Bye bye Identity Server
0 likes237 views
The document discusses the significance of OAuth 2 and OpenID Connect within the context of identity and access management, particularly focusing on the ASP.NET Core framework and Azure's capabilities. It introduces Duende IdentityServer as a rebranded version of IdentityServer 4, highlighting essential features like token-based authentication and support for external identity providers. Additionally, it emphasizes the importance of using standard protocols for user authentication and authorization to improve security and efficiency in application development.
Bye bye Identity Server
- 1. #GlobalAzure May 5th – 7th,2022
- 4. What happened? OAuth 2 & OpenId Connect Other libraries and frameworks Azure to the rescue
- 6. ASP.NET Core Framework that helps us to incorporate following features to our applications: Token-based authentication Single-sign-on Api access control Federation gateway (Support for external identity providers like Azure Active Directory, Google, Facebook, etc…)
- 7. https://leastprivilege.com/2020/10/01/the-future-of-identityserver/ The “salseo” 3 years => 60k$ Duende Software is founded (https://duendesoftware.com) IdentityServer 4 will be rebranded as Duende IdentityServer. Duende IdentityServer will contain all new feature work and will target .NET Core 3.1 and .NET 5 (and all versions beyond)
- 10. The question
- 11. #GlobalAzure #GlobaAzureSpain OAuth 2 & OpenId Connect
- 12. OAuth 2.0 is the industry-standard protocol for authorization (RFC 6749) Grant types: Authorization code (common user flow for confidential and public clients) Client credentials (machine to machine) Device code (Apple Tv, Playstation, etc…) Extensions: PKCE. Extension for authorization code to prevent CSRF and injection attacks Refresh tokens Grants allow you to get an Access token that will allow you to invoke a protected resource (API for example) https://oauth.net/2/
- 13. For confidential clients There is no end-user participating Usually for “Machine to machine”
- 14. For both confidential and public clients Token does not represent an user The common flow you all know
- 16. Legacy grant types: Implicit flow Authorization code Password grant (resource owner)
- 17. OAuth 2 issues an access token to access protected resources OpenId Connect is an identity layer on top of the OAuth2 protocol. Issues an extra token to the client application, called the identity token. This token contains user profile information which can be used by client applications to identify the end-user. It's wise to keep your tokens small. Therefore, the OpenID Connect protocol offers the possibility to expose an userinfo endpoint from which clients can retrieve extra information about the end-user which is not stored in the identity token
- 19. ASP.NET Core Framework that helps us to incorporate following features to our applications: Token-based authentication Single-sign-on Api access control Federation gateway (Support for external identity providers like Azure Active Directory, Google, Facebook, etc…)
- 21. #GlobalAzure #GlobaAzureSpain Azure to the rescue
- 22. Is a customer identity access management (CIAM) solution that helps you to incorporate following features to our applications: Token-based authentication Single-sign-on Api access control Federation gateway (Support for external identity providers like Azure Active Directory, Google, Facebook, etc…) Features: Managed service build on same technology than Azure AD Takes care of the scaling Handles threats like denial-of-service, password spray, or brute force attacks Fully customizable flows Custom-branded identity solution
- 25. Custom policies Very complex Based on XML “Azure AD B2C es mucho más de lo que ves en el portal” Unai https://github.com/azure-ad-b2c/Gaining-expertise-with-Azure-AD-B2C/blob/main/policies/Module7/SignUpOrSigninUsingSalesforceAndGoogle.xml
- 27. • Make a decision before others force you to make it • Stop writing your own user authentication/authorization code • Use well known standard protocols • Know them in depth
- 29. https://docs.microsoft.com/es-es/azure/active-directory-b2c/ Solutions and training: https://docs.microsoft.com/en-us/azure/active-directory-b2c/solution-articles https://app.pluralsight.com/library/courses/developing-azure-active-directory-b2c-applications Custom policies: https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-overview
Editor's Notes
- #2: Tengo 45 mins!
- #8: Today IdentityServer4 is used by thousands of companies and has achieved over 12 million total downloads on Nuget, and has become the de facto standard for .NET-based token services.
- #11: ¿y si nos quedamos así? Es una opción, pero recomiendo migrar mientras puedas decidir cuando hacerlo. Más adelante puede aparecer una vulnerabilidad y tendrás que hacerlo si o si, y con prisa.
- #15: Con client ID Con client ID + secret
- #16: az login --use-device-code
- #21: Demo de OpenIdDict Lanzamos Velusia Enseñamos login y acceso a recurso Comentamos que no se ven los tokens, es muy seguro, porque se intercambian server a server Mostramos como es el código. Primero server, comentamos como se configura y que es algo más de más bajo nivel que Identity Server Luego el client: es standard, nada especial, usando librerías de Micro
- #24: Primero: creamos los flows y los probamos. Borrar antes usuario Recuerda pedir claims: Nombre, apellido, ciudad, región, alias Después la aplicación (https://localhost:5000/signin-oidc y https://jwt.ms), y la configuramos. Recuerda marcar tokens. Probamos desde asp.net Hablamos de que devuelve un id_token, eso no nos vale para acceder a un API. Para eso necesitamos Access token Editamos profile Primero custom layout Después fondo etc… (company branding) Tb app local
- #25: Enseño a poner fondo y banner Tb pagina html a pelo, que la tengo en un storage. Suscripción: visual studio proffesional