Category Archives: Security


I’ve been playing around with Authorize attributes in .NET Core as of late. With a custom (derived) authorization attribute, it seemed like it wasn’t always being evaluated. This caused me to pause and take a step back to examine using the built-in policy-based authorization.

It seems like only yesterday when I set up an OWIN OAuth server to provide single sign-on capabilities for all of my apps. Since that time, though, OWIN has fallen by the wayside in favor of the newer security mechanisms in .NET Core. However, it is possible to make an OWIN application play nicely with a .NET Core application and share cookie-based authentication between them.

Since the OAuth server I’ve detailed previously uses OWIN, I’ve been looking at what it will take to move it to .NET Core. The OWIN OAuth server handles all of the secure token creation, and this functionality is not provided by .NET Core’s native middleware.

My first thought is to integrate with IdentityServer4 or OpenIddict, both of which provide secure token generation and are .NET Core compatible. After some cursory information gathering, I’m putting a few research links here for later use.

https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
https://blogs.msdn.microsoft.com/webdev/2017/01/23/asp-net-core-authentication-with-identityserver4/
https://github.com/openiddict/openiddict-core
https://www.scottbrady91.com/Identity-Server/Getting-Started-with-IdentityServer-4
http://stackoverflow.com/questions/35304038/identityserver4-register-userservice-and-get-users-from-database-in-asp-net-core

After using OWIN for months for basic OAuth authentication, it’s apparent that Microsoft is abandoning OWIN. This isn’t necessarily a bad thing. .NET Core is built on a structure similar to the one implemented in OWIN; essentially, we have a familiar middleware pipeline.

My current single sign-on server, which uses OWIN, does not store information regarding users’ identities. On the back end, it makes LDAP queries to Active Directory to authenticate users and then makes additional LDAP queries to determine roles and authorization.

Since I’ve been playing with Azure lately, I wanted to re-tool this solution to allow toggling between a data store for user identity information and Active Directory.

If you recall my previous post on ASP.NET anti-forgery configuration options, you may be familiar with the way the ASP.NET MVC AntiForgeryToken helper adds the “X-Frame-Options: SAMEORIGIN” header to server responses. This header prevents other domains from displaying your site in an iframe. Your only option for managing this feature is to disable it completely.

An all-or-nothing approach to configuration is quite inflexible. Additionally, if we are using the web.config to handle our configuration, that too is pretty rigid and hard to manage.

ASP.NET has some useful security options to help prevent cross-site scripting, clickjacking, and other vulnerabilities. However, configuring these options has a few caveats.

With a new project we have, I was tasked with working on security. Initially, I used OWIN and cookie authentication to implement a simple login, and all was good. However, we wanted to remove the ability to log in directly and instead have it driven by an external site redirecting the user with a token.