End to End Security with MVC and Web API
Download as PPTX, PDF2 likes5,050 views
The document outlines an end-to-end security approach for web API and MVC applications, focusing on authentication, authorization, and message protection techniques. It covers various authentication methods, token formats, and provides best practices for implementing Windows Identity Foundation (WIF) sessions and API calls. Additionally, it discusses social login integration and identity management tools, emphasizing the importance of user consent in contemporary application environments.
End to End Security with MVC and Web API
- 1. DEVintersection Session AS17 End-to-End Security for Your Web API and MVC Applications Michele Leroux Bustamante [email protected]
- 2. Michele Leroux Bustamante Managing Partner Solliance (solliance.net) CEO and Cofounder Snapboard (snapboard.com) Microsoft Regional Director Microsoft MVP Author, Speaker Pluralsight courses on the way! Blog: michelebusta.com [email protected] @michelebusta 2 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 4. Hello World!
- 6. WPF Client Windows Phone 8 Windows Phone 7 iPhone Windows 8/Surface Android Mobile Browsers iPad Web API Web API (mobile) (ajax) Web API (business) MVC Web
- 7. Things are complicated… So we seek simplicity where we can
- 8. WS-Federation WS-ReliableMessaging WS-PolicyAttachment OASIS Web Services Security WS* HELL WSDL WS-Coordination WS-CAF MTOM WS-Transfer WS-Eventing WS-BusinessActivity WS-ResourceTransfer WSRF DIME WS-Addressing SOAP
- 9. WS-Federation WS-ReliableMessaging WS-PolicyAttachment OASIS Web Services Security WS* HELL WSDL WS-Coordination WS-CAF MTOM WS-Transfer WS-Eventing WS-BusinessActivity WS-ResourceTransfer WSRF DIME WS-Addressing SOAP
- 10. Authentication / Authorization Considerations Authentication Windows, username/password, cert WS-Federation, SAML 2.0, OAuth2 w/ OpenID Connect Token Formats Windows, Basic SAML 1.1, SAML 2.0, JSON Web Token (JWT), SWT (legacy) Authorization Roles, Claims, social scenarios and architecture Message Protection (TLS / SSL / WS*) 10 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 12. Mobile Browsers Devices HTML View JS OK ajax View Controller View/API Controller View View Views MVC
- 14. Windows Clients OK Windows Mobile Devices OK Other Clients OK iOS Mobile Android Mobile Devices Devices OK OK API Controller Web API
- 15. Wherever possible choose the lowest common denominator
- 17. POINTS: WebSecurity and Claims Initialize WebSecurity early Use ClaimsPrincipal to get all claims (Roles) Install AuthorizationAttribute as a filter, use AllowAnonymousAttribute Use AuthorizationAttribute to prevent access by roles Create utilities to streamline use of claims 17 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 19. POINTS: WIF Sessions Create a custom SessionAuthenticationModule Encapsulate cookie write/delete, ClaimsPrincipal create For Forms redirect, need WebSecurity enabled Must delete forms cookie + session cookie Other WIF best practices Use SSL Server side session cookies (space, load balancing) Shared token cache (replay detection, load balancing) 19 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 20. POINTS: Additional WIF Techniques ClaimsAuthenticationManager Transform claims from user authentication into application claims (assumes stored by app) ClaimsAuthorizationManager Use with custom AuthorizationAttribute See Thinktecture library ClaimsPrincipalPermission DO NOT USE 20 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 22. POINTS: Web API Calls Must authenticate calls to Web API Trusted Subsystem No need to authenticate the user again Provide a key (Windows, Certificate, signed token) JWT New preferred way to send lightweight token Pass user claims relevant to downstream services 22 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 23. Social Login and User Consent OAuth 2.0 Supports variations of passive and active federation Popular for used for user consent flows where an applications wants access to user information from another applications Sharing flickr photos Sharing tweets Facebook integration NOT for authentication Authentication Twitter Facebook Connect OpenID Connect 23 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 24. User Consent Browser 3 Login Page 11 Requested Information 1 5 4 Authorization Code 6 Client Application 8 Store Tokens 2 Get access token 7 Access + refresh token 9 Authorization Server Request information 10 Requested Information Resource Server
- 25. Social Login / Delegated Authorization Typical choices for B-to-B Username/password Twitter Linked In Typical choices for B-to-C Username/password Twitter Facebook (maybe) Google+ Corporate environments Windows Username/password Live ID 25 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 27. Create Account
- 31. Social Login
- 33. Login or Register? Make both available Make it obvious Navigation bar is one option 33 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 34. Access Control & Twitter Browser 3 Google 1 6 2 FaceBook Yahoo! Windows Live 5 Access Control Your App Twitter 4 Your STS
- 35. Your App & Facebook / Twitter Browser FaceBook Twitter Your App OAuthWebSecurity
- 36. Access Control, Social & Azure AD (vision) Browser Google Yahoo! Access Control Your App User Profile Azure AD FaceBook Windows Live Twitter
- 37. Identity and Access Management Tools Windows Azure Active Directory Sync directories with domain Spin up new directories Connect with other IdP Thinktecture Code base for IdP and Authorization Server Fully functional, you own it, you can edit it WS-Fed and OAuth2, SAML2 coming Auth0 Hosted model, affordable, from small bus to enterprise When you don’t want to own the code, need IdP, Authorization Server/OpenID Connect support 37 © DEVintersection. All rights reserved. http://www.DEVintersection.com
- 38. References Conference resources: http://michelebusta.com See my snapboards: Currently at the alpha site: http://snapboardalpha.cloudapp.net/michelebusta Will move these to snapboard.com/michelebusta when we go live on the main site (SOON watch my blog for announcement) Contact me: [email protected] @michelebusta 38 © DEVintersection. All rights reserved. http://www.DEVintersection.com