Securing your application is bloody important. With so much jargon to sift through, it’s easy to get lost, for example there’s SSO, OAuth2, SAML 2.0, OpenID Connect, Federated Identity, 2FA, & MFA. Just to name a few! 😱 In this talk, Anthony will take an in depth look at Federated Identity using OpenID Connect and OAuth2 Framework for ASP. NET Core using Duende IdentityServer (aka IdentityServer 5). You will walk away knowing how to navigate the security options and avoid the madness.
[Authorize(Roles = ConstantRoles.Admin)] public class RolesManagerController : Controller
[Authorize(Policy="RequireAdministratorRole")]
public IActionResult Get()
{
/* .. */
} public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Admin"));
});
} [Authorize(Roles = "Administrator, PowerUser, BackupAdministrator")]
options.AddPolicy("ElevatedRights", policy => policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator")); [Authorize(Policy = "ElevatedRights")]
public IActionResult Shutdown()
{
return View();
} services.AddAuthorization(options =>
{
options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber"));
}); [Authorize(Policy = "EmployeeOnly")]
public IActionResult VacationBalance()
{
return View();
} public class DynamicPermissionRequirement : IAuthorizationRequirement
{
} public class DynamicPermissionsAuthorizationHandler : AuthorizationHandler<DynamicPermissionRequirement>
{
private readonly ISecurityTrimmingService _securityTrimmingService;
public DynamicPermissionsAuthorizationHandler(ISecurityTrimmingService securityTrimmingService)
{
_securityTrimmingService = securityTrimmingService;
_securityTrimmingService.CheckArgumentIsNull(nameof(_securityTrimmingService));
}
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
DynamicPermissionRequirement requirement)
{
var mvcContext = context.Resource as AuthorizationFilterContext;
if (mvcContext == null)
{
return Task.CompletedTask;
}
var actionDescriptor = mvcContext.ActionDescriptor;
var area = actionDescriptor.RouteValues["area"];
var controller = actionDescriptor.RouteValues["controller"];
var action = actionDescriptor.RouteValues["action"];
if(_securityTrimmingService.CanCurrentUserAccess(area, controller, action))
{
context.Succeed(requirement);
}
else
{
context.Fail();
}
return Task.CompletedTask;
}
} private static void addDynamicPermissionsPolicy(this IServiceCollection services)
{
services.AddScoped<IAuthorizationHandler, DynamicPermissionsAuthorizationHandler>();
services.AddAuthorization(opts =>
{
opts.AddPolicy(
name: ConstantPolicies.DynamicPermission,
configurePolicy: policy =>
{
policy.RequireAuthenticatedUser();
policy.Requirements.Add(new DynamicPermissionRequirement());
});
});
} [Authorize(Policy = ConstantPolicies.DynamicPermission)]
[DisplayName("کنترلر نمونه با سطح دسترسی پویا")]
public class DynamicPermissionsSampleController : Controller public interface IMvcActionsDiscoveryService
{
ICollection<MvcControllerViewModel> MvcControllers { get; }
ICollection<MvcControllerViewModel> GetAllSecuredControllerActionsWithPolicy(string policyName);
} [Authorize(Policy = ConstantPolicies.DynamicPermission)]
return user.HasClaim(claim => claim.Type == ConstantPolicies.DynamicPermissionClaimType && claim.Value == currentClaimValue);
public override void Process(TagHelperContext context, TagHelperOutput output)
{
context.CheckArgumentIsNull(nameof(context));
output.CheckArgumentIsNull(nameof(output));
// don't render the <security-trimming> tag.
output.TagName = null;
if(_securityTrimmingService.CanCurrentUserAccess(Area, Controller, Action))
{
// fine, do nothing.
return;
}
// else, suppress the output and generate nothing.
