Advanced ASP.NET Core Authorization with Barry Dorrans


The Discussion

  • MrSmith

    Excellent, right on Barry. Even though it's Easter, this is far from an Easter egg, but so elegant, powerful and simple. So when you first open it, why not use, extend and enjoy it ;-)

  • cecilphillip

    These videos on security have been very insightful.

    It would be great if you could do another one on setting up token based security or federated identity with IdentityServer :)

  • blowdart

    @scyonx: As identity server isn't a Microsoft product I wouldn't presume to make a video on it.

  • figuerres

    blowdart wrote:

    > @scyonx: As identity server isn't a Microsoft product I wouldn't presume to make a video on it.

    Hey, what about a good talk on how to play with OAuth and Identity?

    I spent several weeks figuring out how to do OAuth for my new job; we did not want to use 3rd party OAuth servers and did not want to re-invent stuff. It seems like the Microsoft bits for this are lacking some key items and I had to use one of the parts from ID Server to make my implementation work.

    The issue was getting the tokens issued, as I recall.

    It was a painful process as there seems to be very little documentation out there. Most of what I saw was how to use some other auth server to store and issue. Almost nothing on how to just configure the Microsoft bits to work. It was all on using Azure or Live ID or Google etc...

  • cecilphillip

    @blowdart fair enough. How would you demonstrate leveraging security tokens (JWT, etc.) for web based APIs with aspnet-core?

  • hsakarp

    This is a good video. But I am kind of confused between the AuthorizeActionFilter and resource based authorization.

  • blowdart

    @figuerres: Yea, our previous attempts were sadly lacking, so come ASP.NET Core we decided to reinvest dev resources elsewhere as, frankly, Identity Server did everything better than our previous attempts. So don't expect an OAuth Server from our team any time soon.

  • blowdart

    @scyonx: That's just "Use the JWT middleware". However it's still in flux a little, and it's owned by the AAD team really. Really it just boils down to:

    var key = Convert.FromBase64String("base64-encoded symmetric key");
    app.UseJwtBearerAuthentication(options =>
    {
        options.AutomaticAuthenticate = true;
        options.AutomaticChallenge = true;
        options.Authority = Configuration["jwt:authority"];
        options.Audience = Configuration["jwt:audience"];
        options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(key);
    });

  • blowdart

    @hsakarp: Well I didn't cover filters :) AuthorizeActionFilters are at a deep level. Frankly we hope with the new policy based stuff you won't ever need to write one, but they're there, in case you want to do something really odd.

  • gogators

    Hi, I have a Web API app using Azure B2C with the configuration shown below. From a Xamarin client, I can call AcquireTokenAsync and get a Token and IdToken successfully. I can take that token and paste it into an online decoder (like https://jwt.io/) and I can view the payload. However I haven't figured out how to view the payload from my Xamarin app. Every JWT decoder I have tried gives me errors, like "rs256 is not supported".

    I'm wondering if you have any recommendations. Thanks!

    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String("key="))
        },
        AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        MetadataAddress = String.Format(CultureInfo.InvariantCulture, "{0}/{1}/{2}/{3}?p={4}",
            policySettings.Value.AadInstance, policySettings.Value.Tenant, "v2.0",
            OpenIdProviderMetadataNames.Discovery, policySettings.Value.SignUpInPolicyId),
        Audience = policySettings.Value.ClientId
    });
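
    Both snippets above configure the server side, while gogators' question is about reading a token on the client. As an added example (not code from the video or from either commenter), here is the difference, in Python for brevity, between merely decoding a JWT's header and payload, which needs no key and is all an online decoder does, and validating it the way the bearer middleware does with IssuerSigningKey and Audience. The key, claims and token are constructed; an Azure AD B2C token is RS256-signed, so verifying one needs the issuer's public key from the metadata endpoint rather than this HMAC path.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding (RFC 7515); restore it first.
    # Missing padding is a common reason generic base64 decoders reject tokens.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def peek(token: str):
    # Decode header and payload WITHOUT checking the signature: readable, not trusted.
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def validate_hs256(token: str, key: bytes, audience: str, now: Optional[int] = None) -> dict:
    # Mirrors what the middleware does with IssuerSigningKey and Audience:
    # check the MAC, then audience and expiry. Returns the payload only if all pass.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("aud") != audience:
        raise ValueError("audience mismatch")
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return payload

def mint_hs256(payload: dict, key: bytes) -> str:
    # Constructed issuer for the demo; a real B2C issuer would sign with RS256.
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, ("%s.%s" % (header_b64, payload_b64)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header_b64, payload_b64, b64url_encode(sig))

KEY = b"constructed-demo-key-not-a-real-secret"   # constructed, not a real key
TOKEN = mint_hs256({"sub": "user1", "aud": "my-api", "exp": 2_000_000_000}, KEY)

if __name__ == "__main__":
    print(peek(TOKEN))                            # visible to anyone holding the token
    print(validate_hs256(TOKEN, KEY, "my-api"))   # trusted only after this succeeds
```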


  • Serexx

    I've had a pain in my Auth for a very long time, thanks for making it go away :)

  • VisualDragon

    "I am far older than you..."

    My "baby" brother was born just two weeks after you, and I was already six.  :P

    Great presentation BTW.  Thanks.
