End to End Security with MVC and Web API

DEVintersection Session AS17 End-to-End Security for Your Web API and MVC Applications Michele Leroux Bustamante [email protected]

description

This session discusses today's authentication and authorization techniques for web and API applications built on ASP.NET MVC and Web API.

Transcript of End to End Security with MVC and Web API

Page 1: End to End Security with MVC and Web API

DEVintersection Session AS17

End-to-End Security for Your Web API and MVC Applications

Michele Leroux Bustamante, [email protected]

Page 2: End to End Security with MVC and Web API

© DEVintersection. All rights reserved.

http://www.DEVintersection.com

Michele Leroux Bustamante
Managing Partner, Solliance (solliance.net)
CEO and Cofounder, Snapboard (snapboard.com)
Microsoft Regional Director, Microsoft MVP
Author, Speaker; Pluralsight courses on the way!
Blog: michelebusta.com
[email protected]
@michelebusta

Page 3: End to End Security with MVC and Web API

Hello World! 1992

Page 4: End to End Security with MVC and Web API

Hello World!

Page 5: End to End Security with MVC and Web API

Hello World! 2013

Page 6: End to End Security with MVC and Web API

[Diagram: client types (iPhone, Windows Phone 8, Windows 8/Surface, WPF client, Windows Phone 7, Android, iPad, mobile browsers) calling Web API (mobile), MVC Web, Web API (business) and Web API (ajax).]

Page 7: End to End Security with MVC and Web API

Things are complicated… so we seek simplicity where we can.

Page 8: End to End Security with MVC and Web API

WS-* HELL

WS-Eventing, WS-Addressing, SOAP, MTOM, SwA, WS-Transfer, WS-Enumeration, DIME, WSN, WS-ResourceTransfer, WSRF, OASIS Web Services Security, WS-SecurityPolicy, WS-Federation, SAML, WS-SecureConversation, WS-Trust, WS-ReliableMessaging, WS-RM Policy, WS-Reliability, WS-CAF, WS-BusinessActivity, WS-Coordination, WS-AtomicTransaction, WS-Policy, WSDL, WS-PolicyAttachment, WS-Discovery, WS-MetadataExchange


Page 10: End to End Security with MVC and Web API


Authentication / Authorization Considerations

- Authentication: Windows, username/password, certificate, WS-Federation, SAML 2.0, OAuth2 with OpenID Connect
- Token formats: Windows, Basic, SAML 1.1, SAML 2.0, JSON Web Token (JWT), SWT (legacy)
- Authorization: roles, claims, social scenarios and architecture
- Message protection: TLS / SSL / WS-*

Page 11: End to End Security with MVC and Web API

[Diagram: browsers render HTML views and make ajax calls with JavaScript; the MVC site hosts a ViewController and a Web API controller, and a separate Web API site hosts its own API controller.]

Page 12: End to End Security with MVC and Web API

[Diagram: browsers and mobile devices against one MVC site that hosts views, a ViewController and a combined View/API controller.]

Page 13: End to End Security with MVC and Web API

[Diagram: WPF client calling a Web API ApiController.]

Page 14: End to End Security with MVC and Web API

[Diagram: Windows, iOS and Android mobile devices, Windows clients and other clients all calling the same Web API ApiController.]

Page 15: End to End Security with MVC and Web API

Wherever possible choose the lowest common denominator.

Page 16: End to End Security with MVC and Web API

Demo

WebSecurity and Claims

Page 17: End to End Security with MVC and Web API


POINTS: WebSecurity and Claims

- Initialize WebSecurity early
- Use ClaimsPrincipal to get all claims (including roles)
- Install AuthorizeAttribute (the MVC/Web API [Authorize] filter) as a global filter, and opt out with AllowAnonymousAttribute
- Use AuthorizeAttribute to restrict access by role
- Create utilities to streamline use of claims

Page 18: End to End Security with MVC and Web API

Demo

Enabling WIF Sessions

Page 19: End to End Security with MVC and Web API


POINTS: WIF Sessions

- Create a custom SessionAuthenticationModule
- Encapsulate cookie write/delete and ClaimsPrincipal creation
- For the Forms redirect, WebSecurity must be enabled
- On sign-out, delete both the forms cookie and the session cookie

Other WIF best practices

- Use SSL
- Server-side session cookies (cookie size, load balancing)
- Shared token cache (replay detection, load balancing)
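The session points above, as an added example that is not code from the talk: a hypothetical `ClaimsSession` helper around the stock WIF 4.5 `SessionAuthenticationModule` that does the ClaimsPrincipal creation, the cookie write and the two-cookie sign-out in one place. It assumes `System.IdentityModel.Services.SessionAuthenticationModule` is registered under `<system.webServer><modules>` in web.config and that the app has already authenticated the user with WebSecurity/forms.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Security;

// Added example (hypothetical helper, not the talk's code). Wraps the WIF
// SessionAuthenticationModule so controllers never touch cookies directly.
// Assumes the module is registered under <system.webServer><modules>.
public static class ClaimsSession
{
    // Call after WebSecurity.Login succeeds: build the ClaimsPrincipal and
    // issue a WIF session cookie that carries the claims.
    public static ClaimsPrincipal SignIn(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, userName),
            new Claim(ClaimTypes.Name, userName)
        };
        foreach (var role in roles)
            claims.Add(new Claim(ClaimTypes.Role, role));

        // A non-empty authenticationType is what makes IsAuthenticated true.
        var identity = new ClaimsIdentity(claims, "Forms", ClaimTypes.Name, ClaimTypes.Role);
        var principal = new ClaimsPrincipal(identity);

        var token = new SessionSecurityToken(principal, TimeSpan.FromHours(8))
        {
            // Reference mode: the claims stay in the server-side session token
            // cache and the cookie holds only a key. Small cookie, but behind a
            // load balancer the cache must be shared (a SessionSecurityTokenCache
            // configured under <system.identityModel> <caches>).
            IsReferenceMode = true,
            IsPersistent = false
        };
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
        return principal;
    }

    // Sign-out must clear BOTH cookies. Leaving the forms cookie behind lets
    // FormsAuthenticationModule re-establish the user on the next request.
    public static void SignOut()
    {
        FederatedAuthentication.SessionAuthenticationModule.SignOut();
        FormsAuthentication.SignOut();
    }

    // Call from Application_Start: fail fast if the session cookie could be
    // sent over plain HTTP. Corresponds to <cookieHandler requireSsl="true" />
    // under <system.identityModel.services><federationConfiguration>.
    public static void RequireSecureCookie()
    {
        var handler = FederatedAuthentication.FederationConfiguration.CookieHandler;
        if (!handler.RequireSsl)
            throw new InvalidOperationException(
                "WIF session cookie must be SSL-only: set cookieHandler requireSsl=\"true\".");
    }
}
```

The helper wraps the stock module rather than subclassing it; subclass `SessionAuthenticationModule` only when you need to hook the pipeline (for example to re-check a cached session against the user store). `RequireSecureCookie` is the check a practitioner wants at start-up, because a session cookie without the Secure flag is the one that leaks over the first plain-HTTP link a user follows.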

Page 20: End to End Security with MVC and Web API


POINTS: Additional WIF Techniques

- ClaimsAuthenticationManager: transform claims from user authentication into application claims (assumes the application stores them)
- ClaimsAuthorizationManager: use with a custom AuthorizeAttribute; see the Thinktecture library
- ClaimsPrincipalPermission: DO NOT USE
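The claims utilities from the WebSecurity and Claims points and the two WIF classes above, as one added example that is not the talk's or Thinktecture's code. `AppClaimTypes`, `AppClaimsTransformer`, `AppAuthorizationManager`, `ClaimsAuthorizeAttribute`, the permission lookup and its sample data are all hypothetical; the permission strings are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

// Added example (hypothetical names). The point of the transformer is that
// authorization runs against claims the app issued, not the ones the login
// provider happened to send.
public static class AppClaimTypes
{
    public const string Permission = "urn:example:app:permission";
}

// Runs once when the identity is established. Maps the incoming identity
// (forms, social login, federated IdP) to the application's own claims.
public class AppClaimsTransformer : ClaimsAuthenticationManager
{
    // Hook for the app's user store; constructed sample data, replace with a real lookup.
    public static Func<string, IEnumerable<string>> PermissionLookup = userId =>
        userId == "alice" ? new[] { "orders:read", "orders:delete" } : new[] { "orders:read" };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var userId = incomingPrincipal.FindFirst(ClaimTypes.NameIdentifier);
        if (userId == null)
            throw new SecurityException("authenticated principal has no NameIdentifier claim");

        // Start from an empty identity: role/permission claims from an external
        // provider are never copied across, they are looked up from our store.
        var identity = new ClaimsIdentity("Application", ClaimTypes.Name, AppClaimTypes.Permission);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId.Value));
        var name = incomingPrincipal.FindFirst(ClaimTypes.Name);
        if (name != null)
            identity.AddClaim(new Claim(ClaimTypes.Name, name.Value));
        foreach (var permission in PermissionLookup(userId.Value))
            identity.AddClaim(new Claim(AppClaimTypes.Permission, permission));

        return new ClaimsPrincipal(identity);
    }
}

// Central policy: "may this principal perform <action> on <resource>?",
// answered from the transformed claims. Deny is the default.
public class AppAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        var resource = context.Resource.FirstOrDefault();
        var action = context.Action.FirstOrDefault();
        if (resource == null || action == null)
            return false;
        return context.Principal.HasClaim(AppClaimTypes.Permission, resource.Value + ":" + action.Value);
    }
}

// Web API filter that delegates to the authorization manager, so controllers
// name a resource and action instead of hard-coding role names.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _resource;
    private readonly string _action;

    public ClaimsAuthorizeAttribute(string resource, string action)
    {
        _resource = resource;
        _action = action;
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // ClaimsPrincipal.Current is Thread.CurrentPrincipal, available in both
        // Web API 1 and 2 when hosted in IIS.
        var principal = ClaimsPrincipal.Current;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        var context = new AuthorizationContext(principal, _resource, _action);
        return new AppAuthorizationManager().CheckAccess(context);
    }
}

public class OrdersController : ApiController
{
    [ClaimsAuthorize("orders", "delete")]
    public HttpResponseMessage Delete(int id)
    {
        // delete the order here; only principals holding "orders:delete" get this far
        return Request.CreateResponse(HttpStatusCode.NoContent);
    }
}
```

WIF invokes the registered ClaimsAuthenticationManager (`<system.identityModel><identityConfiguration><claimsAuthenticationManager type="..." />`) automatically only inside its own pipeline (session or WS-Federation module). When the app builds the principal itself after a forms/WebSecurity login, call `FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager.Authenticate(...)` before writing the session cookie, otherwise the session carries untransformed claims. The plain `[Authorize]` filter is still installed globally (`GlobalFilters.Filters.Add(new AuthorizeAttribute())` for MVC, `config.Filters.Add(new AuthorizeAttribute())` for Web API) so that an unannotated action is never anonymous by accident.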

Page 21: End to End Security with MVC and Web API

Demo

Calling Web API

Page 22: End to End Security with MVC and Web API


POINTS: Web API Calls

- Must authenticate calls to Web API
- Trusted subsystem: no need to authenticate the user again; provide a key (Windows, certificate, signed token)
- JWT: the new preferred way to send a lightweight token; pass the user claims relevant to downstream services
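The trusted-subsystem hop with a JWT, as an added example that is not code from the talk. It is a deliberately small HS256 implementation written against the framework only (no JWT library), so the checks a validator must make are visible. `SubsystemJwt`, the issuer and audience strings and the claim-forwarding convention (one JSON array per forwarded claim type) are hypothetical; the key is whatever the MVC front end and the Web API share.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Web.Script.Serialization;

// Added example, not code from the talk. The MVC front end, having already
// authenticated the user, signs a short-lived token with a key shared with the
// Web API; the API verifies the token instead of authenticating the user again.
public static class SubsystemJwt
{
    public const string Issuer = "urn:example:mvc-frontend";     // hypothetical
    public const string Audience = "urn:example:business-api";   // hypothetical
    private static readonly JavaScriptSerializer Json = new JavaScriptSerializer();
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private static long UnixNow() { return (long)(DateTime.UtcNow - Epoch).TotalSeconds; }

    // Front-end side: subject plus only the claim types the downstream service needs.
    public static string Create(byte[] key, ClaimsPrincipal user, string[] forwardClaimTypes, TimeSpan lifetime)
    {
        var subject = user.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null) throw new ArgumentException("user has no NameIdentifier claim");
        long now = UnixNow();
        var payload = new Dictionary<string, object>
        {
            { "iss", Issuer }, { "aud", Audience }, { "sub", subject.Value },
            { "iat", now }, { "exp", now + (long)lifetime.TotalSeconds }
        };
        foreach (var type in forwardClaimTypes)
            payload[type] = user.FindAll(type).Select(c => c.Value).ToArray();

        string signingInput = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"))
                              + "." + B64Url(Encoding.UTF8.GetBytes(Json.Serialize(payload)));
        using (var hmac = new HMACSHA256(key))
            return signingInput + "." + B64Url(hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput)));
    }

    // API side (e.g. from a DelegatingHandler that reads the Bearer header).
    // Order matters: pin the algorithm (no "alg":"none"), verify the MAC in
    // constant time, and only then read and enforce iss/aud/exp.
    public static ClaimsPrincipal Validate(byte[] key, string token, string[] forwardClaimTypes)
    {
        var parts = token.Split('.');
        if (parts.Length != 3) throw new SecurityException("malformed token");
        var header = Json.Deserialize<Dictionary<string, object>>(Encoding.UTF8.GetString(UnB64Url(parts[0])));
        if (!"HS256".Equals(Require(header, "alg")))
            throw new SecurityException("unexpected alg");

        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
        if (!FixedTimeEquals(expected, UnB64Url(parts[2])))
            throw new SecurityException("bad signature");

        var payload = Json.Deserialize<Dictionary<string, object>>(Encoding.UTF8.GetString(UnB64Url(parts[1])));
        if (!Issuer.Equals(Require(payload, "iss")) || !Audience.Equals(Require(payload, "aud")))
            throw new SecurityException("wrong issuer or audience");
        if (Convert.ToInt64(Require(payload, "exp")) < UnixNow() - 60)   // 60 s clock-skew allowance
            throw new SecurityException("token expired");

        var identity = new ClaimsIdentity("TrustedSubsystem", ClaimTypes.NameIdentifier, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, (string)Require(payload, "sub")));
        foreach (var type in forwardClaimTypes)
        {
            object values;
            if (!payload.TryGetValue(type, out values) || values == null) continue;
            foreach (var v in (IEnumerable)values)
                identity.AddClaim(new Claim(type, (string)v));
        }
        return new ClaimsPrincipal(identity);
    }

    private static object Require(Dictionary<string, object> map, string name)
    {
        object value;
        if (!map.TryGetValue(name, out value) || value == null)
            throw new SecurityException("missing " + name);
        return value;
    }

    // Compare without leaking the position of the first mismatch via timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string B64Url(byte[] b) { return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_'); }

    private static byte[] UnB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
}
```

The caller sends the result as `Authorization: Bearer <token>` (`request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token)` on an `HttpRequestMessage`). Keep the lifetime short (minutes, not hours): in a trusted subsystem the token is a statement by the front end about the user, and a long-lived one becomes a bearer credential worth stealing. The same key check, issuer and audience pinning apply when you switch to a library such as System.IdentityModel.Tokens.Jwt; the point of spelling them out here is that a validator which skips the `alg` pin or the audience check accepts tokens it should not.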

Page 23: End to End Security with MVC and Web API


Social Login and User Consent

OAuth 2.0

- Supports variations of passive and active federation
- Popular for user consent flows, where one application wants access to user information held by another application: sharing Flickr photos, sharing tweets, Facebook integration
- NOT for authentication

Authentication

- Twitter, Facebook Connect, OpenID Connect

Page 24: End to End Security with MVC and Web API

User Consent

[Diagram: the authorization code flow between the Browser, the Client Application, the Authorization Server (with its Login Page) and the Resource Server, in eleven numbered steps: the user is sent to the login page; an Authorization Code comes back to the client application; the client exchanges it ("Get access token") for an Access + refresh token and stores the tokens; the client then requests information from the resource server and the requested information is returned, ultimately to the browser.]

Page 25: End to End Security with MVC and Web API


Social Login / Delegated Authorization

- Typical choices for B-to-B: username/password, Twitter, LinkedIn
- Typical choices for B-to-C: username/password, Twitter, Facebook (maybe), Google+
- Corporate environments: Windows, username/password, Live ID

Page 26: End to End Security with MVC and Web API

Registration Options

Page 27: End to End Security with MVC and Web API

Create Account

Page 28: End to End Security with MVC and Web API

Facebook Registration

Page 29: End to End Security with MVC and Web API

Facebook Registration (2)

Page 30: End to End Security with MVC and Web API

Twitter Registration

Page 31: End to End Security with MVC and Web API

Social Login

Page 32: End to End Security with MVC and Web API

Demo

Social Login

Page 33: End to End Security with MVC and Web API


Login or Register?

- Make both available
- Make it obvious
- A navigation bar is one option

Page 34: End to End Security with MVC and Web API

Access Control & Twitter

[Diagram: Your App federates, via the browser, with Access Control (Google, Yahoo!, Windows Live, Facebook) and, for Twitter, with Your STS; the redirects are numbered 1 to 6.]

Page 35: End to End Security with MVC and Web API

Your App & Facebook / Twitter

[Diagram: Your App talks to Twitter and Facebook directly through the browser, using OAuthWebSecurity.]
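The OAuthWebSecurity arrangement in the diagram above, together with the consent flow on the User Consent slide and the "initialize WebSecurity early" point, as an added example that is not code from the talk. It follows the pattern of the ASP.NET MVC 4 Internet template's AccountController; the connection string name, the provider credentials, the action and view names and the `ExternalLoginConfirmation` hand-off are hypothetical placeholders.

```csharp
using System.Web.Mvc;
using Microsoft.Web.WebPages.OAuth;
using WebMatrix.WebData;

// Added example, not the talk's code. Placeholder credentials and names.
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // Initialize WebSecurity early, at start-up, rather than lazily from a
        // filter that only runs on the first request to an account action.
        if (!WebSecurity.Initialized)
            WebSecurity.InitializeDatabaseConnection("DefaultConnection",
                "UserProfile", "UserId", "UserName", autoCreateTables: true);

        // Provider registration happens once. Real secrets belong in
        // configuration, never in source control; these are placeholders.
        OAuthWebSecurity.RegisterFacebookClient(appId: "FACEBOOK_APP_ID", appSecret: "FACEBOOK_APP_SECRET");
        OAuthWebSecurity.RegisterTwitterClient(consumerKey: "TWITTER_KEY", consumerSecret: "TWITTER_SECRET");
    }
}

[Authorize]
public class AccountController : Controller
{
    // Starts the consent flow. POST only, with an anti-forgery token, so a
    // third-party page cannot begin a login in the user's browser.
    [AllowAnonymous, HttpPost, ValidateAntiForgeryToken]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        return new ExternalLoginResult(provider,
            Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
    }

    // The provider redirects back here with the authorization code;
    // VerifyAuthentication exchanges it and fetches the user's identity.
    [AllowAnonymous]
    public ActionResult ExternalLoginCallback(string returnUrl)
    {
        var result = OAuthWebSecurity.VerifyAuthentication(
            Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
        if (!result.IsSuccessful)
            return RedirectToAction("ExternalLoginFailure");

        // Match on provider + provider user id only. E-mail and display name
        // are user-editable at the provider and must not be the account key.
        if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
            return RedirectToLocal(returnUrl);

        if (User.Identity.IsAuthenticated)
        {
            // Already signed in locally: link this external identity to the account.
            OAuthWebSecurity.CreateOrUpdateAccount(result.Provider, result.ProviderUserId, User.Identity.Name);
            return RedirectToLocal(returnUrl);
        }

        // Unknown identity: hand off to registration. The provider/user-id pair
        // travels as a protected blob the user cannot edit in the form.
        TempData["ExternalLoginData"] = OAuthWebSecurity.SerializeProviderUserId(result.Provider, result.ProviderUserId);
        TempData["SuggestedUserName"] = result.UserName;
        return RedirectToAction("ExternalLoginConfirmation", new { ReturnUrl = returnUrl });
    }

    [AllowAnonymous]
    public ActionResult ExternalLoginFailure()
    {
        return View();
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Open-redirect guard: only follow returnUrl when it stays on this site.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // ActionResult that performs the redirect to the provider.
    internal class ExternalLoginResult : ActionResult
    {
        public ExternalLoginResult(string provider, string returnUrl)
        {
            Provider = provider;
            ReturnUrl = returnUrl;
        }
        public string Provider { get; private set; }
        public string ReturnUrl { get; private set; }
        public override void ExecuteResult(ControllerContext context)
        {
            OAuthWebSecurity.RequestAuthentication(Provider, ReturnUrl);
        }
    }
}
```

The registration action that receives `ExternalLoginData` creates the local profile row, then calls `OAuthWebSecurity.CreateOrUpdateAccount` and `OAuthWebSecurity.Login`, after recovering the pair with `OAuthWebSecurity.TryDeserializeProviderUserId`. Two things to keep from this listing regardless of template version: the callback URL and every `returnUrl` must be served over SSL, since the provider's response and the resulting session cookie travel on it, and accounts are matched by `ProviderUserId`, never by an e-mail address the provider merely reported.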

Page 36: End to End Security with MVC and Web API

Access Control, Social & Azure AD (vision)

[Diagram: Your App using, via the browser, Access Control (Google, Yahoo!, Windows Live, Facebook), Twitter, a UserProfile store and Azure AD.]

Page 37: End to End Security with MVC and Web API


Identity and Access Management Tools

- Windows Azure Active Directory: sync directories with a domain, spin up new directories, connect with other IdPs
- Thinktecture: code base for an IdP and Authorization Server; fully functional, you own it, you can edit it; WS-Fed and OAuth2 now, SAML2 coming
- Auth0: hosted model, affordable, from small business to enterprise; for when you don't want to own the code and need IdP, Authorization Server and OpenID Connect support

Page 38: End to End Security with MVC and Web API


References

Conference resources: http://michelebusta.com

See my snapboards, currently at the alpha site: http://snapboardalpha.cloudapp.net/michelebusta (these will move to snapboard.com/michelebusta when the main site goes live; watch my blog for the announcement)

Contact me: [email protected] @michelebusta