Using .NET Core Data Protection is a bit limited. I like how it generates keys and can maintain them, but the storage mechanisms out of the box are fairly limited. Unless you’re using Redis or Azure Stoage, your only option is file system persistence. This isn’t really usable for distributed applications that need to share keys. Ideally, using a SQL server backend would be available, but it’s not too terribly difficult to create one.
.NET Core SQL DataProtection Key Storage Provider using Entity Framework
posted on June 28, 2017 by long2know in Uncategorized
Sharing Cookies and Tokens between OWIN and .NET Core (Part 2)
posted on May 24, 2017 by long2know in Core, Middleware, OWIN
In my previous installment, I focused mostly on sharing Cookies between an OWIN application and a .NET Core application. What happens if you want to utilize the Bearer tokens as well?
Sharing Cookies and Tokens between OWIN and .NET Core
posted on May 23, 2017 by long2know in Core, Middleware, OWIN, Uncategorized
It seems like only yesterday when I setup an OWIN OAuth server to provide single-signon capabilities for all of my apps. Since that time, though, OWIN has kind of fallen to the wayside in favor of newer security mechanisms in .NET Core. However, it is possible to make an OWIN application play nice with a .NET Core application to share cookie-based authentication.
Moving from OWIN to .NET Core
posted on April 23, 2017 by long2know in ASP.NET, OWIN, Web
Since the OAuth server I’ve detailed previously is using OWIN, I’ve been looking at what it will take to move it to .NET Core. The OWIN OAuth Server provides all of the Secure Token creation. This functionality is not provided with .NET Core’s native middleware.
My first thought is to integrate with IdentityServer4 or Openiddict which provide Secure Token generation and are .NET Core compatible. After some cursory information gathering, I’m putting a few research links here for later use.
https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
https://blogs.msdn.microsoft.com/webdev/2017/01/23/asp-net-core-authentication-with-identityserver4/
https://github.com/openiddict/openiddict-core
https://www.scottbrady91.com/Identity-Server/Getting-Started-with-IdentityServer-4
http://stackoverflow.com/questions/35304038/identityserver4-register-userservice-and-get-users-from-database-in-asp-net-core
ASP.NET Core OAuth Middleware
posted on July 11, 2016 by long2know in ASP.NET, Core, Microsoft, Middleware, Security
After using OWIN for months for basic OAuth authentication, it’s apparent that Microsoft is abandoning OWIN . This isn’t necessarily a bad thing. .NET Core is built on a similar structure as that which was implemented in OWIN. Essentially, we have a familiar middleware pipeline.
Integrating with ASP.NET Identity’s Schema
posted on June 24, 2016 by long2know in ASP.NET, Entity Framework, Security
My current single-sign server, that utilizes OWIN, does not store information regarding users’ identity. On the back-end, it makes LDAP queries to Active Directory to authenticate users and then makes additional LDAP queries to determine roles and authorization.
Since I’ve been playing with Azure lately, I wanted to re-tool this solution to allow toggling between a data-store for user identity information and Active Directory.
ASP.NET Anti-forgery XFrame Options
posted on June 18, 2016 by long2know in ASP.NET, Security
If you recall my previous post on ASP.NET Anti-forgery configuration options, you may be familiar with the way the ASP.NET MVC AntiForgeryToken helper adds the “x-frame-options SAMEORIGIN” header to server responses. This header prevents different domains from displaying your site in an iframe. Your only option to manage this feature is to completely disable it.
An all or nothing approach to configuration is quite inflexible. Additionally, if we are using the web.config to handle our configuration, that too is pretty rigid and hard to manage.
Extracting Bearer Token from OWIN Cookie
posted on May 2, 2016 by long2know in ASP.NET, OWIN, Security
If you’ll recall a previous post in which I examined decrypting the OWIN AuthenticationTicket, I didn’t really examine how to deal with the ticket in the context of cookies.
ASP.NET Anti-forgery configuration
posted on March 9, 2016 by long2know in ASP.NET, Security
ASP.NET has some useful security options to prevent cross-site scripting, click hijacking, and other vulnerabilities. However, configuring these options has a few caveats.
OWIN Authentication Modes
posted on June 3, 2015 by long2know in ASP.NET, MVC, OWIN, Security
After creating a redistributal package for a custom OWIN AuthenticationHandler that handles logins to an internally hosted Oauth2/SSO provider, I found something a little annoying.
When OWIN detects a 401 response and the AuthenticationMode is “Active,” it doesn’t capture the URL hash from the request.