Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to .NET Florin Olariu

Published byNorma Reed Modified over 5 years ago

Similar presentations

Presentation on theme: "Introduction to .NET Florin Olariu"— Presentation transcript:

1 Introduction to .NET Florin Olariu
“Alexandru Ioan Cuza”, University of Iași Department of Computer Science

2 Agenda Authorization & Authentication in .NET Core Authentication
What authentication is? What authorization is? Do we really need this? Authentication Authentication methods Authorization Proprietary or Third-party? Demo

3 Authorization & Authentication in .NET Core

4 Authorization & Authentication in .NET Core
What authentication is? Generally speaking, the term authentication refers to any process of verification that someone, be it a human being or an automated system, is who (or what) it claims to be. This is also true within the context of the World Wide Web (WWW), where that same word is mostly used to denote any technique used by a website or service to collect a set of login info from a user agent, typically a web browser, and authenticate them using a membership and/ or Identity service.

5 Authorization & Authentication in .NET Core
What authentication is? What authorization is? Authentication should never be confused with authorization, as it is a different process and is in charge of a very different task: to give a quick definition, we could say that the purpose of authorization is to confirm that the requesting user is allowed to have access to the action they want to perform.

6 Authorization & Authentication in .NET Core
What authentication is? What authorization is? Do we really need this? As a matter of fact, implementing authentication and/ or authorization logic isn't mandatory for most web-based applications or services: there are a number of websites that still don't do that, mostly because they serve contents that can be accessed by anyone at any time. There are billions of websites and services that require authentication to work properly, as most of their content and/ or intents depend upon the actions of registered users: forums, blogs, shopping carts, subscription-based services, and even collaborative tools such as wikis.

7 Authentication Since the origin of the World Wide Web, the vast majority of authentication techniques rely upon HTTP/ HTTPS implementation standards, and all of them work more or less in the following way: A non-authenticated user-agent asks for a content that cannot be accessed without some kind of permissions. The web application returns an authentication request, usually in form of an HTML page containing an empty web form to complete. The user-agent fills up the web form with their credentials, usually a username and a password, and then sends it back with a POST command, which is most likely issued by a click on a Submit button. The web application receives the POST data and calls the aforementioned server-side implementation that will try to authenticate the user with the given input and return an appropriate result. If the result is successful, the web application will authenticate the user and store the relevant data somewhere, depending on the chosen authentication method: sessions/ cookies, tokens, signatures, and so on (we'll talk about it later on). Conversely, the result will be presented to the user as a readable outcome inside an error page, possibly asking them to try again, contact an administrator, or something else.

8 Authentication methods
As we most certainly know, the HTTP protocol is stateless, meaning that whatever we do during a request/ response cycle will be lost before the subsequent request, including the authentication result. The only way we have to overcome this is to store that result somewhere, together with all its relevant data, such as user ID, login date/ time, and last request time.

9 Authentication methods
Sessions Since few years ago, the most common and traditional method to do that was to store this data on the server by using either a memory-based, disk-based, or external session manager. Each session can be retrieved using a unique ID that the client receives with the authentication response, usually inside a session cookie, that will be transmitted to the server on each subsequent request.

10 Authentication methods
Sessions Downsides: 1. Memory issues: Whenever there are many authenticated users, the web server will consume more and more memory. Even if we use a file-based or external session provider, there will nonetheless be an intensive IO, TCP, or socket overhead. 2. Scalability issues: Replicating a session provider in a scalable web farm might not be an easy task and will often lead to bottlenecks or wasted resources. 3. Cross-domain issues: Session cookies behave just like standard cookies, so they cannot be easily shared among different origins/ domains. These kinds of problem can be often solved with some workarounds, yet they will often lead to insecure scenarios to make things work. 4. Security issues: There is a wide and detailed literature of security-related issues involving sessions and session cookies: XSS attacks, cross-site request forgery, and a number of other threats that won't be covered here for the sake of simplicity. Most of them can be mitigated by some countermeasures, yet they could be difficult to handle for first-hand developers.

11 Authentication methods
Sessions Tokens The most important difference between session-based authentication and token-based authentication is that the latter is stateless, meaning that we won't be storing any user-specific information on the server memory, database, session provider, or other data containers of any sort. This single aspect solves most of the downsides that we pointed out earlier for session-based authentication.

12 Authentication methods
Sessions Tokens The most important difference between session-based authentication and token-based authentication is that the latter is stateless, meaning that we won't be storing any user-specific information on the server memory, database, session provider, or other data containers of any sort. This single aspect solves most of the downsides that we pointed out earlier for session-based authentication.

13 Authentication methods
Sessions Tokens Signatures This is a method used by most modern API-based cloud-computing and storage services, including Amazon Web Services (AWS). In contrast with session-based and token-based approaches, which rely upon a transport layer that can be theoretically accessed by/ exposed to a third-party attacker, signature-based authentication performs a hash of the whole request using a previously shared private key. This ensures that no intruder or man-in-the-middle could ever act as the requesting user, as they won't be able to sign the request.

14 Authentication methods
Sessions Tokens Signatures Two-factor This is the standard authentication method used by most banking and financial accounts, being arguably the most secure one. The implementation may vary, but it always relies upon the following base workflow: The user performs a standard login with a username and password. The server identifies the user and prompts them with an additional, user-specific request that can be only satisfied by something obtained or obtainable through a different channel: an OTP password sent by SMS, a unique authentication card with a number of answer codes, a dynamic PIN generated by a proprietary device or a mobile app, and so on. If the user gives the correct answer, they get authenticated using a standard session-based or token-based method.

15 Authorization In most standard implementations, including those featured by ASP.NET, the authorization phase kicks in right after the authentication.

16 Authorization In most standard implementations, including those featured by ASP.NET, the authorization phase kicks in right after the authentication. It's mostly based on permissions or roles: any authenticated user might have their own set of permissions and/ or belong to one or more roles, and thus be granted access to a specific set of resources.

17 Authorization Third-party authorization
The best known third-party authorization protocol nowadays is OAuth, developed by Blaine Cook and Chris Messina in 2006 and widely used by a lot of social networks, including Facebook and Twitter. It basically works like this: Whenever an existing user requests a set of permissions to our application via OAuth, we open a transparent connection interface between them and a third-party authorization provider that is trusted by our application (for example, Facebook). The provider acknowledges the user and, if they have the proper rights, responds entrusting them with a temporary, specific access key. The user presents the access key to our application and will be granted access.

18 Demo ASP.NET Identity full sample JSON Web Token full sample

19 One more thing…

20 One more thing…

21 Bibliography Pluralsight
Valerio De Sanctis - ASP.NET Core and Angular 2

22 Questions Do you have any other questions?

23 Thanks! See you next time! 

Download ppt "Introduction to .NET Florin Olariu"

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
How to get your free Windows Store Access

How to get your free Windows Store Access
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
The Internet & The World Wide Web Notes

The Internet & The World Wide Web Notes
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.

COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.

Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
Feedback #2 (under assignments) Lecture Code:

Feedback #2 (under assignments) Lecture Code:
1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.
THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

Similar presentations

Ads by Google