2. Content
• 01 | Identity Overview
• 02 | Locally Authenticated Users
• 03 | oAuth and Social Providers
• 04 | Two Factor Authentication
• 05 | Asp.Net Identity with Webapi
• 06 | Identity Tips & Recommendations
2
3. 01 | Identity Overview
• What is Identity ?
• History overview
• Architecture of ASP.NET Identity
• ASP.NET Identity Customization
3
4. What is Identity?
o Identity is Users, Authentication, Authorization.
It is a claims based system; stores login, roles, claims
o Supports claims, roles, custom data stores, individual database
backed auth, Oauth/OpenId, Organizational –AD,
Azure AD, Single Sign On (SSO), Social Login providers
4
5. History Overview
Nov 2005 ASP.NET 2.0 – Introducing Membership!
• SQL Server, SQL Express
Oct 2013 ASP.NET Identity v1
• Completely new model
May 2012 Universal Providers (First NuGet)
• SQL CE, Azure, one provider to access all SQL
Mar 2014 ASP.NET Identity v2
• VS 2013 Update 2.
Two factor authN, account lockout,
confirmation, reset, etc
Aug 2012 Simple Membership
• Sourced in Web Pages, came to MVC / Web Forms
Oct 2014 (alpha) ASP.NET 5 – Identity v3
• VS 2013 Update 3.
Changes to work with ASP.NET 5
5
6. ASP.NET Identity Architecture
o Consists of Managers & Stores
o Managers
o High-level classes; not concerned with how user info
is stored, registering new users, validating credentials
and loading user information
o Ex: SigninManager, RoleManager, UserManager
6
7. ASP.NET Identity Architecture (cont.)
• Stores
o Deals with DAL; CRUD functionality
o Closely coupled with the persistence mechanism
o By default EF Code First used to create tables
SQL Server
o Implementations available for Azure Table Storage,
RavenDB and MongoDB
7
12. Content
• 01 | Identity Overview
• 02 | Locally Authenticated Users
• 03 | oAuth and Social Providers
• 04 | Two Factor Authentication
• 05 | Asp.Net Identity with Webapi
• 06 | Identity Tips & Recommendations
12
13. 02 | Locally Authenticated Users
• What are locally authenticated users?
o Uses DB to authenticate; no third party i.e. authentication is on the same server (AspNetUsers table)
• Customizing the SQL database & entities
ApplicationUser : IdentityUser
• Customizing the type of user store
o Create your own UserStore and IdentityUser. RoleStore as well if you want that.
Storage provider custom implementations exist(MySql, Azure Table Storage, RavenDB, etc
13
14. Content
• 01 | Identity Overview
• 02 | Locally Authenticated Users
• 03 | oAuth and Social Providers
• 04 | Two Factor Authentication
• 05 | Asp.Net Identity with Webapi
• 06 | Identity Tips & Recommendations
14
15. 03 | oAuth and Social Providers
• What is oAuth?
o oAuth is a protocol
o The protocol allows for third party applications to access resources without users giving
credentials to third party
o Supports desktop, web, mobile, etc
• How does Identity use oAuth?
• Integrating with social/other providers
15
16. 03 | oAuth and Social Providers (cont.)
• How does Identity use oAuth?
16
17. Content
• 01 | Identity Overview
• 02 | Locally Authenticated Users
• 03 | oAuth and Social Providers
• 04 | Two Factor Authentication
• 05 | Asp.Net Identity with Webapi
• 06 | Identity Tips & Recommendations
17
19. Content
• 01 | Identity Overview
• 02 | Locally Authenticated Users
• 03 | oAuth and Social Providers
• 04 | Two Factor Authentication
• 05 | Asp.Net Identity with Webapi
• 06 | Identity Tips & Recommendations
19
20. Asp.Net Identity with Webapi
• Webapi2 Security AutheN Bearer Token tutorial; useful video; 2 mins only!
• Works with Framework 4.5, AspNet.Identity.Core 2.2.1, AspNet.Identity.EntityFramework 2.2.1, AspNet.Identity.WebApi
5.2.3
• Steps:
• Create new Webapi project with Individual account authentication type
• Run the project
• Use Fiddler, call the Register endpoint; Ex: http://localhost:8070/api/Account/Register
Request post body: then excute
{"Email": “myemail@gmail.com",
"Password": "Pa$$w0rd",
"ConfirmPassword": "Pa$$w0rd"}
• User fiddler: http://localhost:8070/token
Request body:
username=myemail@gmail.com&grant_type=password&Password=Pa$$w0rd
• Now you are authorized to user any endpoint which requires [Authorize] 20
22. Content
• 01 | Identity Overview
• 02 | Locally Authenticated Users
• 03 | oAuth and Social Providers
• 04 | Two Factor Authentication
• 05 | Asp.Net Identity with Webapi
• 06 | Identity Tips & Recommendations
22
23. 05 | Identity Tips & Recommendations
• Utilize SSL everywhere. Never run without it
o Attacker on network can steal your cookies and hijack your session
o Yes, even login page needs to be protected
o Any page user can access while logged in should be protected
• Enforce a strong password policy!
o Increase default values on manager.PasswordValidator
• Use Xsrf tokens everywhere for post methods
• Do not allow for unlimited login attempts
o Brute forcers dream.
