Security in ASP.NET Web API 2
DDD Melbourne 2014
Pratik Khasnabis (@softveda)
Outline
• SSL and Certificates
• OWIN and Katana – Quick Primer
• Security Architecture in Web API 2
• Classic Authentication – Demo
• OAuth – Introduction
• OAuth – Demo
• HAWK – Demo
SSL and Certificates
HTTPS = HTTP over TLS
• Server authentication
• Integrity protection
• Encryption
• Client authentication (optional; only when the server asks the client for a certificate)

X.509 Certificates
• ITU-T standard for PKI
• Standard formats for certificates
• Installed in the Windows Certificate Store

Where each certificate lives in the Windows Certificate Store:
• Server root cert – Computer \ Trusted Root Certification Authorities
• Server SSL cert – Computer \ Personal (must have a private key; usually a .pfx file)
• Client private cert – Current User \ Personal (must have a private key; usually a .pfx file)
• Client public cert – Computer \ Trusted People (only the public key is required; usually a .cer file)
HTTPS Simplified
Bind the SSL certificate to a port / host name:
• IIS
• netsh.exe (netsh http add sslcert)
• httpcfg.exe (older Windows versions)
• The certificate's CN (or a Subject Alternative Name entry) must match the DNS name the client connects to

Handshake, simplified (RSA key exchange):
1. Client connects
2. Server sends its certificate
3. Client generates the session key material and encrypts it with the server's public key
(With ephemeral Diffie-Hellman cipher suites the session key is agreed rather than encrypted to the server's key, which is what gives forward secrecy.)
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
HTTP Authentication Framework (RFC 7235, formerly part of RFC 2617)
Server challenge:
  Status: 401 (Unauthorized)
  WWW-Authenticate: Scheme realm="app"
Client retries with credentials:
  GET /URL/Resource
  Authorization: Scheme <credential>
Example for the Basic scheme (the credential is base64 of user:password, encoded, not encrypted):
  Authorization: Basic dXNlcjpwYXNzd29yZA==
Create Your Own Root Certificate
makecert -r -n "CN=DevRoot" -pe -sv DevRoot.pvk -cy authority DevRoot.cer
• -r   Create a self-signed certificate
• -n <X509name>   Certificate subject X.500 name (e.g. CN=Fred Dews)
• -pe   Mark the generated private key as exportable
• -sv <pvkFile>   Subject's PVK file; created if not present
• -cy <certType>   Certificate type (authority = CA certificate)
Package the certificate and the private key:
pvk2pfx.exe -pvk DevRoot.pvk -spc DevRoot.cer -pfx DevRoot.pfx
Import DevRoot.cer into Computer \ Trusted Root Certification Authorities only on development machines: every certificate the dev root signs will be trusted there.
Create SSL Cert – Server Authentication
makecert -iv DevRoot.pvk -ic DevRoot.cer -n "CN=site.local" -pe -sv site.local.pvk -sky exchange -eku 1.3.6.1.5.5.7.3.1 site.local.cer
• -iv <pvkFile>   Issuer's PVK file
• -ic <file>   Issuer's certificate file
• -n <X509name>   Certificate subject X.500 name (e.g. CN=Fred Dews); the CN must be the host name clients will use
• -pe   Mark the generated private key as exportable
• -sv <pvkFile>   Subject's PVK file; created if not present
• -sky <keytype>   Subject key type (exchange = key usable for key exchange/encryption)
• -eku <oid[,oid]>   Comma-separated enhanced key usage OIDs (1.3.6.1.5.5.7.3.1 = Server Authentication)
Then package site.local.pvk and site.local.cer with pvk2pfx.exe as for the root, so the resulting .pfx (with its private key) can be imported into Computer \ Personal and bound to the port.
Open Web Interface for .NET (OWIN)
Environment Dictionary
Stores all of the state necessary for processing an HTTP request and response, as well as any relevant server state.
IDictionary<string, object>
e.g. "owin.RequestMethod": a string containing the HTTP request method of the request (e.g. "GET", "POST").

Application Delegate (AppFunc)
The function signature which serves as the primary interface between all components in an OWIN application:
Func<IDictionary<string, object>, Task>
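The environment dictionary and the AppFunc are all a piece of middleware needs. As an added example (not code from the talk or from the Katana project), here is raw OWIN middleware that refuses plaintext requests using only the keys the OWIN spec defines, so that no authentication middleware further down the pipeline ever sees credentials sent over HTTP. It assumes the OWIN server terminates TLS itself; behind a TLS-offloading proxy "owin.RequestScheme" would read "http" and you would have to consult a forwarded-protocol header instead. Registration uses Katana's IAppBuilder.Use(Type) convention.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Owin;   // IAppBuilder, from the Microsoft.Owin package

// The OWIN application delegate, exactly as the spec defines it.
using AppFunc = System.Func<System.Collections.Generic.IDictionary<string, object>, System.Threading.Tasks.Task>;

// Added example: middleware that talks only to the environment dictionary.
public class RequireHttpsMiddleware
{
    private readonly AppFunc _next;

    // Katana's app.Use(typeof(T)) looks for a constructor whose first
    // parameter is the next AppFunc in the pipeline.
    public RequireHttpsMiddleware(AppFunc next)
    {
        if (next == null) throw new ArgumentNullException("next");
        _next = next;
    }

    public Task Invoke(IDictionary<string, object> env)
    {
        // Assumption: TLS terminates at this server, so the scheme is trustworthy.
        var scheme = env["owin.RequestScheme"] as string;
        if (string.Equals(scheme, "https", StringComparison.OrdinalIgnoreCase))
        {
            return _next(env);                       // pass the request down the pipeline
        }

        // A 403 rather than a redirect: a client that already sent an
        // Authorization header over HTTP has leaked it and should find out.
        var method = (string)env["owin.RequestMethod"];
        env["owin.ResponseStatusCode"] = 403;
        env["owin.ResponseReasonPhrase"] = "Forbidden";

        var headers = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];
        var body = Encoding.UTF8.GetBytes("HTTPS required for " + method + "\n");
        headers["Content-Type"] = new[] { "text/plain; charset=utf-8" };
        headers["Content-Length"] = new[] { body.Length.ToString() };

        var stream = (Stream)env["owin.ResponseBody"];
        return stream.WriteAsync(body, 0, body.Length);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // First in the pipeline, so everything after it only ever sees HTTPS traffic.
        app.Use(typeof(RequireHttpsMiddleware));
        // app.UseWebApi(config); and any authentication middleware follow here
    }
}
```

Because the middleware never touches System.Web or Microsoft.Owin's convenience types, the same class runs unchanged under IIS (Microsoft.Owin.Host.SystemWeb) and under OwinHost.exe or a self-host process (Microsoft.Owin.Host.HttpListener).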
OWIN layers (top to bottom)
• Application – your app: Web API, SignalR, Nancy, ServiceStack
• Middleware
• Server – Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Host.HttpListener, Helios
• Host – IIS/ASP.NET (for SystemWeb), OwinHost.exe or a self-host process (for HttpListener), IIS (for Helios)
Katana
Microsoft's OWIN implementation
http://katanaproject.codeplex.com/
• Hosts and servers implementation: IIS, self-hosting, OwinHost.exe
• Convenience classes: OwinContext, OwinRequest, OwinResponse, AppBuilderUseExtensions
• Middleware for common features: authentication, CORS
Katana Assembly Graph
Web API 2 Architecture
Hosting v1:
• Web API on Self Host (WCF) in a service / exe
• Web API on Web Host (ASP.NET) in IIS
Hosting v2:
• Web API (+ OWIN Adapter) on OWIN, in any process/host (+ OWIN Bridge), including ASP.NET in IIS
• No System.Web dependency
OWIN Pipeline in Web API 2
Client → OWIN Server (Host) → Middleware 1 → Middleware 2 → Application
Inside Web API 2 the application itself is a pipeline: MessageHandler (global / per-route) → Authentication Filter → Authorization Filter → Controller
• Host/framework-independent concerns, e.g. authentication, belong in OWIN middleware
• Web API cross-cutting concerns, e.g. CORS and authorization, belong in message handlers and filters
Classic Authentication
• Windows Authentication
• Basic Authentication
• SSL client certificates
Intranet Scenario – Windows Authentication
• AD integrated
• Client and server are on a domain
• The user is a domain account
Web host (IIS), web.config:
<system.web>
  <authentication mode="Windows" />
</system.web>
Self host (HttpListener): turn on integrated Windows authentication on the listener itself
using System.Net;
using Owin;

public static IAppBuilder UseWindowsAuthentication(this IAppBuilder app)
{
    object value;
    // Katana's HttpListener server publishes the listener in the builder properties under this key;
    // under IIS the key is absent and the web.config setting above applies instead.
    if (app.Properties.TryGetValue("System.Net.HttpListener", out value))
    {
        var listener = value as HttpListener;
        if (listener != null)
        {
            listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;
        }
    }
    return app;
}
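For the second classic scheme, Basic Authentication, here is the 401 / WWW-Authenticate / Authorization exchange from the HTTP Authentication Framework slide implemented as Katana middleware. This is an added example, not code from the talk; the OwinMiddleware base class, IOwinContext and app.Use<T>() are Microsoft.Owin's, while the realm name, the UseBasicAuthentication extension and the user store in Startup are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Added example: Basic scheme as Katana middleware. Everything mounted after it
// is protected; use app.Map("/path", ...) if only part of the API needs it.
public class BasicAuthenticationMiddleware : OwinMiddleware
{
    private readonly string _realm;
    private readonly Func<string, string, bool> _validate;   // (user, password) -> ok

    public BasicAuthenticationMiddleware(OwinMiddleware next, string realm,
                                         Func<string, string, bool> validate)
        : base(next)
    {
        _realm = realm;
        _validate = validate;
    }

    public override async Task Invoke(IOwinContext context)
    {
        string user;
        if (TryGetCredentials(context.Request.Headers.Get("Authorization"), _validate, out user))
        {
            // Hand an identity to the rest of the pipeline; Web API's [Authorize] reads it.
            var identity = new ClaimsIdentity("Basic");
            identity.AddClaim(new Claim(ClaimTypes.Name, user));
            context.Request.User = new ClaimsPrincipal(identity);
            await Next.Invoke(context);
            return;
        }

        // Missing or bad credentials: challenge, exactly as on the slide.
        // Only ever do this over HTTPS; base64 is encoding, not encryption.
        context.Response.StatusCode = 401;
        context.Response.Headers.Set("WWW-Authenticate", "Basic realm=\"" + _realm + "\"");
    }

    // Parses "Basic base64(user:password)" and runs the validator over it.
    public static bool TryGetCredentials(string header, Func<string, string, bool> validate, out string user)
    {
        user = null;
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException)
        {
            return false;   // malformed base64 is a bad credential, not a server error
        }

        // Split on the first ':' only; a password may itself contain ':'.
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return false;

        string name = decoded.Substring(0, sep);
        string password = decoded.Substring(sep + 1);
        if (!validate(name, password)) return false;

        user = name;
        return true;
    }
}

public static class BasicAuthenticationExtensions
{
    public static IAppBuilder UseBasicAuthentication(this IAppBuilder app, string realm,
                                                     Func<string, string, bool> validate)
    {
        return app.Use<BasicAuthenticationMiddleware>(realm, validate);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Constructed user store for the example; a real one stores salted password hashes
        // (PBKDF2 or bcrypt) and compares hashes, never plaintext.
        var users = new Dictionary<string, string> { { "user", "password" } };
        app.UseBasicAuthentication("app", (name, pwd) =>
        {
            string expected;
            return users.TryGetValue(name, out expected) && expected == pwd;
        });
        // app.UseWebApi(config); controllers marked [Authorize] now see the Basic identity
    }
}
```

With the constructed store, the slide's header "Authorization: Basic dXNlcjpwYXNzd29yZA==" (user:password) is accepted and any other value, or no header at all, gets "401" with "WWW-Authenticate: Basic realm="app"". Because the password arrives on every request, this middleware belongs behind TLS and, on an internet-facing API, behind rate limiting as well.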
Modern Application
Users ask: Do I trust this app?
Clients ask: How can I securely communicate with the API?
The API asks: Who is the user? Who is the client? What are they authorised to do?
OAuth
Parties:
• Alice (Resource Owner)
• App (Client)
• Authorisation Server
• Web API (Resource Server)
Flow: the client asks the authorisation server for access on Alice's behalf (client_id = MyClient, scope = read); the authorisation server issues an access token; the client presents that access token to the Web API.
Scopes: read, write, delete
http://tools.ietf.org/html/rfc6749
OAuth 2.0 Flows
• User-agent (browser) based apps
• Native apps
• Server-rendered apps
• Machine to machine
• Federation
Resource Owner Password Credential Flow
• User gives its credentials to the client.
• The client access the auth server on behalf of the user with the credentials
• Client can optionally authenticate with the auth server using Basic authentication scheme.
• Auth server returns an access token – typically with a short expiry time
Trusted Clients/Applications – Corporate Environment
Resource Owner Password Credential Flow
• The client then access the Resource Server using the access token
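The five steps above, as an added example (not the talk's demo code) using Katana's OAuth authorisation server middleware from Microsoft.Owin.Security.OAuth. The client registry, the client secret, the user check and the allowed scope names are constructed for the example; OAuthAuthorizationServerProvider, its two overridden methods and the options type are Katana's.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Added example: the Resource Owner Password Credentials grant.
public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    // Constructed client registration; a real server looks these up in a store
    // and compares the secret in fixed time.
    private const string ClientId = "MyClient";
    private const string ClientSecret = "constructed-client-secret";

    // Step 3 on the slide: the client authenticates with Basic at the token
    // endpoint, so unknown clients are refused before the user's password is examined.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (context.TryGetBasicCredentials(out clientId, out clientSecret) &&
            clientId == ClientId && clientSecret == ClientSecret)
        {
            context.Validated(clientId);
        }
        else
        {
            context.SetError("invalid_client", "Client authentication failed.");
        }
        return Task.FromResult(0);
    }

    // Step 2: grant_type=password with the user's username and password in the POST body.
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!CheckUser(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }

        // Step 4: mint the token. Only the scopes this client may ask for are granted.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        foreach (var scope in context.Scope)
        {
            if (scope == "read" || scope == "write")
                identity.AddClaim(new Claim("scope", scope));
        }
        context.Validated(identity);
        return Task.FromResult(0);
    }

    private static bool CheckUser(string user, string password)
    {
        // Constructed: a real implementation verifies a salted password hash.
        return user == "alice" && password == "correct horse battery staple";
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new PasswordGrantProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15), // short-lived, as the slide says
            AllowInsecureHttp = false                            // the password travels in the POST body
        });

        // Resource server side (step 5): accept the bearer token on API calls.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        // app.UseWebApi(config); controllers then use [Authorize]
    }
}
```

On the wire the client POSTs to /token with "Authorization: Basic base64(MyClient:secret)" and a form body of "grant_type=password&username=alice&password=...&scope=read"; Katana answers with JSON containing access_token, token_type "bearer" and expires_in in seconds, and the client then sends "Authorization: Bearer <access_token>" to the Web API. With AllowInsecureHttp false the token endpoint refuses plain HTTP outright, which is the right default for a flow that carries a password.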
Implicit Flow – Untrusted Clients (Native / Browser-based clients)
• Credential input happens at the auth server, not in the client
• No client authentication: a client secret cannot be kept in a public device or a browser
• Client opens a web view (browser) to the auth server
• Auth server shows a login page and a consent screen
• Auth server redirects to the callback URL with the token in the # fragment, so it is not sent to the server hosting the callback
• Client extracts the access token and expiry from the fragment
• Client uses the access token to access the resource server
• The token passes through the user agent, so keep it short-lived; the auth server must not issue a refresh token in this flow (RFC 6749 §4.2)
Authorisation Code Flow – Server-based clients
For clients that can securely store a client secret and therefore authenticate to the auth server
• Client opens a web view to the auth server
• Auth server shows a login page and a consent screen
• Auth server sends back only an authorisation code; the access token is not exposed to the browser
• Client then posts directly to the auth server, authenticates itself and sends the authorisation code
• Auth server responds with the access token (and optionally a refresh token); the access token never passes through the browser
• Access tokens may be longer lived, since they never leave the back channel
Assertion Flow – OAuth Extension for Federation
• So far the auth server and the resource server have been in the same trusted subsystem
• Federation lets users log in with Facebook and then use that Facebook identity to access your backend services
• Facebook only does authorisation for its own backend, not yours: the assertion flow exchanges the externally issued identity (the assertion) for an access token issued by your own auth server
Cross Origin Resource Sharing
Same Origin Policy in browsers
• AJAX requests to a different host, port or protocol will fail
• CORS is a W3C standard that allows cross-origin HTTP requests
• For a simple request (e.g. a plain GET) the request still reaches the server and succeeds there; without CORS headers the browser then refuses to hand the response to script and reports an error. Non-simple requests are preflighted with OPTIONS and blocked unless the server opts in
• Supported in modern browsers only (IE 10+)
CORS support in Web API
• Install-Package Microsoft.AspNet.WebApi.Cors
• WebApiConfig.cs – config.EnableCors();
• Controller.cs – [EnableCors("origin", "headers", "verbs")]
  public class MyController : ApiController { }
Request header:
Origin: http://cors.local
Response header:
Access-Control-Allow-Origin: *
• "*" opens the endpoint to every origin and the browser will not combine it with credentials (cookies, Authorization); for an API that uses either, list the origins you expect and echo the matching one, e.g. Access-Control-Allow-Origin: http://cors.local
HAWK Authentication Scheme
Alternative to OAuth for the machine-to-machine scenario
• Authentication scheme using an HMAC digest of the request (and optionally the response) headers
• Server and client share a secret key for the HMAC
• The key itself is never sent; it is not part of the headers
• Client computes the HMAC over the request fields with the secret key
• Server computes the HMAC over the same fields with the same key and compares the result
• The timestamp (ts) and nonce give the server a window in which to detect replays
• Useful when SSL cannot be used: it proves who sent the request and that the signed fields were not altered, but it encrypts nothing, and the body is only covered if the client includes a payload hash
Request header:
Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", mac="werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"
Response header:
Server-Authorization: Hawk mac="YWojrFVgIjgd+RiPacnDwRcL8VtvcMEzahVfOpoLxoA=", hash="yAF3A3y3uzLvNT2m/nVwsifn1+joCqu0uNWZS8RSv6Y="
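A worked implementation of the request side of the scheme, added here and not taken from the talk or from the Hawk project's own code: the normalised string Hawk v1 signs, the MAC, the optional payload hash, and the server-side checks (timestamp window, MAC comparison, body hash, nonce replay) in the order a resource server should run them. The key id, shared key, timestamp and nonce are constructed; the in-memory nonce set stands in for a bounded cache that expires entries older than the skew window.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Added example of the Hawk v1 request MAC: the client builds the header, the
// server verifies it. The id, key, timestamp and nonce below are constructed.
public static class Hawk
{
    // Hawk's normalised string: one field per line, trailing newline. Host is
    // lower-cased and method upper-cased so harmless rewrites do not break the MAC.
    public static string Normalize(string type, long ts, string nonce, string method,
        string resource, string host, int port, string payloadHash, string ext)
    {
        return "hawk.1." + type + "\n" + ts + "\n" + nonce + "\n" +
               method.ToUpperInvariant() + "\n" + resource + "\n" +
               host.ToLowerInvariant() + "\n" + port + "\n" +
               (payloadHash ?? "") + "\n" + (ext ?? "") + "\n";
    }

    public static string Mac(byte[] key, string normalized)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(normalized)));
    }

    // Optional payload hash: without it the body is not covered by the MAC at all.
    public static string PayloadHash(string contentType, string body)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(
                Encoding.UTF8.GetBytes("hawk.1.payload\n" + contentType + "\n" + body + "\n")));
    }

    // Client side: the Authorization header for one request.
    public static string BuildHeader(string id, byte[] key, long ts, string nonce,
        string method, string resource, string host, int port, string payloadHash)
    {
        string mac = Mac(key, Normalize("header", ts, nonce, method, resource, host, port, payloadHash, null));
        string header = "Hawk id=\"" + id + "\", ts=\"" + ts + "\", nonce=\"" + nonce + "\"";
        if (payloadHash != null) header += ", hash=\"" + payloadHash + "\"";
        return header + ", mac=\"" + mac + "\"";
    }

    // Server state (constructed): keys by id, plus nonces already accepted.
    // In production the nonce set must be bounded and expire entries older than the skew window.
    static readonly Dictionary<string, byte[]> Keys = new Dictionary<string, byte[]>
    {
        { "dh37fgj492je", Encoding.UTF8.GetBytes("constructed-shared-secret-for-the-example") }
    };
    static readonly HashSet<string> SeenNonces = new HashSet<string>();
    const long AllowedSkewSeconds = 60;

    // Server side: verify the header against the request the server actually received.
    public static bool Verify(string authorization, string method, string resource,
        string host, int port, string payloadHash, long nowUnixSeconds)
    {
        if (authorization == null || !authorization.StartsWith("Hawk ")) return false;
        var attrs = new Dictionary<string, string>();
        foreach (Match m in Regex.Matches(authorization.Substring(5), "(\\w+)=\"([^\"]*)\""))
            attrs[m.Groups[1].Value] = m.Groups[2].Value;

        string id, tsText, nonce, mac, hash;
        if (!attrs.TryGetValue("id", out id) || !attrs.TryGetValue("ts", out tsText) ||
            !attrs.TryGetValue("nonce", out nonce) || !attrs.TryGetValue("mac", out mac)) return false;
        attrs.TryGetValue("hash", out hash);

        byte[] key; long ts;
        if (!Keys.TryGetValue(id, out key) || !long.TryParse(tsText, out ts)) return false;

        // 1. Freshness: a captured header is only replayable inside the skew window.
        if (Math.Abs(nowUnixSeconds - ts) > AllowedSkewSeconds) return false;

        // 2. Recompute over the method/URL/host/port the server saw, not what the client claims,
        //    and compare in fixed time so a byte-by-byte oracle cannot leak the MAC.
        string expected = Mac(key, Normalize("header", ts, nonce, method, resource, host, port, hash, null));
        if (!FixedTimeEquals(expected, mac)) return false;

        // 3. Bind the body: the client's hash must equal the hash of the bytes actually received.
        if (hash != null && !FixedTimeEquals(hash, payloadHash ?? "")) return false;

        // 4. Replay: checked last, so unauthenticated junk cannot fill the nonce set.
        return SeenNonces.Add(id + ":" + ts + ":" + nonce);
    }

    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Verify is called with the method, path, Host and port the server received and with PayloadHash(contentType, body) computed over the bytes it actually read; a second call with the same header returns false because of the nonce set, and a header whose ts is more than 60 seconds from the server clock is rejected before any HMAC is computed. The hand-rolled FixedTimeEquals is there because the .NET Framework of 2014 had no built-in constant-time comparison. The Server-Authorization header on the slide is the same construction run the other way, with "hawk.1.response" as the type and the response body's hash.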
With thanks to our sponsors
Thank you!