ddd melbourne 2014 security in asp.net web api 2

Post on 21-Jun-2015








My presentation at DDD Melbourne 2014 Conference on Security in ASP.Net Web API 2. Includes a brief introduction to OWIN and Katana. http://www.dddmelbourne.com/


Security in ASP.NET Web API 2

DDD Melbourne 2014

Pratik Khasnabis (@softveda)

Outline

• SSL and Certificates
• OWIN and KATANA – Quick Primer
• Security Architecture in Web API 2
• Classic Authentication – Demo
• OAuth – Introduction
• OAuth – Demo
• HAWK – Demo

SSL and Certificates

HTTPS = HTTP over TLS
• Server Authentication
• Integrity protection
• Encryption
• Client Authentication

X.509 Certificates
• ITU-T Standard for PKI
• Standard formats for certificates
• Installed in the Windows Certificate Store

Which certificate goes in which Windows certificate store:
• Server Root Cert – Computer – Trusted Root Certification Authorities
• Server SSL Cert – Computer – Personal (Must have a private key. Usually a .pfx file)
• Client Private Cert – Current User – Personal (Must have a private key. Usually a .pfx file)
• Client Public Cert – Computer – Trusted People (Only public key required. Usually a .cer file)

HTTPS Simplified

Bind SSL certificate to port / host name
• IIS
• netsh.exe
• httpconfig.exe
• CN should match DNS

Handshake (simplified diagram): the server sends its certificate; the client generates a session key and encrypts it with the server's public key.


HTTP Authentication Framework

Status: 401 (Unauthorised)
WWW-Authenticate: Scheme realm="app"

GET /URL/Resource
Authorization: scheme <credential>

Example with the Basic scheme (the credential is base64 of user:password, not encrypted):
Authorization: Basic dXNlcjpwYXNzd29yZA==

Create Your Own Root Certificate

makecert -r -n "CN=DevRoot" -pe -sv DevRoot.pvk -cy authority DevRoot.cer

• -r Create a self signed certificate
• -n <X509name> Certificate subject X500 name (eg: CN=Fred Dews)
• -pe Mark generated private key as exportable
• -sv <pvkFile> Subject's PVK file; to be created if not present
• -cy <certType> Certificate type

Package the certificate and the private key

pvk2pfx.exe -pvk DevRoot.pvk -spc DevRoot.cer -pfx DevRoot.pfx

Create SSL Cert – Server Authentication

makecert -iv DevRoot.pvk -ic DevRoot.cer -n "CN=site.local" -pe -sv %1.pvk -sky exchange site.local.cer -eku

• -iv <pvkFile> Issuer's PVK file
• -ic <file> Issuer's certificate file
• -n <X509name> Certificate subject X500 name (eg: CN=Fred Dews)
• -pe Mark generated private key as exportable
• -sv <pvkFile> Subject's PVK file; to be created if not present
• -sky <keytype> Subject key type
• -eku <oid[<,oid>]> Comma separated enhanced key usage OIDs

Open Web Interface for .NET (OWIN)

Environment Dictionary
Stores all of the state necessary for processing an HTTP request and response, as well as any relevant server state.

IDictionary<string, object>
"owin.RequestMethod" : A string containing the HTTP request method of the request (e.g., "GET", "POST").

Application Delegate (AppFunc)
This is a function signature which serves as the primary interface between all components in an OWIN application.

Func<IDictionary<string, object>, Task>
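As an added example (not from the talk), a raw OWIN middleware built directly on the AppFunc contract and the environment dictionary, implementing the 401 challenge and Basic credential check described above. The validator delegate, the "app.AuthenticatedUser" key and the class name are assumptions; Basic credentials are only base64, so this belongs behind HTTPS.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using AppFunc = System.Func<System.Collections.Generic.IDictionary<string, object>, System.Threading.Tasks.Task>;

// Hypothetical raw-OWIN middleware: no Katana base class, just the AppFunc contract.
public class BasicAuthMiddleware
{
    private readonly AppFunc _next;
    private readonly Func<string, string, bool> _validate; // (user, password) -> valid?

    // Katana calls this constructor for app.Use(typeof(BasicAuthMiddleware), validator)
    public BasicAuthMiddleware(AppFunc next, Func<string, string, bool> validate)
    {
        _next = next;
        _validate = validate;
    }

    public async Task Invoke(IDictionary<string, object> env)
    {
        var requestHeaders = (IDictionary<string, string[]>)env["owin.RequestHeaders"];
        string[] values;
        string user;
        if (requestHeaders.TryGetValue("Authorization", out values) && TryParseBasic(values[0], out user))
        {
            env["app.AuthenticatedUser"] = user; // hypothetical key read by later middleware
            await _next(env);
            return;
        }
        // HTTP authentication framework: 401 plus a challenge naming scheme and realm
        env["owin.ResponseStatusCode"] = 401;
        var responseHeaders = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];
        responseHeaders["WWW-Authenticate"] = new[] { "Basic realm=\"app\"" };
    }

    // "Basic base64(user:password)" -> user name, only if the validator accepts the pair
    private bool TryParseBasic(string header, out string user)
    {
        user = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; } // malformed base64 is simply "not authenticated"
        int colon = decoded.IndexOf(':');
        if (colon < 0 || !_validate(decoded.Substring(0, colon), decoded.Substring(colon + 1))) return false;
        user = decoded.Substring(0, colon);
        return true;
    }
}
```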


Katana Assembly Graph – Microsoft's OWIN Implementation

Application layer
• Your app
• Web API
• SignalR
• Nancy
• ServiceStack

Hosts and Servers Implementation
Servers:
• Microsoft.Owin.Host.SystemWeb
• Microsoft.Owin.Host.HttpListener
• Helios
Hosts:
• IIS/ASP.Net
• OwinHost.exe
• Self Host
• IIS

Convenience Classes
• OwinContext
• OwinRequest

Middleware for Common Features

Web API 2 Architecture (diagram)

Hosting v1: Self Host (Service / Exe) and Web Host (IIS)
Hosting v2: OWIN (Web API + OWIN Adapter, running in any Process/Host) and IIS (+ OWIN Bridge)
No System.Web dependency

OWIN Pipeline in Web API 2 (diagram)

Client → Host → OWIN Server → Middleware 1 → Middleware 2 → Application

Host side: OWIN middleware handles host/framework independent concerns, e.g. authentication
Web API 2 side: MessageHandler (global/per-route) → Authentication Filter → Authorization Filter, handling Web API cross-cutting concerns, e.g. CORS

Classic Authentication
• Windows Authentication
• Basic Authentication
• SSL client certificates

Intranet Scenario – Windows Authentication
• AD Integrated
• Client and Server are on a domain
• The User is a domain account

Web.config (IIS / ASP.NET hosting):

<system.web>
  <authentication mode="Windows" />
</system.web>

Self host (HttpListener server) – extension method that switches the listener to Integrated Windows Authentication:

using System.Net;
using Owin;

public static class WindowsAuthenticationExtensions
{
    public static IAppBuilder UseWindowsAuthentication(this IAppBuilder app)
    {
        object value;
        // Katana's HttpListener server exposes the listener in the app properties
        if (app.Properties.TryGetValue("System.Net.HttpListener", out value))
        {
            var listener = value as HttpListener;
            if (listener != null)
            {
                listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;
            }
        }
        return app;
    }
}

Modern Application

Questions users and clients face:
• Do I trust this app?
• How can I securely communicate?
• Who is the user? Who is the client?
• What are they authorised to do?

OAuth roles (diagram): Alice (Resource Owner) → Client → access token → Web API (Resource Server). Scopes: read, write, delete.


OAuth 2.0 – client types

• User-Agent (Browser) based apps
• Native apps
• Server rendered apps
• Machine to Machine


Trusted Clients/Applications – Corporate Environment

Resource Owner Password Credential Flow
• User gives their credentials to the client.
• The client accesses the auth server on behalf of the user with the credentials.
• Client can optionally authenticate with the auth server using the Basic authentication scheme.
• Auth server returns an access token – typically with a short expiry time.
• The client then accesses the Resource Server using the access token.

Implicit Flow – Untrusted Clients
Native / Browser based clients

• Credential input is not in the client but in the auth server
• No client authentication; the client secret is not embedded in a public device
• Client opens a web view to the auth server
• Auth server will show a login page and a consent screen
• Auth server redirects to the callback URL (# fragment)
• Client extracts the access token and expiry
• Client uses the access token to access the resource server

Authorisation code flow
Server based clients: clients can securely store a client secret, and the client can authenticate with the auth server

• Client opens a web view to the auth server
• Auth server will show a login page and a consent screen
• Auth server only sends an authorisation code; the access token is not leaked
• Client now directly posts to the auth server, authenticates itself and sends the authorisation code
• The auth server responds with the access token. The access token is never leaked to the browser.
• Access token may be long lived.

Assertion Flow – OAuth Extension for Federation

• So far the auth server and resource server are in the same trusted subsystem
• Allows users to log in using Facebook and then use the Facebook identity to access the backend services
• Facebook only does authorisation for their own backend, not your backend

Cross Origin Resource Sharing

Same Origin Policy in Browsers
• AJAX requests to a different host, port or protocol will fail
• CORS is a W3C standard that allows cross origin HTTP requests
• Without CORS the request itself succeeds but the browser returns an error
• Supported in modern browsers only, IE

CORS support in Web API
• Install-Package Microsoft.AspNet.WebApi.Cors
• WebApiConfig.cs – config.EnableCors();
• Controller.cs – [EnableCors("origin", "headers", "verbs")] public class MyController : ApiController {}

Request Header
Origin: http://cors.local/

Response Header
Access-Control-Allow-Origin: *

HAWK Authentication Scheme

Alternative to OAuth for the machine to machine scenario
• Authentication scheme using an HMAC digest of the request and response headers
• Server and Client share a secret key for the hash
• The key is never sent; it is not part of the headers
• Client hashes the header with the secret key
• Server hashes the header with the same key and compares the hash
• Useful when SSL cannot be used

Request Header
Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", mac="werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"

Response Header
Server-Authorization: Hawk mac="YWojrFVgIjgd+RiPacnDwRcL8VtvcMEzahVfOpoLxoA=", hash="yAF3A3y3uzLvNT2m/nVwsifn1+joCqu0uNWZS8RSv6Y="
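As an added example (not from the talk), the server-side half of the scheme: rebuild the Hawk v1 normalized string from the request, HMAC-SHA256 it with the key looked up by the header's id, and compare in constant time, with a timestamp window and nonce cache against replay. The key lookup, the nonce cache and the skew window are assumptions; payload hash and ext are left empty, as in the slide's header.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical verifier: Hawk v1 normalized string, HMAC-SHA256 with the shared key, base64.
public static class HawkVerifier
{
    // Normalized request string from the Hawk specification (hash and ext empty here)
    public static string Normalize(string ts, string nonce, string method, string resource, string host, int port)
    {
        return "hawk.1.header\n" + ts + "\n" + nonce + "\n" + method.ToUpperInvariant() + "\n"
             + resource + "\n" + host.ToLowerInvariant() + "\n" + port + "\n" + "\n" + "\n";
    }

    public static string ComputeMac(byte[] key, string normalized)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(normalized)));
    }

    // Constant-time comparison: a mismatch must not leak how many leading bytes matched
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // seenNonces is an assumed per-id replay cache; entries older than the skew window can be evicted
    public static bool Verify(byte[] key, string ts, string nonce, string mac, string method, string resource,
                              string host, int port, long nowUnixSeconds, HashSet<string> seenNonces, int skewSeconds = 60)
    {
        long tsValue;
        if (!long.TryParse(ts, out tsValue) || Math.Abs(nowUnixSeconds - tsValue) > skewSeconds) return false;
        var expected = ComputeMac(key, Normalize(ts, nonce, method, resource, host, port));
        if (!FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(mac ?? ""))) return false;
        return seenNonces.Add(ts + ":" + nonce); // a valid MAC reused with the same ts+nonce is a replay
    }
}
```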

With thanks to our sponsors

