICY-BASED AUTHORIZATION
// IAuthorizationService injected in controller
public async Task<IActionResult> Save(Article article)
{
    // Since ASP.NET Core 2.0 AuthorizeAsync returns AuthorizationResult (1.x returned a bool)
    var allowed = await _authorization.AuthorizeAsync(User, ...);
    if (!allowed.Succeeded)
        return new ForbidResult();   // MVC's result type is ForbidResult (or call Forbid())
    // Proceed
}
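As an added example, not taken from the slides, here is the wiring that slides 6 to 8 describe, written against ASP.NET Core 3.1 (an assumption; it also needs the Microsoft.AspNetCore.Authentication.JwtBearer package): the slide 7 policy registered in startup, applied declaratively with [Authorize(Policy = ...)] and imperatively through IAuthorizationService. The policy name "SeniorEditor", the login path, and the issuer and audience values are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Two schemes, as on slide 2: cookie for browser users, bearer token for API clients.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o => { o.LoginPath = "/account/login"; o.SlidingExpiration = true; })
            .AddJwtBearer(o => { o.Authority = "https://issuer.example"; o.Audience = "api"; }); // placeholder values
        // Register the policy (slide 6); the builder chain is the one from slide 7.
        services.AddAuthorization(options =>
            options.AddPolicy("SeniorEditor", policy => policy
                .AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme,
                                          JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .RequireRole("Admin")
                .RequireClaim("editor", "contents")
                .RequireClaim("level", "Senior")));
        services.AddControllersWithViews();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // populates User from the cookie or the bearer token
        app.UseAuthorization();  // evaluates [Authorize] policies; must run after UseAuthentication
        app.UseEndpoints(e => e.MapControllers());
    }
}
public class Article { public int Id { get; set; } public string Body { get; set; } }
public class ArticlesController : Controller
{
    private readonly IAuthorizationService _authorization;
    public ArticlesController(IAuthorizationService authorization) => _authorization = authorization;
    [Authorize(Policy = "SeniorEditor")] // declarative: the policy is evaluated before the action runs
    public IActionResult Edit(int id) => View();

    public async Task<IActionResult> Save(Article article) // imperative, as on slide 8
    {
        var result = await _authorization.AuthorizeAsync(User, "SeniorEditor");
        if (!result.Succeeded) // AuthorizationResult since ASP.NET Core 2.0, not a bool
            return Forbid();   // delegates to the scheme's forbid handling instead of hand-building a 403
        return Ok();           // proceed with the save
    }
}
```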
9. SECURING WEB API
▰ [Authorize] works as long as cookies are acceptable to the client
▰ Basic authentication
▻ User credentials packed with request
▰ Token-based authentication
▻ Token associated with a given user
▰ Identity Management Server