Token authentication in ASP.NET Core
Post on 15-Apr-2017
TOKEN AUTHENTICATION in ASP.NET Core
Nate Barbettini (@nbarbettini)
Overview
● How Sessions Work (And Why They Suck)
● How Token Authentication Works
● Tokens + ASP.NET Core
How Sessions Work
Browser <-> ASP.NET:
(1) POST /login (Log In: nate@example.com / MySecretPassword123!)
(2) 200 OK
    Set-Cookie: session=dh7jWkx8fj;
(3) GET /profile (Open Profile Page)
    Cookie: session=dh7jWkx8fj;
(4) 200 OK (Profit!)
Session Store (server side): session=dh7jWkx8fj
Drawbacks of Sessions
● Scaling is hard
● Doesn’t work with mobile
How Token Authentication Works
Browser <-> ASP.NET:
(1) POST /login (Log In: nate@example.com / MySecretPassword123!)
(2) 200 OK
    eyJ0eXAiOiJKV...
    Browser stores the token: eyJ0eXAiOiJKV...
(3) GET /profile (Open Profile View)
    Authorization: Bearer eyJ0eXAiOiJKV...
(4) 200 OK (Profit!)
Advantages of Tokens
● Stateless!
● Works on both web and mobile
● Flexible
Anatomy of JSON Web Tokens
● A JWT is a JSON object that’s been stringified and base64url-encoded:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NjU1ODAwNzEsImV4cCI6MTQ5NzExNjA3NywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoibmF0ZUBleGFtcGxlLmNvbSIsImlzQXdlc29tZSI6InRydWUiLCJwcm92aWRlcyI6WyJzdGF0ZWxlc3MiLCJhdXRoZW50aWNhdGlvbiJdfQ.VXrLbyQeJfDmwTAg-JnRsyD23RYMQJshTx79z2STu0U
The three dot-separated segments, in order: Red = Header, Blue = Payload (“claims”), Green = Cryptographic signature (JWS)
Anatomy of JSON Web Tokens
Header: { typ: "JWT", alg: "HS256" }
Body: { iss: "Online JWT Builder", iat: 1465580071, exp: 1497116077, aud: "www.example.com", sub: "nate@example.com", isAwesome: "true", provides: [ "stateless", "authentication" ] }
● Cryptographically signed by the server
● Signature guarantees it hasn’t been forged or altered
Token Security
● Token expiration (exp claim) and not-before (nbf claim)
● Optional token revocation using a nonce (jti claim)
● Use HTTPS (TLS) everywhere!
● Store tokens securely
Where to Store Tokens?
● On mobile: local device storage, sent via HTTP headers
● On the web: cookies, or HTML5 storage plus HTTP headers
Where to Store Tokens?
● HTML5 web storage: vulnerable to XSS (cross-site scripting)
● Cookies: not vulnerable to XSS
  ○ Set the HttpOnly and Secure flags
  ○ Still need to protect against CSRF
● More info: Stormpath blog, https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
Generating Tokens in ASP.NET Core
● This functionality was included in ASP.NET, but was removed from ASP.NET Core.
● The community has stepped up to build this functionality:
  ○ Stormpath ASP.NET Core plugin
  ○ Thinktecture IdentityServer4
  ○ AspNet.Security.OpenIdConnect.Server
  ○ OpenIddict
● Basic JWT creation: JwtSecurityTokenHandler
Generating Tokens in ASP.NET Core
    using System;
    using System.Security.Claims;
    using System.IdentityModel.Tokens.Jwt;

    // username and _options (issuer, audience, signing credentials) come from the surrounding controller code
    var now = DateTime.UtcNow;
    var claims = new Claim[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, username),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
    };

    // Create the JWT and write it to a string
    var jwt = new JwtSecurityToken(
        issuer: _options.Issuer,
        audience: _options.Audience,
        claims: claims,
        notBefore: now,
        expires: now.Add(TimeSpan.FromMinutes(5)),
        signingCredentials: _options.SigningCredentials);
    var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
● Nate’s simple example on Github: https://github.com/nbarbettini/SimpleTokenProvider
Validating Tokens in ASP.NET Core
● Validating incoming Bearer (HTTP header) tokens is easy!
    using System.Text;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.IdentityModel.Tokens;

    // Demo key only: in a real deployment load the signing key from configuration or a secret store,
    // never from a string literal in source
    var mySecretKey = new SymmetricSecurityKey(
        Encoding.ASCII.GetBytes("mysupersecret_secretKey!123"));

    app.UseJwtBearerAuthentication(new JwtBearerOptions()
    {
        AutomaticAuthenticate = true,
        TokenValidationParameters = new TokenValidationParameters()
        {
            IssuerSigningKey = mySecretKey,
            ValidateLifetime = true,   // checks the exp and nbf claims
            ValidIssuer = "MyApplication",
            ValidAudience = "https://app.example.com",
        }
    });
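Added example, not code from the talk or from the SimpleTokenProvider project: a stand-alone Python version of what the anatomy and validation slides describe. It decodes the three segments of the slide's own token (header, claims, signature), mints an HS256 token the way JwtSecurityTokenHandler does, and applies the same checks as the TokenValidationParameters above (signature, issuer, audience, exp/nbf window). The signing key, issuer, audience and timestamps used are constructed; the key behind the slide's token is not on the page, so that token is only decoded, never treated as verified.

```python
import base64, hashlib, hmac, json

# The token shown on the slide (minted by the speaker; its signing key is not on the page).
SLIDE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NjU1ODAwNzEsImV4cCI6MTQ5NzExNjA3NywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoibmF0ZUBleGFtcGxlLmNvbSIsImlzQXdlc29tZSI6InRydWUiLCJwcm92aWRlcyI6WyJzdGF0ZWxlc3MiLCJhdXRoZW50aWNhdGlvbiJdfQ."
    "VXrLbyQeJfDmwTAg-JnRsyD23RYMQJshTx79z2STu0U")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def peek(token: str) -> tuple:
    """Decode header and claims WITHOUT verifying: for inspection only, never for authorization."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint header.payload.signature the way an HS256 issuer does."""
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_hs256(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """The checks TokenValidationParameters performs: signature, iss, aud, exp/nbf window."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm to what this server issues; the header is untrusted until the signature checks out.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # only trusted after the signature check above
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("bad issuer or audience")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):  # exp is mandatory, like ValidateLifetime
        raise ValueError("outside nbf/exp window")
    return claims

def check(token: str, key: bytes, issuer: str, audience: str, now: int) -> str:
    """Return 'ok' or the rejection reason (handy for logging and tests)."""
    try:
        validate_hs256(token, key, issuer, audience, now)
        return "ok"
    except ValueError as err:
        return str(err)
```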
Validating Tokens in ASP.NET Core
● JWTs in cookies? See SimpleTokenProvider on Github: https://github.com/nbarbettini/SimpleTokenProvider
About Stormpath
● Hosted user identity and authentication/authorization API
● Token generation and authentication
● Single Sign-On across multiple applications
● Multi-tenant support for SaaS applications
● Free (forever) developer tier
Links
● Token authentication in ASP.NET Core tutorial (this talk): https://stormpath.com/blog/token-authentication-asp-net-core
● Nate’s SimpleTokenProvider sample: https://github.com/nbarbettini/SimpleTokenProvider
● Web storage vs. cookies: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
Thank you!
Nate Barbettini
@nbarbettini
recaffeinate.co .ws