Identity & Access Control for .NET 4.5.x and beyond
Dominick Baier http://leastprivilege.com @leastprivilege think mobile!
2 @leastprivilege
Dominick Baier
• Security consultant at thinktecture
• Focus on
  – security in distributed applications
  – identity management
  – access control
  – Windows/.NET security
  – mobile app security
• Microsoft MVP for Developer Security
• ASP.NET Web API Advisor
• [email protected]
• http://leastprivilege.com
Agenda
• Past
• Present
• Future
Once upon a time…
2002
.NET 1.0 ASP.NET 1.0
interface IIdentity
{
    bool IsAuthenticated { get; }
    string AuthenticationType { get; }
    string Name { get; }
}

interface IPrincipal
{
    IIdentity Identity { get; }
    bool IsInRole(string roleName);
}
Dealing with identity
Diagram: plumbing code / infrastructure / runtime sets Thread.CurrentPrincipal (stored in thread-local storage, TLS); application logic gets it.
Principals & Identities
• WindowsPrincipal / WindowsIdentity – represents Windows accounts
• GenericPrincipal / GenericIdentity – represents non-Windows accounts
• FormsIdentity – ASP.NET FormsAuthentication user
• RolePrincipal – ASP.NET RoleProvider based user
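The set/get split around Thread.CurrentPrincipal from the previous slide, as an added example that is not from the slides: plumbing code authenticates and sets a GenericPrincipal, application logic only reads it through IPrincipal. The Plumbing and CustomerService classes, the user names and the "Sales" role are assumptions; the credential check itself is left out because the point is where the principal is set and where it is read.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Plumbing side: authenticates once and publishes the result on the current thread.
// In a real host this is the ASP.NET runtime, an HTTP module or a WCF binding.
static class Plumbing
{
    // Credential checking is out of scope here; what matters is what gets set and where.
    public static void SetAuthenticatedUser(string userName, string[] roles)
    {
        // authenticationType is free text; any non-empty value makes IsAuthenticated true
        var identity = new GenericIdentity(userName, "Constructed");
        Thread.CurrentPrincipal = new GenericPrincipal(identity, roles);
    }

    // Anonymous: a GenericIdentity with an empty name reports IsAuthenticated == false
    public static void SetAnonymous()
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}

// Application side: reads the principal, never sees a credential.
static class CustomerService
{
    public static string AddCustomer(string customerName)
    {
        var principal = Thread.CurrentPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("anonymous caller");
        if (!principal.IsInRole("Sales"))
            throw new UnauthorizedAccessException(principal.Identity.Name + " is not in role Sales");

        return "customer '" + customerName + "' added by " + principal.Identity.Name;
    }
}

class Program
{
    static void Main()
    {
        Plumbing.SetAuthenticatedUser("alice", new[] { "Sales" });
        TryAdd("Contoso");       // allowed: authenticated and in Sales

        Plumbing.SetAuthenticatedUser("bob", new[] { "Marketing" });
        TryAdd("Fabrikam");      // denied: wrong role

        Plumbing.SetAnonymous();
        TryAdd("Northwind");     // denied: not authenticated
    }

    static void TryAdd(string name)
    {
        try { Console.WriteLine(CustomerService.AddCustomer(name)); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

Thread.CurrentPrincipal is per thread. In ASP.NET the runtime sets it (together with HttpContext.User) for the request thread, and since .NET 4.5 it flows across await through the ExecutionContext; code that runs on a thread the host did not set up sees the process default, an unauthenticated GenericPrincipal, so a null or unauthenticated check like the one above must always be the first thing application logic does.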
Motivation (2002-present)
Diagram: trusted subsystem; credential types Basic, Digest, Forms and Windows authentication, client certificates, WS-Security tokens, SecurID, custom; audiences: corporate network, partners, customers, cloud.
In the meantime…
2002
.NET 1.0 ASP.NET 1.0
2006
.NET 3.0 WCF (#fail)
2009
WIF
2012
.NET 4.5
WIF & .NET 4.5
• Claims-based identity
• Security token handlers
• WS-Federation & WS-Trust
• SAML 1.1 & 2.0
Claims
• Many security systems out there
  – groups, roles
  – permissions, capabilities
  – specialized (e.g. Bell-LaPadula)
• Claim examples
  – Bob is an administrator
  – Jim's email address is [email protected]
  – Alice is allowed to add new customers
  – Dave is allowed to write documents up to 'confidential'
Claim
• Statement about an entity made by someone else
public class Claim
{
public virtual string Type { get; }
public virtual string Value { get; }
public virtual string Issuer { get; }
// rest omitted
}
ClaimsPrincipal & ClaimsIdentity

class ClaimsPrincipal : IPrincipal
{
    ReadOnlyCollection<ClaimsIdentity> Identities { get; }
}

class ClaimsIdentity : IIdentity
{
    IEnumerable<Claim> Claims { get; }
}

interface IPrincipal
{
    IIdentity Identity { get; }
    bool IsInRole(string roleName);
}

interface IIdentity
{
    bool IsAuthenticated { get; }
    string AuthenticationType { get; }
    string Name { get; }
}
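How the Claim, ClaimsIdentity and ClaimsPrincipal types on the last two slides fit together, as an added example that is not from the slides. It builds principals from constructed claims (the issuer name "urn:example:sts" and the "urn:example:clearance" claim type are assumptions) and shows how Name, IsAuthenticated and IsInRole are derived from claims, including the two cases that bite in practice: a token format with its own name/role claim types, and an identity that has claims but no authentication type.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

class Program
{
    const string Issuer = "urn:example:sts";   // assumed issuer name

    static void Main()
    {
        // 1. Standard claim types: ClaimTypes.Name feeds Identity.Name, ClaimTypes.Role feeds IsInRole
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "bob", ClaimValueTypes.String, Issuer),
            new Claim(ClaimTypes.Email, "bob@example.com", ClaimValueTypes.String, Issuer),
            new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String, Issuer),
            new Claim("urn:example:clearance", "confidential", ClaimValueTypes.String, Issuer)
        }, "Constructed");   // the authenticationType; without one, IsAuthenticated stays false

        var principal = new ClaimsPrincipal(identity);
        Console.WriteLine("name: " + principal.Identity.Name);
        Console.WriteLine("authenticated: " + principal.Identity.IsAuthenticated);
        Console.WriteLine("is admin: " + principal.IsInRole("Administrator"));
        Console.WriteLine("confidential clearance: " + principal.HasClaim("urn:example:clearance", "confidential"));

        // Claim.Issuer records who made the statement; check it before acting on a claim
        var email = principal.FindFirst(ClaimTypes.Email);
        Console.WriteLine(email.Value + " asserted by " + email.Issuer);

        // 2. Token formats with their own naming (JWT uses "sub" and "role"): tell ClaimsIdentity
        //    which claim types are the name and the role, or Name and IsInRole come back empty
        var jwtStyle = new ClaimsIdentity(
            new[] { new Claim("sub", "alice"), new Claim("role", "Sales") },
            "Constructed", "sub", "role");
        var p2 = new ClaimsPrincipal(jwtStyle);
        Console.WriteLine(p2.Identity.Name + " in Sales: " + p2.IsInRole("Sales"));

        // A claim created without an explicit issuer is attributed to ClaimsIdentity.DefaultIssuer
        Console.WriteLine("issuer of 'sub': " + jwtStyle.FindFirst("sub").Issuer);

        // 3. Claims alone do not make an identity authenticated: no authenticationType, no IsAuthenticated
        var noAuthType = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "eve") });
        Console.WriteLine("eve authenticated: " + new ClaimsPrincipal(noAuthType).Identity.IsAuthenticated);

        // 4. A principal can carry several identities (e.g. Windows plus federated); Claims spans all of them
        var combined = new ClaimsPrincipal(new[] { identity, jwtStyle });
        Console.WriteLine(combined.Identities.Count + " identities, " + combined.Claims.Count() + " claims");
    }
}
```

Case 3 is the one to remember when writing plumbing: every ClaimsIdentity the infrastructure hands to the application must be created with an authentication type, otherwise an IsAuthenticated check downstream fails even though the claims are all there.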
Inheritance structure in .NET 4.5
IPrincipal
  ClaimsPrincipal
    GenericPrincipal, WindowsPrincipal, RolePrincipal
IIdentity
  ClaimsIdentity
    FormsIdentity, WindowsIdentity, GenericIdentity
Credential type support
• Unification of various credential formats to a common ClaimsPrincipal representation
  – Windows / Kerberos
  – Forms Authentication
  – HTTP basic authentication
  – SSL client certificates
  – SAML 1.1/2.0
  – JSON Web Tokens (JWT)
  – extensible
Diagram: credential → ClaimsPrincipal → ClaimsIdentity → Claim, Claim, …
Security token handler
• standard implementations
• read token
• validate token
• write token
• token type
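The read / validate / write / token type shape of a SecurityTokenHandler, as an added example that is not from the slides or from WIF's shipped handlers. It implements a handler for a constructed token format ("base64(subject|roles|expiryTicks).base64(HMAC-SHA256)"), registers it in a SecurityTokenHandlerCollection and shows the collection dispatching to it; the HmacToken type, the issuer name, the token type identifier and the key are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// In-memory form of the constructed token "base64(subject|role1,role2|expiryTicks).base64(HMAC-SHA256 over payload)"
public class HmacToken : SecurityToken
{
    public HmacToken(string subject, IEnumerable<string> roles, DateTime expiresUtc)
    { Subject = subject; Roles = roles.ToList(); ExpiresUtc = expiresUtc; }
    public string Subject { get; private set; }
    public IList<string> Roles { get; private set; }
    public DateTime ExpiresUtc { get; private set; }
    public override string Id { get { return Subject + ":" + ExpiresUtc.Ticks; } }
    public override ReadOnlyCollection<SecurityKey> SecurityKeys { get { return new ReadOnlyCollection<SecurityKey>(new SecurityKey[0]); } }
    public override DateTime ValidFrom { get { return DateTime.MinValue; } }
    public override DateTime ValidTo { get { return ExpiresUtc; } }
}

public class HmacTokenHandler : SecurityTokenHandler
{
    const string Issuer = "urn:example:sts";               // assumed issuer name
    const string TokenTypeId = "urn:example:hmac-token";   // assumed token type identifier
    readonly byte[] _key;
    public HmacTokenHandler(byte[] key) { _key = key; }

    public override Type TokenType { get { return typeof(HmacToken); } }
    public override string[] GetTokenTypeIdentifiers() { return new[] { TokenTypeId }; }
    public override bool CanValidateToken { get { return true; } }
    public override bool CanWriteToken { get { return true; } }
    public override bool CanReadToken(string tokenString) { return tokenString.Split('.').Length == 2; }

    // read token: verify the MAC before interpreting a single byte of the payload
    public override SecurityToken ReadToken(string tokenString)
    {
        var parts = tokenString.Split('.');
        if (parts.Length != 2) throw new SecurityTokenException("malformed token");
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { throw new SecurityTokenException("malformed token"); }
        if (!FixedTimeEquals(Mac(payload), mac)) throw new SecurityTokenException("signature check failed");

        var fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 3) throw new SecurityTokenException("malformed payload");
        var roles = fields[1].Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        return new HmacToken(fields[0], roles, new DateTime(long.Parse(fields[2]), DateTimeKind.Utc));
    }

    // validate token: lifetime check, then map the token to claims attributed to this issuer
    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        var t = token as HmacToken;
        if (t == null) throw new SecurityTokenValidationException("unexpected token type");
        if (t.ValidTo < DateTime.UtcNow) throw new SecurityTokenExpiredException("token has expired");

        var claims = new List<Claim> { new Claim(ClaimTypes.Name, t.Subject, ClaimValueTypes.String, Issuer) };
        claims.AddRange(t.Roles.Select(r => new Claim(ClaimTypes.Role, r, ClaimValueTypes.String, Issuer)));
        return new ReadOnlyCollection<ClaimsIdentity>(new[] { new ClaimsIdentity(claims, TokenTypeId) });
    }

    // write token: serialize, then sign
    public override string WriteToken(SecurityToken token)
    {
        var t = (HmacToken)token;
        var payload = Encoding.UTF8.GetBytes(t.Subject + "|" + string.Join(",", t.Roles) + "|" + t.ExpiresUtc.Ticks);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Mac(payload));
    }

    byte[] Mac(byte[] data) { using (var h = new HMACSHA256(_key)) return h.ComputeHash(data); }

    // length-independent comparison so a forged MAC cannot be guessed byte by byte
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

class Program
{
    static void Main()
    {
        var key = new byte[32]; new RNGCryptoServiceProvider().GetBytes(key);
        var handlers = new SecurityTokenHandlerCollection { new HmacTokenHandler(key) };

        // the collection dispatches on CanReadToken / TokenType to the matching handler
        var issued = handlers.WriteToken(new HmacToken("alice", new[] { "Sales" }, DateTime.UtcNow.AddMinutes(5)));
        var identity = handlers.ValidateToken(handlers.ReadToken(issued))[0];
        Console.WriteLine(identity.Name + " roles: " + string.Join(",", identity.FindAll(ClaimTypes.Role).Select(c => c.Value)));

        // tampering with the payload (here: adding a role) breaks the MAC and ReadToken rejects it
        var tampered = Convert.ToBase64String(Encoding.UTF8.GetBytes("alice|Sales,Admin|" + DateTime.MaxValue.Ticks)) + issued.Substring(issued.IndexOf('.'));
        try { handlers.ReadToken(tampered); }
        catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The split between ReadToken and ValidateToken mirrors the shipped handlers (SAML, JWT): reading proves integrity and parses, validating applies policy (lifetime, and for real handlers issuer and audience) and only then produces identities. Anything that parses untrusted fields before checking the signature, or compares MACs with a normal equality check, gets the order wrong.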
External authentication
Diagram: (1) the Client authenticates at the Security Token Service (external/cloud) and receives a Token; (2) the Client presents the Token to the Relying Party.
Federated & Session Authentication
• WS-Federation implementation
• FormsAuthentication replacement

<modules>
  <add name="WSFederationAuthenticationModule"
       type="…WSFederationAuthenticationModule, …" />
  <add name="SessionAuthenticationModule"
       type="…SessionAuthenticationModule, …" />
</modules>
PrincipalPermission
• Ships with the .NET Framework (since version 1)
  – "the old way"
  – based on code access security
  – invoked by the CLR
  – typically clashes with unit testing
  – throws a SecurityException
  – limited to roles
  – encourages you to mix authorization & business logic

[PrincipalPermission(SecurityAction.Demand, Roles = "Marketing")]
public ActionResult AddCustomer() { ... }
Resource/Action based Authorization
• Decoupling of
  – what the code is doing
  – who is allowed to execute the code

[ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Add", Resource = "Customer")]
public void AddCustomer(Customer customer) { … }

void Print(Document document)
{
    if (ClaimsPrincipalPermission.CheckAccess(document.Printer, "Print"))
    {
        …
    }
}
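The other half of resource/action based authorization, as an added example that is not from the slides: the ClaimsAuthorizationManager that the attribute and the static CheckAccess call on the slide delegate to. The policy table, the "urn:example:department" claim type and the resource/action names are assumptions; the point is that the mapping from (resource, action) to required claims lives in one place, outside the business code, and fails closed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public class AuthorizationManager : ClaimsAuthorizationManager
{
    // Policy: "resource/action" -> predicate over the caller. This is the only place that knows
    // which claims an operation needs; AddCustomer and Print never mention roles or departments.
    static readonly Dictionary<string, Func<ClaimsPrincipal, bool>> Policy =
        new Dictionary<string, Func<ClaimsPrincipal, bool>>
        {
            { "Customer/Add",  p => p.HasClaim(ClaimTypes.Role, "Sales") },
            { "Customer/Read", p => p.Identity.IsAuthenticated },
            { "Printer/Print", p => p.HasClaim("urn:example:department", "Marketing") }
        };

    public override bool CheckAccess(AuthorizationContext context)
    {
        // Resource and Action are claim collections; the string overloads of
        // ClaimsPrincipalPermission.CheckAccess put exactly one claim in each.
        var resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        var action = context.Action.Select(c => c.Value).FirstOrDefault();
        if (resource == null || action == null) return false;

        Func<ClaimsPrincipal, bool> rule;
        // default deny: a (resource, action) pair with no rule is refused, not allowed
        return Policy.TryGetValue(resource + "/" + action, out rule) && rule(context.Principal);
    }
}

class Program
{
    static ClaimsPrincipal Make(string name, params Claim[] extra)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, name) };
        claims.AddRange(extra);
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Constructed"));
    }

    static void Main()
    {
        var manager = new AuthorizationManager();
        var sales = Make("alice", new Claim(ClaimTypes.Role, "Sales"));
        var marketing = Make("bob", new Claim("urn:example:department", "Marketing"));

        // same calls ClaimsPrincipalPermission.CheckAccess(resource, action) makes internally
        Console.WriteLine("alice Customer/Add: " + manager.CheckAccess(new AuthorizationContext(sales, "Customer", "Add")));
        Console.WriteLine("bob Customer/Add: " + manager.CheckAccess(new AuthorizationContext(marketing, "Customer", "Add")));
        Console.WriteLine("bob Printer/Print: " + manager.CheckAccess(new AuthorizationContext(marketing, "Printer", "Print")));
        Console.WriteLine("alice Invoice/Delete (no rule): " + manager.CheckAccess(new AuthorizationContext(sales, "Invoice", "Delete")));
    }
}
```

For the attribute and ClaimsPrincipalPermission.CheckAccess to reach this class it has to be registered: in .NET 4.5 through the claimsAuthorizationManager element under system.identityModel in web.config, or programmatically through FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthorizationManager. Because the slide's manager works on ClaimsPrincipal only, it is also trivially unit-testable, which is the PrincipalPermission pain point the previous slide lists.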
Present
2002
.NET 1.0 ASP.NET 1.0
2006
.NET 3.0 WCF (#fail)
2009
WIF
2012
.NET 4.5
2013
Katana 2.0
What is Katana?
• Microsoft's OWIN implementation
  – https://katanaproject.codeplex.com/
• Set of hosts and servers
  – IIS or self-hosting
• Set of convenience classes
  – OwinContext, OwinRequest, OwinResponse, etc.
  – AppBuilderUseExtensions
  – AuthenticationManager
• Set of middleware for common features
  – Authentication
  – Hosting content (e.g. static files)
  – CORS
OWIN Architecture
• Host manages process lifetime
• Server hosts HTTP and implements the OWIN API
• Middleware are linked components that process requests
• Application code targeting a framework (e.g. Web API)
Diagram: User Agent → Host → OWIN Server → Some Middleware → Some Other Middleware → Application
Katana == Microsoft.Owin.*
Katana Authentication Manager
• Katana provides a uniform authentication API
  – available via OwinContext

public interface IAuthenticationManager
{
    ClaimsPrincipal User { get; set; }
    void SignIn(params ClaimsIdentity[] identities);
    void SignOut(params string[] authenticationTypes);
    Task<AuthenticateResult> AuthenticateAsync(string authenticationType);
    void Challenge(params string[] authenticationTypes);
    IEnumerable<AuthenticationDescription> GetAuthenticationTypes();
}
Cookie Middleware
• Forms / Session authentication replacement

public void Configuration(IAppBuilder app)
{
    var options = new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies",
        LoginPath = new PathString("/account/login"),
        ExpireTimeSpan = TimeSpan.FromHours(4),
        CookieSecure = CookieSecureOption.Always
    };
    app.UseCookieAuthentication(options);
}
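The cookie middleware and the IAuthenticationManager from the previous two slides working together, as an added example that is not from the slides: a Startup with the cookie options, a login endpoint that verifies a password and calls SignIn, and an application that calls Challenge when there is no valid cookie. The /account/login handler, the UserStore and its single PBKDF2-hashed user are constructed for the example; the middleware calls are Katana's (Microsoft.Owin, Microsoft.Owin.Security.Cookies).

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            LoginPath = new PathString("/account/login"),
            ExpireTimeSpan = TimeSpan.FromHours(4),
            SlidingExpiration = false,                 // hard lifetime: a stolen cookie dies after 4h
            CookieHttpOnly = true,                     // keep the ticket out of reach of script
            CookieSecure = CookieSecureOption.Always   // never sent over plain HTTP
        });

        // POST /account/login with form fields "username" and "password"
        app.Map("/account/login", login => login.Run(async ctx =>
        {
            if (ctx.Request.Method != "POST") { ctx.Response.StatusCode = 405; return; }
            var form = await ctx.Request.ReadFormAsync();
            string[] roles;
            if (!UserStore.Verify(form["username"], form["password"], out roles))
            {
                ctx.Response.StatusCode = 401;   // same answer for unknown user and wrong password
                return;
            }

            // the identity's AuthenticationType must match the middleware's, or SignIn is ignored
            var identity = new ClaimsIdentity("Cookies");
            identity.AddClaim(new Claim(ClaimTypes.Name, form["username"]));
            foreach (var role in roles) identity.AddClaim(new Claim(ClaimTypes.Role, role));

            // SignIn hands the identity to the cookie middleware, which protects it with the
            // host's data protection (machine key / DPAPI) and emits Set-Cookie on this response
            ctx.Authentication.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
            ctx.Response.Redirect("/");
        }));

        // the application: reads the principal the middleware rebuilt from the cookie
        app.Run(async ctx =>
        {
            var user = ctx.Authentication.User;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                // 401 plus a challenge for "Cookies" makes the middleware redirect to LoginPath
                ctx.Response.StatusCode = 401;
                ctx.Authentication.Challenge("Cookies");
                return;
            }
            await ctx.Response.WriteAsync("hello " + user.Identity.Name);
        });
    }
}

// Constructed user store: one user with a PBKDF2-hashed password. Replace with real persistence.
static class UserStore
{
    static readonly byte[] Salt = new byte[16];
    static readonly byte[] Hash;

    static UserStore()
    {
        new RNGCryptoServiceProvider().GetBytes(Salt);
        Hash = Derive("correct horse battery staple");
    }

    static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 10000)) return kdf.GetBytes(32);
    }

    public static bool Verify(string user, string password, out string[] roles)
    {
        roles = new string[0];
        if (user != "alice" || password == null) return false;
        var candidate = Derive(password);
        int diff = 0;                                  // constant-time comparison of the hashes
        for (int i = 0; i < Hash.Length; i++) diff |= Hash[i] ^ candidate[i];
        if (diff != 0) return false;
        roles = new[] { "Sales" };
        return true;
    }
}
```

Self-host it with WebApp.Start<Startup>("https://localhost:9443") from Microsoft.Owin.Hosting (an HTTPS listener needs a certificate bound to the port first). Two things to check when this does not behave: with CookieSecure = Always the browser silently drops the cookie on an http:// URL, so a site tested over plain HTTP loops back to the login page forever; and Challenge only turns into a redirect because the status code is set to 401 first.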
External Authentication

Name                 Description
Google               Both OpenID and OAuth2/OpenID Connect
Twitter              OAuth1
Facebook             OAuth2
Microsoft Account    OAuth2
JWT                  Bearer (JSON Web Token)
ActiveDirectory      Bearer (JWTs from Azure/ADFS3)
Federation*          WS-Federation
OIDC*                OpenID Connect

Community providers: Yahoo, LinkedIn, Steam, GitHub (https://github.com/owin-middleware/OwinOAuthProviders); FourSquare, Instagram, Dropbox, Flickr, StackExchange (https://github.com/KatanaContrib)
ASP.NET Identity
• Successor to the dreaded ASP.NET (simple) Membership
  – supports claims
  – supports external sign-ins and account linking
  – supports two-factor authentication
  – no dependencies on ASP.NET
  – more control over user/profile data and persistence
  – separate NuGet package / release cycle
• Still room for improvement
  – http://brockallen.com/2014/02/11/introducing-identityreboot/
Web API v2.1
• Built-in support for OAuth2 patterns
  – producing & consuming access tokens
  – as a replacement for cookie-based authentication
• More plumbing
  – authentication filters
  – integration with Katana authentication middleware
  – CORS
"Embedded" OAuth2 Token Service
• OAuth2 authorization server middleware can emit tokens
  – supports the protocols of all OAuth2 flows
• OAuth2 bearer token middleware consumes tokens
  – similar to cookie middleware
Diagram: User Agent → OWIN Host, which contains the Authorization Server middleware (token endpoint) and the Bearer middleware in front of the Application.
OAuth2 Producer/Consumer Middleware

// token generation
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/token"),
    AccessTokenExpireTimeSpan = TimeSpan.FromHours(8),
    Provider = new SimpleAuthorizationServerProvider()
});

// token consumption
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

app.UseWebApi(WebApiConfig.Register());
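The SimpleAuthorizationServerProvider that the configuration above refers to, written out as an added example that is not from the slides, together with the Web API 2.1 authentication-filter wiring from the previous slide. It implements the resource owner password credentials grant: the provider authenticates the client, checks the user, and hands the bearer middleware a ClaimsIdentity with only the scopes it recognises. The client registration, the user store, the scope names and the customers controller are constructed for the example; the middleware and provider APIs are Katana's (Microsoft.Owin.Security.OAuth).

```csharp
using System;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // Step 1: authenticate the client. Not calling Validated() makes the middleware answer invalid_client.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (context.TryGetBasicCredentials(out clientId, out clientSecret) ||
            context.TryGetFormCredentials(out clientId, out clientSecret))
        {
            // constructed client registration; a real store keeps hashed secrets
            if (clientId == "mobileapp" && clientSecret == "s3cret")
                context.Validated(clientId);
        }
        return Task.FromResult(0);
    }

    // Step 2: resource owner password grant:
    //   POST /token  grant_type=password&username=alice&password=...&scope=read write
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!UserStore.Verify(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }

        // AuthenticationType must match the bearer middleware ("Bearer" is the default for both)
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));

        // grant only scopes that were requested AND that this server recognises
        foreach (var scope in context.Scope)
            if (scope == "read" || scope == "write")
                identity.AddClaim(new Claim("scope", scope));

        context.Validated(identity);   // the middleware serializes this identity into the access token
        return Task.FromResult(0);
    }
}

static class UserStore
{
    // constructed; a real store hashes and compares properly (see the cookie middleware example)
    public static bool Verify(string user, string password) { return user == "alice" && password == "pass"; }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // token generation
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(8),
            Provider = new SimpleAuthorizationServerProvider(),
            AllowInsecureHttp = false   // the default, stated explicitly: credentials and tokens only over TLS
        });

        // token consumption: reads "Authorization: Bearer ..." and sets the principal
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        // Web API 2.1 authentication filters: ignore whatever the host authenticated (e.g. a cookie)
        // and accept only the "Bearer" principal, so a browser cookie cannot drive this API (CSRF)
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter("Bearer"));
        app.UseWebApi(config);
    }
}

[Authorize]
[RoutePrefix("api/customers")]
public class CustomersController : ApiController
{
    [Route(""), HttpGet]
    public IHttpActionResult Get()
    {
        // authorize on a token claim, not merely on "is authenticated"
        var principal = (ClaimsPrincipal)User;
        if (!principal.HasClaim("scope", "read")) return StatusCode(HttpStatusCode.Forbidden);
        return Ok(new[] { "Contoso", "Fabrikam" });   // constructed data
    }
}
```

The access token the server middleware emits is Katana's own protected format (machine key / DPAPI), not a JWT; the bearer middleware can read it only because both run in the same host with the same data protection configuration. That is the limit the next slide is about.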
Switching to a real OAuth2 Authorization Server
Diagram: (1) the User Agent obtains a token from a separate Authorization Server; (2) it presents the token to the OWIN Host, where JWT middleware validates it in front of the Application. One Authorization Server serves 1…n such hosts.
JSON Web Token Middleware… and more

public void Configuration(IAppBuilder app)
{
    // authorization manager
    ClaimsAuthorization.CustomAuthorizationManager = new AuthorizationManager();

    // validate JWT tokens from AuthorizationServer
    app.UseJsonWebToken(
        issuer: IssuerName,
        audience: Audience,
        signingKey: SigningKey);

    // claims transformation
    app.UseClaimsTransformation(new ClaimsTransformer().Transform);

    app.UseWebApi(WebApiConfig.Configure());
}
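The same pipeline built from Katana's own pieces, as an added example that is not from the slides: the UseJsonWebToken and UseClaimsTransformation calls on the slide are thinktecture helpers, here replaced by Microsoft.Owin.Security.Jwt's UseJwtBearerAuthentication (which checks signature, issuer, audience and lifetime) followed by an inline claims transformation middleware. The issuer, audience, key, the "urn:example:api" issuer for application-local claims and the role lookup are constructed; the ClaimsTransformer is this example's, not the one referenced on the slide.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public class Startup
{
    // Constructed values; in practice the key is exchanged out of band with the authorization server
    const string IssuerName = "urn:example:authorizationserver";
    const string Audience = "urn:example:api";
    static readonly byte[] SigningKey = Convert.FromBase64String("Mzk3YzY1NDBlYmE0ZjJjZmRmMmE3MmQ4ZWJkNjM4YWQ=");

    public void Configuration(IAppBuilder app)
    {
        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            // "aud" must be one of these; a token minted for another API is rejected
            AllowedAudiences = new[] { Audience },
            // "iss" must be a known issuer and the signature must verify with that issuer's key
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new SymmetricKeyIssuerSecurityTokenProvider(IssuerName, SigningKey)
            }
        });

        // Claims transformation: runs after the JWT middleware has set the principal and before
        // the application sees it; an active-mode middleware already validated the token by now
        app.Use(async (ctx, next) =>
        {
            var incoming = ctx.Authentication.User;
            if (incoming != null && incoming.Identity.IsAuthenticated)
                ctx.Authentication.User = ClaimsTransformer.Transform(incoming);
            await next();
        });

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter("Bearer"));
        app.UseWebApi(config);
    }
}

public static class ClaimsTransformer
{
    // Constructed application-local role data keyed by the token's subject
    static readonly Dictionary<string, string> Roles = new Dictionary<string, string> { { "alice", "Sales" } };

    public static ClaimsPrincipal Transform(ClaimsPrincipal incoming)
    {
        // The JWT handler's inbound claim type map renames "sub" to ClaimTypes.NameIdentifier
        // by default, so look for both spellings
        var sub = incoming.FindFirst("sub") ?? incoming.FindFirst(ClaimTypes.NameIdentifier);
        // fail closed: a token without a subject yields an unauthenticated principal
        if (sub == null) return new ClaimsPrincipal(new ClaimsIdentity());

        // new identity with JWT-style name/role claim types so Name and IsInRole work
        var identity = new ClaimsIdentity("Transformed", "sub", "role");
        identity.AddClaim(new Claim("sub", sub.Value, ClaimValueTypes.String, sub.Issuer));

        // keep only the incoming claims the application cares about (scopes), with their issuer intact
        foreach (var scope in incoming.FindAll("scope"))
            identity.AddClaim(new Claim("scope", scope.Value, ClaimValueTypes.String, scope.Issuer));

        // add application-owned data, attributed to this application rather than to the STS
        string role;
        if (Roles.TryGetValue(sub.Value, out role))
            identity.AddClaim(new Claim("role", role, ClaimValueTypes.String, "urn:example:api"));

        return new ClaimsPrincipal(identity);
    }
}
```

The transformation is where the slide's "and more" lives: it turns whatever the authorization server asserted into the small, application-shaped principal the authorization manager of the earlier slide reasons about, and it keeps the issuer on each claim so a later check can tell an STS-asserted scope from a role this application added itself.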
(near) Future
2002
.NET 1.0 ASP.NET 1.0
2006
.NET 3.0 WCF (#fail)
2009
WIF
2012
.NET 4.5
2013
Katana 2.0
2014
Katana 3.0
Bringing back "Enterprise"
• WS-Federation middleware

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies"
});

app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
    MetadataAddress = "https://…/FederationMetadata/2007-06/FederationMetadata.xml",
    Wtrealm = "urn:owinrp",
    SignInAsAuthenticationType = "Cookies"
});
OpenID Connect

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies"
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Client_Id = "implicitclient",
    Authority = Constants.BaseAddress,
    Redirect_Uri = "http://localhost:2671/",
    Response_Type = "id_token token",
    Scope = "openid email read",
    SignInAsAuthenticationType = "Cookies"
});

(Pre-release property names; the released Katana 3.0 package calls these ClientId, RedirectUri and ResponseType.)
Next year (probably)…
2002
.NET 1.0 ASP.NET 1.0
2006
.NET 3.0 WCF (#fail)
2009
WIF
2012
.NET 4.5
2013
Katana 2.0
2014
Katana 3.0
2015
Katana 4.0 MVC 6
SignalR 3 EF7
"ProjectK"
Summary
• Identity and Access Control on .NET has come a long way
  – claims-based identity
  – token handling
  – authentication protocols
• Katana is the way forward
  – foundation for all new security investments
• Cookies, WS-Federation, OpenID Connect, OAuth2…
thank you!