Annual Identity Update on DotNetRocks

It’s this time of the year again!

http://www.dotnetrocks.com/default.aspx?ShowNum=863

“Dominick Baier returns to talk to Carl and Richard about the current state of security in .NET 4.5. Dom starts out talking about how WebAPI has impacted the development of web services without much in the way of new security features – so he built some for everyone to use (check the links below). The conversation then digs into the challenges around OAuth 2 and the challenges of building specifications by committee when you’re dealing with security. Also listen for a great dig into the real goals of identity technologies that largely haven’t come to pass yet – there’s still a ways to go!”

Posted in .NET Security, ASP.NET, Azure, IdentityModel, IdentityServer, OAuth, WCF, WebAPI | 1 Comment

Authentication vs Authorization

…in the context of token-based security systems.

There are many practical and philosophical ways to discuss the difference between the two terms. But since there is quite a bit of confusion, I want to look at it from the perspective of the “usual suspects”, the token-based protocols we commonly use today to build applications. In particular, I want to make it clear where OAuth2 and OpenID Connect fit in.

But first the “formal” definitions:

Authentication is a process where a person or a computer program proves their identity in order to access information.
Authorization is the act of granting a person or other entity permission to use resources in a secured environment. This is usually tightly linked to authentication.

Authentication
My rule of thumb is: when an application requests an identity token for its own use, to provide personalization or access control to application features, that’s authentication. Or technically, the requested token’s audience is the requester itself, and the requesting application can parse and validate the token to use the information it contains.


Typical protocols used for authentication: Kerberos, WS-Federation, SAML2p, OpenID (Connect). The resulting token is often called an identity token.

Authorization
In contrast, when the application requests a token for a different party than itself – e.g. a backend – that falls into the authorization bucket. This token is opaque to the requester and only makes sense in the context of the audience (aka the backend). The backend can parse and validate the token and control access based on the information it contains.


Typical protocols used for authorization: Kerberos, WS-Trust, OAuth2. The resulting token is often called an access token.
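The audience rule of thumb from the two sections above, as an added example in Python (not code from the post or from IdentityServer): a constructed STS mints one HS256 JWT for the client’s realm and one for a backend API, and the audience check is what makes the first usable by the client and the second opaque to it. The issuer name, signing key, backend audience and subject are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

ISSUER = "urn:sts"  # constructed STS name; "urn:realm" is the client's realm from the post

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(key: bytes, issuer: str, audience: str, subject: str, lifetime: int = 300) -> str:
    """Constructed STS: mint a compact HS256 JWT bound to exactly one audience."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_token(token: str, key: bytes, expected_issuer: str, my_audience: str) -> dict:
    """Receiving party: check alg, signature, issuer, expiry and that the token was minted for *this* party."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    if claims.get("aud") != my_audience:
        raise ValueError(f"token is for {claims.get('aud')!r}, not {my_audience!r}")
    return claims

def demo() -> dict:
    """Identity token (aud = requester) vs access token (aud = backend), as in the post."""
    sts_key = b"constructed-sts-signing-key"  # stands in for a key every party can verify against
    id_token = issue_token(sts_key, ISSUER, "urn:realm", "alice")           # authentication
    access_token = issue_token(sts_key, ISSUER, "urn:backend-api", "alice")  # authorization
    result = {"client_accepts_id_token": validate_token(id_token, sts_key, ISSUER, "urn:realm")["sub"] == "alice"}
    try:  # the client must not treat the backend's token as its own identity token
        validate_token(access_token, sts_key, ISSUER, "urn:realm")
        result["client_rejects_access_token"] = False
    except ValueError:
        result["client_rejects_access_token"] = True
    result["backend_accepts_access_token"] = validate_token(access_token, sts_key, ISSUER, "urn:backend-api")["sub"] == "alice"
    return result
```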

But – what about authentication with OAuth2?
Some providers advertise OAuth2 sign-in – where does that fit in? Well – OAuth2 on its own cannot provide authentication services and when you look closer, you can see that those providers use some custom extensions to make it happen. Quoting the Google documentation (link):

“The Google endpoints described here align with the OpenID Connect specification, which at the time of this writing, is in early draft stage. For reference, the OpenID Connect specification is very similar to the OAuth 2.0 protocol. These Google endpoints will update as the specification matures.”

To find out what is necessary to teach OAuth2 the authentication trick, I can recommend reading this piece by Tim Bray, the OpenID Connect specification, and this and this explanation of why OAuth2 on its own is not enough.

HTH

Posted in .NET Security, IdentityModel, IdentityServer, OAuth, WebAPI | 2 Comments

Getting JSON web tokens (JWTs) from ADFS via Thinktecture IdentityServer's ADFS Integration

Reblogged from brockallen:


Dominick and I recently added three features to IdentityServer that collectively we call "ADFS Integration". This "ADFS Integration" is a new protocol (which can be enabled, disabled and configured like any other protocol IdentityServer supports). In short this new protocol helps obtain JWTs (indirectly) from ADFS (or really any WS-Trust enabled STS). I'll describe the three use cases here and how we provide a solution for each:


This can be very handy when having to integrate web APIs / mobile devices with ADFS!

Posted in IdentityModel, IdentityServer, OAuth, Uncategorized, WebAPI | Leave a comment

Driving the WS-Federation Handshake from ASP.NET Web API

In general I think the API design of the WS-Federation support in WIF / .NET 4.5 is a bit unfortunate.

It was a strange decision to combine the HTTP module (aka the FAM) and the more generic protocol helpers into a single class. And the fact that the system.identityModel configuration sections are not declared by default makes the FAM hard to use as a “standalone” library (for the search engines: “ID7027: Could not load the identity configuration because no <system.identityModel> configuration section was found.”). Microsoft?! Please fix this.

All of that in combination makes it non-obvious how to “manually” process WS-Federation messages, and since the question came up recently, here’s how to do it with ASP.NET Web API:

To create the WS-Federation request you can use this code:

using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.Net;
using System.Net.Http;
using System.Web.Http;

public HttpResponseMessage Get()
{
    // build the wsignin1.0 request: the STS endpoint plus the realm of this application
    var signInRequest = new SignInRequestMessage(
        new Uri("https://idsrv.local/issue/wsfed"),
        "urn:realm");

    // redirect the browser to the STS with the request encoded in the query string
    var response = Request.CreateResponse(HttpStatusCode.Found);
    response.Headers.Location = new Uri(signInRequest.WriteQueryString());

    return response;
}

The interesting bit is processing the response. As long as you can turn the post data into a NameValueCollection, it’s quite easy:

public HttpResponseMessage Post(HttpRequestMessage request)
{
    // the STS posts the wsignin1.0 response (wa, wresult, ...) back as form data
    var form = request.Content.ReadAsFormDataAsync().Result;
    var signInResponse = WSFederationMessage.CreateFromNameValueCollection(
        FederationMessage.GetBaseUrl(request.RequestUri),
        form) as SignInResponseMessage;

    // anything that is not a sign-in response is not ours to process
    if (signInResponse == null)
    {
        return request.CreateResponse(HttpStatusCode.BadRequest);
    }

    var fam = new WSFederationAuthenticationModule();

    // set all the necessary configuration
    // don't forget to declare the system.identityModel config sections
    fam.FederationConfiguration = new FederationConfiguration();

    // extracts the security token from the wresult of the sign-in response
    var token = fam.GetSecurityToken(signInResponse);

    // validate token etc.
    return request.CreateResponse(HttpStatusCode.OK);
}


HTH

Posted in ASP.NET, IdentityModel, WebAPI | 7 Comments

Photo-only Blog

http://photos.leastprivilege.com


Posted in Photography | Leave a comment

Open Source Democracy

Really enjoyed this talk:

via Dinis

Posted in Uncategorized | Leave a comment

Going to NDC? Get two extra Days of Identity and Access Control!

Claims, WS-Federation, WS-Trust, WS-Security, ASP.NET, Federation, Single Sign-On, Home Realm Discovery, WCF, SAML, JWT, Web API, OAuth2, Thinktecture IdentityServer & IdentityModel, ADFS, Windows Azure Active Directory & Access Control…

Do the above terms sound interesting? Then join me for a two day pre-con workshop at the fantastic Norwegian Developer Conference. Will be a blast!

http://www.ndcoslo.com/Article/Workshops/claims


Posted in Azure, IdentityModel, IdentityServer, OAuth, WCF, WebAPI | 2 Comments