Identity and access management is a core part of any solution design. Your web, mobile and rich client applications require a user login experience that typically involves single sign-on (SSO); APIs are called from client-facing applications, from background workers, and across multiple application tiers. And then, of course, there is the need for fine-grained authorization to control access to application areas, APIs, and other resources. This session gives you a top-to-bottom tour of implementing a secure solution based on standards like OAuth2 and OpenID Connect, and shows a permissions model after which you can pattern authorization checks throughout the code. Along the way we'll also look at recommended practices for each step, from user login and session management to secure token flow across tiers. Code demonstrations will be based on ASP.NET but are relevant to other platforms in practice.
IDaaS - Modern Security for your Web Apps and APIs
2. IDaaS - Modern Security for your Web Apps and APIs
Michele Leroux Bustamante
Cofounder, Solliance
Cloud / Security Architect
michelebusta@solliance.net
3. Example Solution Topology (diagram: Browser running a JavaScript Web App; JS Web API; Backend Web API; Server Process; Mobile App; Mobile Web API; API Gateway; Partner Web API; Queues; Third Party Apps)
5. Example Solution Topology (diagram: the same topology with an Authorization Server added; LOGIN points are marked at the Browser/JavaScript Web App, the Mobile App and the Third Party Apps)
6. Concepts
• Authentication
  • User, application / service
• Token Flow
  • Authentication, front end APIs, back end APIs
  • Token validation, delegation, lifetime management
• Protocols
  • OpenID Connect, OAuth2, JSON Web Token (JWT)
• Types of Tokens
  • ID token
  • Access token
  • Refresh token
  • Reference token
7. OAuth2 Concepts
• Separate role of client and resource owner
  • Resource owner (end-user)
  • Resource server (protects resource, requires token)
  • Client (makes requests for resource owner)
  • Authorization Server (issues token after authenticating resource owner and getting authorization for the client)
14. JavaScript to APIs
• Token available to Browser
  • Retrieved during login
  • Returned with page security context
  • Watch the PII
• Calls back to APIs
  • Within web application
  • CORS
16. JavaScript calls to Web API (2) (diagram: Browser HTML/JS and Web API; the token is embedded in the page, the browser passes it in the Authorization header, and the Web API validates the token and authorizes access)
19. Web Application / API to Web API
• Have a token (user login)
  • Passed to Web API
  • Written to cookie (for pages)
• Request new token (delegation)
  • Options
    • ID token for ID token
    • ID token for access token
    • Access token for access token
    • …
  • Act As
    • Not an official specification (in progress)
22. Background Workers
• No user login, unattended
• Alternative to token exchange
  • Trusted subsystem model
  • Client credentials (client id and secret)
25. Mobile Apps
• Native login (same for rich clients)
  • Resource Owner flow
  • User provides credentials
• Web View
  • Implicit flow
  • Creates SSO session with AS
• Hybrid models
26. Mobile Use Case (Web View) (diagram: Mobile App starts the OAuth2 Implicit Flow through a login page with JavaScript; credentials are POSTed to the AS, which authenticates and issues claims; the app then calls the Mobile Web API)
27. Mobile Use Case (Native) (diagram: Mobile App uses the Resource Owner flow; the native login page collects credentials, which are POSTed to the AS; the AS authenticates and issues a token; the app then calls the Mobile Web API)
31. API to API / pre-cache (diagram: Browser/SPA JS calls the JS API with the session token AT1; the JS API presents client id + secret to the AS to obtain AT2, stores it in the API Token Cache (15 mins), and calls the Back End API with AT2)
32. API to API / post-cache (diagram: Browser/SPA JS calls the JS API with the session token AT1; the JS API reads AT2 from the API Token Cache (15 mins) and calls the Back End API with AT2, with no round trip to the AS)
33. Trusted Subsystem (diagram: Client App presents client id + secret to the AS to obtain AT3, stores it in the API Token Cache (15 mins), and calls the Back End API with AT3)
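As an added example (not code from the talk, which used ASP.NET), a Python sketch of the API Token Cache pattern from slides 22 and 31-33: the calling API obtains a token for the back-end API with its own client id and secret (client credentials), caches it per scope for the 15-minute lifetime, and renews it shortly before expiry so a request never goes out with a token about to lapse. The AS token endpoint, client registry, scope names and the `ApiTokenCache` class are all constructed for this example.

```python
import itertools
import time
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed stand-in for the Authorization Server (AS) token endpoint.
# A real client would POST grant_type=client_credentials to it over TLS.
_FAKE_AS_CLIENTS = {"jsapi": "s3cret"}  # constructed client registry
_counter = itertools.count(1)

def fake_as_client_credentials(client_id: str, client_secret: str, scope: str) -> dict:
    """Issue an access token (AT) only if client id + secret are valid."""
    if _FAKE_AS_CLIENTS.get(client_id) != client_secret:
        raise PermissionError("invalid_client")
    return {"access_token": f"AT{next(_counter)}-{scope}", "expires_in": 900}  # 15 mins

@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # epoch seconds

class ApiTokenCache:
    """Caches client-credentials tokens per downstream scope: a miss takes
    the 'pre-cache' path (round trip to the AS), a hit the 'post-cache' path."""

    def __init__(self, client_id: str, client_secret: str,
                 token_endpoint=fake_as_client_credentials,
                 clock=time.time, refresh_margin: float = 60.0):
        self._client_id = client_id
        self._client_secret = client_secret        # used only when calling the AS
        self._token_endpoint = token_endpoint
        self._clock = clock                        # injectable for testing
        self._refresh_margin = refresh_margin      # renew this long before expiry
        self._cache: Dict[str, CachedToken] = {}

    def get_token(self, scope: str) -> Tuple[str, bool]:
        """Return (access_token, from_cache) for the given back-end API scope."""
        now = self._clock()
        cached = self._cache.get(scope)
        if cached and cached.expires_at - self._refresh_margin > now:
            return cached.access_token, True       # post-cache: reuse AT
        resp = self._token_endpoint(self._client_id, self._client_secret, scope)
        token = CachedToken(resp["access_token"], now + float(resp["expires_in"]))
        self._cache[scope] = token                 # pre-cache: store new AT
        return token.access_token, False
```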
34. Permissions Management
• Permission Tables
• Resource Authorization
  • Keeping logic in a single place
• Entire app prevention
  • Controller Attributes
  • Inline demands
39. Example Solution Topology (diagram repeated from slide 5: the topology with Authorization Server and LOGIN points)
40. How to reach me…
Michele Leroux Bustamante
michelebusta@solliance.net
@michelebusta
Solliance Cofounder
Cloud / Security Architect
Microsoft Regional Director since 2003
Microsoft MVP – Microsoft Azure
Azure Elite, Azure Insider
41. Don't forget to evaluate the session directly in the Microsoft TechDays app!