• Two factor authentication highly recommended
• Caution – be wary of email as a second factor authentication
23
24. Finally
What’s Next?
• ASP.NET vNext (ASP.NET 5) being in development, Katana is slowly getting
retired. Version 3.0 will most likely be last major release of Katana as a standalone
framework
• vNext is the successor to Katana (which is why they look so similar). Katana was
the beginning of the break away from System.Web and to more modular
components for the web stack. You can see vNext as a continuation of that work
plus (new CLR, new Project System, new http abstractions)* David Fowler vNext
Architect
• Everything that exists today in Katana will make it's way into vNext
• ASP.NET vNext will be supported by .NET Framework 4.6
24
25. References
• Customizing asp.net authentication with Identity
• Securing web applications using asp.net identity
• Introduction to asp.net identity
• Creating web project; authentication modes
• Overview of custom storage provider of asp.net identity
• Asp.net identity releases
• Owin & Katana simplified
• Individual accounts in Webapi
• AspNet Identity 2.1 with AspNet WebApi 2.2; Accounts managemenet
• AspNet Identity 2.0 & WebApi- Customizing Identity Models & implementing Role-based Authorization
25
*Claims:
Key-Value pair per user; Role is single value “Admin”
Much more info about user as the user delivers claim to your app
Ex “Facebook Access Token”, “CAAVl6UvghVkBAIGZB…
*Single Sign On (SSO):
User provides same credentials multiple services.
User provides credentials once multiple services.
IdentityUser an EF implementation, EmailService, SmsService (twilio sms)
OWIN itself does not have any tools, libraries or anything else. It is just a specification. OWIN is not a framework. OWIN is a specification on how web servers and web applications should be built in order to decouple one from another and allow movement of ASP.NET applications to environments where at the current state it is not possible.
public class IdentityUser : IUser<int>
{
public IdentityUser() { ... }
public IdentityUser(string userName) { ... }
public int Id { get; set; }
public string UserName { get; set; }
// can also define optional properties such as:
// PasswordHash
// SecurityStamp
// Claims
// Logins
// Roles
} public class UserStore : IUserStore<IdentityUser, int>
{
public UserStore() { ... }
public UserStore(ExampleStorage database) { ... }
public Task CreateAsync(IdentityUser user) { ... }
public Task DeleteAsync(IdentityUser user) { ... }
public Task<IdentityUser> FindByIdAsync(int userId) { ... }
public Task<IdentityUser> FindByNameAsync(string userName) { ... }
public Task UpdateAsync(IdentityUser user) { ... }
public void Dispose() { ... }
}
*Reconfigure application to use new storage provider : Replace default storage provider in MVC project http://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity
Several custom implementations exist for storage providers
ASP.NET Identity Recommended Resources
Overview of Custom Storage Providers for ASP.NET Identity
Integrating with social/other providers (Demo + ..)
Works with oAuth 2.0
We’re making the OpenIDConnect middleware more generic to support more providers
We’ve added a generic OAuth2 middleware that works with many different providers
https://github.com/aspnet/Security/blob/dev/samples/SocialSample/Startup.cs#L116
AspNetUserLogin table
Tracks provider name
Tokens are not stored Your app requests a request token, gets one and URL
User goes to URL (with token) and authenticates & allows app
oAuth provider redirects back to your ‘success’ page with
Your code parses access token, potentially stores it
If user doesn’t have an account, prompt them to register with email (so we have something on hand). We could change code to auto create.
All requests to protected resources are done with access token that is stored in AspNetUserClaims
*totp: Time-based One-time Password Algorithm is an algorithm that computes a one-time password from a shared secret key and the current time. When developing remember…
Adding the phone number triggers the first verification
No phone #? SmsService code will never be called
Debug – you may not have all the code you need
Email will only be available if it’s verified
Identity is not multi-tenant or multi-app
Use SSO with Azure for multi tenant
https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet
Shared across apps via shared sql db with identity tables
**It’s extensible**
AspNet.Identity.EntityFramework.Multitenant on github
ASP.NET vNext will be built on top of .NET Core 5. .NET Core 5 is lightweight factored version of .NET Framework, designed to support goals of ASP.NET 5 and .NET Native.
