Token Authentication in ASP.NET Core
Nate Barbettini (@nbarbettini)

Posted 15-Apr-2017

TRANSCRIPT

Page 1: Token Authentication in ASP.NET Core

Nate Barbettini (@nbarbettini)

Page 2: Overview

● How Sessions Work (And Why They Suck)
● How Token Authentication Works
● Tokens + ASP.NET Core

Page 3: How Sessions Work

Browser                                        ASP.NET (with a Session Store)

Log In: [email protected] / MySecretPassword123!
  (1) POST /login   -------------------------->
                                               Session Store: session=dh7jWkx8fj
  (2) 200 OK        <--------------------------
      Set-Cookie: session=dh7jWkx8fj;

Open Profile Page
  (3) GET /profile  -------------------------->
      Cookie: session=dh7jWkx8fj;
                                               Session Store: dh7jWkx8fj (looked up on each request)
  (4) 200 OK        <--------------------------
Profit!

Page 4: Drawbacks of Sessions

● Scaling is hard
● Doesn’t work with mobile

Page 5: How Token Authentication Works

Browser                                        ASP.NET (no session store)

Log In: [email protected] / MySecretPassword123!
  (1) POST /login   -------------------------->
  (2) 200 OK        <--------------------------
      eyJ0eXAiOiJKV...
Stored token: eyJ0eXAiOiJKV...

Open Profile View
  (3) GET /profile  -------------------------->
      Authorization: Bearer eyJ0eXAiOiJKV...
  (4) 200 OK        <--------------------------
Profit!

Page 6: Advantages of Tokens

● Stateless!
● Works on both web and mobile
● Flexible

Page 7: Anatomy of JSON Web Tokens

● A JWT is a JSON object that’s been stringified and base64-encoded:

  eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
  .eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE0NjU1ODAwNzEsImV4cCI6MTQ5NzExNjA3NywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoibmF0ZUBleGFtcGxlLmNvbSIsImlzQXdlc29tZSI6InRydWUiLCJwcm92aWRlcyI6WyJzdGF0ZWxlc3MiLCJhdXRoZW50aWNhdGlvbiJdfQ
  .VXrLbyQeJfDmwTAg-JnRsyD23RYMQJshTx79z2STu0U

  First part (red on the slide) = Header
  Second part (blue) = Payload (“claims”)
  Third part (green) = Cryptographic signature (JWS)

Page 8: Anatomy of JSON Web Tokens

Header:
  { "typ": "JWT", "alg": "HS256" }

Body:
  {
    "iss": "Online JWT Builder",
    "iat": 1465580071,
    "exp": 1497116077,
    "aud": "www.example.com",
    "sub": "[email protected]",
    "isAwesome": "true",
    "provides": [ "stateless", "authentication" ]
  }

Page 9: Token Security

● Cryptographically signed by the server
● Signature guarantees it hasn’t been forged or altered

Page 10: Token Security

● Token expiration (exp claim) and not-before (nbf claim)
● Optional token revocation using a nonce (jti claim)
● Use HTTPS (TLS) everywhere!
● Store tokens securely
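A worked version of slides 7 through 10, added here and not taken from the talk or from SimpleTokenProvider: it splits a token into the three parts shown on slide 7 (they are base64url-encoded, so '-' and '_' are mapped back and padding restored before decoding), recomputes the HS256 signature over header.payload, and only then enforces exp, nbf and a jti deny-list. The names JwtCheck, Validate and revokedJti are my own; it assumes .NET Core 3.0 or later for System.Text.Json.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example: manual HS256 JWT check (names are mine, not from SimpleTokenProvider).
static class JwtCheck
{
    // JWT segments are base64url without padding: restore the '+' '/' alphabet and '='.
    static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    // Returns the payload claims if the token verifies; throws otherwise.
    public static JsonElement Validate(string token, byte[] key, ISet<string> revokedJti)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) throw new Exception("malformed token");

        // 1. Pin the algorithm we issue with; the header is untrusted text until the signature checks out.
        var header = JsonDocument.Parse(FromBase64Url(parts[0])).RootElement;
        if (header.GetProperty("alg").GetString() != "HS256") throw new Exception("unexpected alg");

        // 2. Recompute HMAC-SHA256 over "header.payload" (slide 9) and compare in constant time.
        using var hmac = new HMACSHA256(key);
        byte[] expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
        if (!CryptographicOperations.FixedTimeEquals(expected, FromBase64Url(parts[2])))
            throw new Exception("bad signature");

        // 3. Only a verified payload may be read. exp and nbf are Unix seconds (slide 10).
        var claims = JsonDocument.Parse(FromBase64Url(parts[1])).RootElement;
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        if (claims.TryGetProperty("exp", out var exp) && exp.GetInt64() <= now) throw new Exception("expired");
        if (claims.TryGetProperty("nbf", out var nbf) && nbf.GetInt64() > now) throw new Exception("not yet valid");

        // 4. Optional revocation: jti is a per-token nonce the server can deny-list (slide 10).
        if (claims.TryGetProperty("jti", out var jti) && revokedJti.Contains(jti.GetString()))
            throw new Exception("revoked");
        return claims;
    }
}
```

Call it as JwtCheck.Validate(token, keyBytes, revokedSet) with the same key bytes the issuer signed with; the slide 7 token cannot be verified here because its signing secret is not on the slides.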

Page 11: Where to Store Tokens?

● On mobile: local device storage, sent via HTTP headers
● On the web: cookies, or HTML5 storage plus HTTP headers

Page 12: Where to Store Tokens?

● HTML5 web storage: vulnerable to XSS (cross-site scripting)
● Cookies: not vulnerable to XSS
  ○ Set the HttpOnly and Secure flags
  ○ Still need to protect against CSRF
● More info: Stormpath blog
  https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
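The cookie option from slide 12 in code, added here as an example rather than taken from the talk: the unflagged cookie that script and plain-http requests can expose, beside the HttpOnly + Secure form, plus the anti-forgery check the slide says is still needed because the browser now attaches the cookie on its own. It assumes ASP.NET Core 2.0 or later and an encodedJwt string produced as on slide 14; the controller and route names are my own, and SameSite goes beyond what the slide lists.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Added example (not from the talk): storing the JWT in a cookie safely.
public class TokenCookieController : Controller
{
    // Weak: no flags, so an XSS payload can read the token and a plain-http request can leak it.
    //   Response.Cookies.Append("access_token", encodedJwt);

    [HttpPost("login")]
    public IActionResult Login(string encodedJwt)   // encodedJwt: built as on slide 14
    {
        Response.Cookies.Append("access_token", encodedJwt, new CookieOptions
        {
            HttpOnly = true,                 // not readable from document.cookie (XSS mitigation)
            Secure = true,                   // only ever sent over HTTPS (slide 10)
            SameSite = SameSiteMode.Strict,  // beyond the slide: withheld on cross-site requests
            Expires = DateTimeOffset.UtcNow.AddMinutes(5)  // match the token's own exp
        });
        return Ok();
    }

    // The cookie is attached automatically, so state-changing endpoints must also demand
    // an anti-forgery token that only a same-origin page can obtain (CSRF, slide 12).
    [HttpPost("profile/update")]
    [ValidateAntiForgeryToken]
    public IActionResult UpdateProfile() => Ok();
}

// In Startup.ConfigureServices, so a JavaScript client can send the token in a header:
//   services.AddAntiforgery(o => o.HeaderName = "X-CSRF-TOKEN");
```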

Page 13: Generating Tokens in ASP.NET Core

● This functionality was included in ASP.NET, but was removed from ASP.NET Core.
● The community has stepped up to build this functionality:
  ○ Stormpath ASP.NET Core plugin
  ○ Thinktecture IdentityServer4
  ○ AspNet.Security.OpenIdConnect.Server
  ○ OpenIddict

Page 14: Generating Tokens in ASP.NET Core

● Basic JWT creation: JwtSecurityTokenHandler

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

// `username` and `_options` (Issuer, Audience, SigningCredentials) come from the
// surrounding sample; see SimpleTokenProvider on slide 15.
var now = DateTime.UtcNow;

var claims = new Claim[]
{
    new Claim(JwtRegisteredClaimNames.Sub, username),
    // jti: a unique id per token, which is what makes revocation possible (slide 10)
    new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
};

// Create the JWT and write it to a string
var jwt = new JwtSecurityToken(
    issuer: _options.Issuer,
    audience: _options.Audience,
    claims: claims,
    notBefore: now,
    expires: now.Add(TimeSpan.FromMinutes(5)),
    signingCredentials: _options.SigningCredentials);
var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);

Page 15: Generating Tokens in ASP.NET Core

● Nate’s simple example on Github:
  https://github.com/nbarbettini/SimpleTokenProvider

Page 16: Validating Tokens in ASP.NET Core

● Validating incoming Bearer (HTTP header) tokens is easy!

using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Demo only: in a real app the key comes from configuration, not from source code.
var mySecretKey = new SymmetricSecurityKey(
    Encoding.ASCII.GetBytes("mysupersecret_secretKey!123"));

// ASP.NET Core 1.x middleware, registered in Startup.Configure
app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
    AutomaticAuthenticate = true,
    TokenValidationParameters = new TokenValidationParameters()
    {
        IssuerSigningKey = mySecretKey,
        ValidateLifetime = true,
        ValidIssuer = "MyApplication",
        ValidAudience = "https://app.example.com",
    }
});
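The same validation on ASP.NET Core 2.0 and later, added here as an example and not taken from the talk: UseJwtBearerAuthentication was replaced by AddAuthentication().AddJwtBearer(), the secret is read from configuration instead of being hard-coded, and every check the slide relies on is switched on explicitly. The configuration key name Jwt:Key and the JwtBearerSetup class are my own.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the talk): bearer validation on ASP.NET Core 2.0+.
public static class JwtBearerSetup
{
    public static void Configure(IServiceCollection services, IConfiguration config)
    {
        // The signing secret lives in configuration or a secret store, never in source control.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["Jwt:Key"]));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.RequireHttpsMetadata = true;   // slide 10: TLS everywhere
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,   // reject tokens not signed with our key
                    IssuerSigningKey = key,
                    ValidateIssuer = true,
                    ValidIssuer = "MyApplication",
                    ValidateAudience = true,
                    ValidAudience = "https://app.example.com",
                    ValidateLifetime = true,           // enforces exp and nbf (slide 10)
                    ClockSkew = TimeSpan.FromMinutes(1) // default is 5 minutes; tighten it
                };
            });
    }
}
```

Pair it with app.UseAuthentication() in the request pipeline; the [Authorize] attribute then rejects requests whose Bearer token fails any of these checks.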

Page 17: Validating Tokens in ASP.NET Core

● JWTs in cookies?
  See SimpleTokenProvider on Github: https://github.com/nbarbettini/SimpleTokenProvider

Page 18: About Stormpath

● Hosted user identity and authentication/authorization API
● Token generation and authentication
● Single Sign-On across multiple applications
● Multi-tenant support for SaaS applications
● Free (forever) developer tier

Page 19: Links

● Token authentication in ASP.NET Core tutorial (this talk)
  https://stormpath.com/blog/token-authentication-asp-net-core
● Nate’s SimpleTokenProvider sample
  https://github.com/nbarbettini/SimpleTokenProvider
● Web storage vs. cookies
  https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

Page 20: Thank you!

Nate Barbettini
@nbarbettini
recaffeinate.co .ws