output.SuppressOutput();
} <security-trimming asp-area="" asp-controller="DynamicPermissionsTest" asp-action="Products">
<li>
<a asp-controller="DynamicPermissionsTest" asp-action="Products" asp-area="">
<span class="left5 fa fa-user" aria-hidden="true"></span>
گزارش از لیست محصولات
</a>
</li>
</security-trimming> var ticketStore = provider.GetService<ITicketStore>(); identityOptionsCookies.ApplicationCookie.SessionStore = ticketStore; // To manage large identity cookies
public class User
{
public string Name { set; get; }
} public record User
{
public string Name { set; get; }
} var user = new User(); user.Name = "User 1";
public record User(string Name);
var user = new User("User 1");
// Error: Init-only property or indexer 'User.Name' can only be assigned
// in an object initializer, or on 'this' or 'base' in an instance constructor
// or an 'init' accessor. [CS9Features]csharp(CS8852)
user.Name = "User 1"; public record User(string Name);
using System;
using System.Collections.Generic;
using System.Runtime.CompilerServices;
using System.Text;
using CS9Features;
public class User : IEquatable<User>
{
protected virtual Type EqualityContract
{
[System.Runtime.CompilerServices.NullableContext(1)]
[CompilerGenerated]
get
{
return typeof(User);
}
}
public string Name
{
get;
set/*init*/;
}
public User(string Name)
{
this.Name = Name;
base..ctor();
}
public override string ToString()
{
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append("User");
stringBuilder.Append(" { ");
if (PrintMembers(stringBuilder))
{
stringBuilder.Append(" ");
}
stringBuilder.Append("}");
return stringBuilder.ToString();
}
protected virtual bool PrintMembers(StringBuilder builder)
{
builder.Append("Name");
builder.Append(" = ");
builder.Append((object?)Name);
return true;
}
[System.Runtime.CompilerServices.NullableContext(2)]
public static bool operator !=(User? r1, User? r2)
{
return !(r1 == r2);
}
[System.Runtime.CompilerServices.NullableContext(2)]
public static bool operator ==(User? r1, User? r2)
{
return (object)r1 == r2 || (r1?.Equals(r2) ?? false);
}
public override int GetHashCode()
{
return EqualityComparer<Type>.Default.GetHashCode(EqualityContract) * -1521134295 + EqualityComparer<string>.Default.GetHashCode(Name);
}
public override bool Equals(object? obj)
{
return Equals(obj as User);
}
public virtual bool Equals(User? other)
{
return (object)other != null && EqualityContract == other!.EqualityContract && EqualityComparer<string>.Default.Equals(Name, other!.Name);
}
public virtual User <Clone>$()
{
return new User(this);
}
protected User(User original)
{
Name = original.Name;
}
public void Deconstruct(out string Name)
{
Name = this.Name;
}
} public virtual User <Clone>$()
{
return new User(this);
} public record User(string Name, int Age);
var user1 = new User("User 1", 21); var user2 = user1 with { Age = 31 }; var user1 = new User("User 1", 21);
var user2 = new User("User 1", 21); Console.WriteLine("user1.Equals(user2) -> {0}", user1.Equals(user2));
Console.WriteLine("user1 == user2 -> {0}", user1 == user2); user1.Equals(user2) -> True user1 == user2 -> True
public virtual bool Equals(User? other)
{
return (object)other != null &&
EqualityContract == other!.EqualityContract &&
EqualityComparer<string>.Default.Equals(Name, other!.Name) &&
EqualityComparer<int>.Default.Equals(Age, other!.Age);
} public record User
{
public string Name { get; init; }
public User(string name)
{
Name = name;
}
}
public record UserWithAge : User
{
public int Age { get; init; }
public UserWithAge(string name, int age) : base(name)
{
Age = age;
}
} var user1 = new User("User 1");
var user2 = new UserWithAge("User 1", 21);
Console.WriteLine("user1.Equals(user2) -> {0}", user1.Equals(user2));
Console.WriteLine("user1 == user2 -> {0}", user1 == user2); user1.Equals(user2) -> False user1 == user2 -> False
public abstract record Food(int Calories); public record Milk(int C, double FatPercentage) : Food(C);
Console.WriteLine(user1.ToString()); Console.WriteLine(user2.ToString());
User { Name = User 1 }
UserWithAge { Name = User 1, Age = 21 } public record Person(string Name, int Age);
public void Deconstruct(out string Name, out int Age)
{
Name = this.Name;
Age = this.Age;
} var (name, age) = new Person("User 1", 21); public record Person([Required] string Name, [Range(0, 150)] int Age);
public class PersonController
{
public IActionResult Index() => View();
[HttpPost]
public IActionResult Index(Person person)
{
// ...
