Damien Bowden
Damien is a web developer, architect and a Microsoft MVP for Visual Studio Development Technologies who loves to learn. He contributes regularly to open source projects on GitHub. He runs a very popular blog which focuses on ASP.NET Core, application security, Azure and Angular.
Presentations at the .Net User Group Bern
Securing .NET Core, ASP.NET Core applications
This talk gives an overview of authentication and authorization in .NET Core and ASP.NET Core applications. The different approaches to implementing these in SPAs, ASP.NET Core UI applications, APIs and cloud solutions will be explained, as well as the OpenID Connect and OAuth flows that should be used, or can be used, for these types of solutions now and in the future.
The second part of this talk will be a general introduction to implementing Self Sovereign Identity in ASP.NET Core.
.NETworking Workshop ASP.NET Core 3.0 Security
This workshop shows how authentication, authorization and security requirements can be implemented using ASP.NET Core 3.0. The different approaches to implementing these in SPAs or in ASP.NET Core Razor/MVC applications will be explained, as well as the OpenID Connect/OAuth flows that should be used, or can be used, for these types of solutions.
Agenda
- 8:30 - 9:00 Welcome Coffee
- 9:00 - 10:30 Intro
  - Security requirements, ASP.NET Core Framework security features
  - Claims, Principals, Identities, Claims-based Identity
  - Cookie Authentication
  - Data Protection
  - Authorization
  - External Authentication Providers
  - User Secrets
  - Exercise: Cookie-based authentication with ASP.NET Core Identity in a Razor Pages application, EF Core SQLite DB, User Secrets
- 10:30 - 11:00 Coffee break (Tapis Rouge)
- 11:00 - 12:30 OpenID Connect, OAuth2 flows
  - OAuth2 Resource Owner Credentials Flow
  - OpenID Connect Code flow
  - OpenID Connect Hybrid flow
  - OpenID Connect PKCE Authorization Code Flow (RFC 7636)
  - OAuth Device Flow
  - Exercise: IdentityServer4 secure token service with an ASP.NET Core OpenID Connect Hybrid flow client
- 12:30 - 14:00 Lunch
- 14:00 - 15:30 API Authorization
  - APIs with token authorization
  - APIs with cookie authorization
  - Introspection
  - Public and protected APIs
  - Exercise: Client/API with JWT Bearer token authorization
  - Authorization policies, claims
    - Policies
    - Handlers
    - Requirements
  - Custom authorization
  - Exercise: Implementing authorization using claims, policies, handlers
- 15:30 - 16:00 Coffee break
- 16:00 - 17:30 Protecting the session, client
  - Click jacking
  - XSS
  - CSRF
  - CSP
  - HSTS
  - Cookie protection
  - Exercise: Add security fixes to an existing ASP.NET Core application
- 17:30 Retrospective
Workshop Requirements
- PC with .NET Core 3 SDK and Visual Studio 2019 or Visual Studio Code installed
- Internet (WLAN) connection
Application Security in ASP.NET Core
This talk shows how authentication and authorization can be implemented for ASP.NET Core applications. The different approaches to implementing these in SPAs or in ASP.NET Core MVC applications will be explained, as well as the OpenID Connect flows that should be used, or can be used, for these types of solutions.