}
} 
{
"jti": "b2921057-32a4-fbb2-0c18-5889c1ab8e70",
"iss": "https://localhost:5001/",
"iat": 1576402824,
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Vahid N.",
"DisplayName": "Vahid N.",
"http://schemas.microsoft.com/ws/2008/06/identity/claims/userdata": "1",
"http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Admin",
"nbf": 1576402824,
"exp": 1576402944,
"aud": "Any"
} class App extends Component {
state = {}; > npm install --save jwt-decode
import jwtDecode from "jwt-decode";
// ...
class App extends Component {
state = {};
componentDidMount() {
try {
const jwt = localStorage.getItem("token");
const currentUser = jwtDecode(jwt);
console.log("currentUser", currentUser);
this.setState({ currentUser });
} catch (ex) {
console.log(ex);
}
} render() {
return (
<React.Fragment>
<ToastContainer />
<NavBar user={this.state.currentUser} />
<main className="container"> const NavBar = ({ user }) => { {!user && (
<React.Fragment>
<NavLink className="nav-item nav-link" to="/login">
Login
</NavLink>
<NavLink className="nav-item nav-link" to="/register">
Register
</NavLink>
</React.Fragment>
)} {user && (
<React.Fragment>
<NavLink className="nav-item nav-link" to="/logout">
Logout
</NavLink>
<NavLink className="nav-item nav-link" to="/profile">
{user.DisplayName}
</NavLink>
</React.Fragment>
)} 
this.props.history.push("/"); window.location = "/";
<NavLink className="nav-item nav-link" to="/logout"> Logout </NavLink>
import Logout from "./components/logout";
// ...
class App extends Component {
render() {
return (
// ...
<Switch>
// ...
<Route path="/logout" component={Logout} /> import { Component } from "react";
class Logout extends Component {
componentDidMount() {
localStorage.removeItem("token");
window.location = "/";
}
render() {
return null;
}
}
export default Logout; const tokenKey = "token";
export async function login(email, password) {
const {
data: { access_token }
} = await http.post(apiEndpoint + "/login", { email, password });
console.log("JWT", access_token);
localStorage.setItem(tokenKey, access_token);
} const { data } = this.state;
await auth.login(data.username, data.password);
window.location = "/"; export function logout() {
localStorage.removeItem(tokenKey);
} import * as auth from "../services/authService";
class Logout extends Component {
componentDidMount() {
auth.logout(); import jwtDecode from "jwt-decode";
//...
export function getCurrentUser() {
try {
const jwt = localStorage.getItem(tokenKey);
const currentUser = jwtDecode(jwt);
console.log("currentUser", currentUser);
return currentUser;
} catch (ex) {
console.log(ex);
return null;
}
} import * as auth from "./services/authService";
class App extends Component {
state = {};
componentDidMount() {
const currentUser = auth.getCurrentUser();
this.setState({ currentUser });
} export function loginWithJwt(jwt) {
localStorage.setItem(tokenKey, jwt);
} import * as auth from "../services/authService"; // ... const response = await userService.register(this.state.data); auth.loginWithJwt(response.headers["x-auth-token"]);
public class Customer
{
public string Email { get; private set; }
public string Name { get; private set; }
private Customer(email, name)
{
Email = email;
Name = name;
}
public static Result<Customer> New(string email, string name, INewCustomerPolicy policy)
{
var isUnique = policy.IsUnique(email);
if (!isUnique)
{
return Result.Fail<Customer>("Customer with this email already exists.");
}
var customer = new Customer(email, name);
//customer.AddDomainEvent(new CustomerRegistered(customer));
return Result.Ok(customer);
}
}