Uploaded by harsh090101kumar

Authentication and Authorization in ASP.NET Core

Authentication is verifying the identity of a user or system, typically by checking credentials like a username and password. It ensures that the person or entity accessing the system is who they claim to be.

Ways to Authenticate in .NET

1. Identity cookies - middleware.

2. ASP.NET Core Identity – leverages identity cookies. Offers a complete framework around them with functionality like password management and two-factor authentication. It even provides a ready-to-go user interface, such as the login screen.

3. Identity provider: if authentication has to go beyond the scope of just one application, we can use an identity provider that uses OpenID Connect and OAuth. Here we can centralize the authentication process for many applications.

Authorization is the process of granting or denying access to resources or actions based on a user's permissions. It determines what an authenticated user is allowed to do within a system.

Authorization limits what a user can do. It can be done directly or indirectly from claims.

Ways to do Authorization in .NET

1. ASP.NET Core Authorization

2. OAuth2

Adding Cookie Authentication

In the Program.cs file add the AddAuthentication extension method:

builder.Services.AddAuthentication("Cookies").AddCookie();

To use authentication, add the UseAuthentication middleware:

app.UseAuthentication(); // order is important: right after UseRouting.


An authentication scheme is a way to authenticate; there can be multiple ways to do authentication, just as a passport is needed to prove your citizenship and a school ID card to get entry into school. So in the AddAuthentication method we need to specify a name for the authentication scheme, which serves as the lookup string for the authentication method configured under it.

Restricting Access with the Authorize Attribute

Use the [Authorize] attribute at the top of a controller or action method.

[Authorize(AuthenticationSchemes = "<scheme name>")] if you don't want the default authentication scheme.

Can be added globally: AddControllers(o => o.Filters.Add(new AuthorizeFilter()));

How to set the Identity Cookie on login

Use HttpContext.SignInAsync(); as a parameter it needs a ClaimsPrincipal.

The object that represents a user is termed ClaimsPrincipal.

A ClaimsPrincipal contains a ClaimsIdentity object for each authentication scheme.

Every ClaimsIdentity object contains Claims.

All claims from each ClaimsIdentity are available through the Claims property of the ClaimsPrincipal object.

Use LocalRedirect to protect against open redirection attacks.
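As an added example (not the notes' own code), the pieces above wired together in a .NET 8 Program.cs: the Cookies scheme registration, the global AuthorizeFilter, and a login action that builds a ClaimsPrincipal, calls SignInAsync and returns a LocalRedirect. ICredentialChecker is a hypothetical interface the application implements against its own user store; everything else is framework API.

```csharp
// Program.cs, minimal hosting model (.NET 8). Added example, not code from the notes.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;

var builder = WebApplication.CreateBuilder(args);

// "Cookies" is the scheme name: the lookup string under which this handler is registered.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o => o.LoginPath = "/account/login");   // the Challenge action redirects here
builder.Services.AddAuthorization();

// Global AuthorizeFilter: every action requires authentication unless marked [AllowAnonymous].
builder.Services.AddControllersWithViews(o => o.Filters.Add(new AuthorizeFilter()));
// builder.Services.AddSingleton<ICredentialChecker, YourChecker>(); // hypothetical: supplied by the app

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();   // must follow UseRouting and precede UseAuthorization
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Hypothetical credential check against the application's own user store.
public interface ICredentialChecker { bool IsValid(string userName, string password); }

public class AccountController(ICredentialChecker checker) : Controller
{
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, string? returnUrl)
    {
        if (!checker.IsValid(userName, password))
            return Unauthorized();

        // One ClaimsIdentity per scheme; the ClaimsPrincipal aggregates them and exposes
        // every identity's claims through its Claims property.
        var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userName));
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        var principal = new ClaimsPrincipal(identity);

        // Issues the identity cookie, encrypted by ASP.NET Core Data Protection.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

        // LocalRedirect rejects absolute URLs, so returnUrl cannot be abused as an open redirect.
        return LocalRedirect(returnUrl ?? "/");
    }
}
```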

How to remove Identity Cookies

Encryption and decryption of cookies is secured by ASP.NET Core Data Protection.

Register AddHttpContextAccessor() in the dependency container, then inject IHttpContextAccessor into the class that needs to access the user's claims.

Problems with cookies:

They remain valid until the cookie expires, even if the user's account has changed in the meantime.

To overcome this we can override the cookie events.

Here logic can be added to validate the user against the database.


Cross-Site Request Forgery (CSRF) is a type of security
vulnerability where a malicious actor tricks a user into performing
actions they didn't intend to, on a website where they are already
authenticated. In a CSRF attack, the attacker exploits the trust that a site
has in the user's browser, causing the user to send unauthorized requests
to a site where they are logged in.

To prevent CSRF, the SameSite cookie attribute is used:

SameSite=Lax: allows cookies to be sent with top-level navigations (e.g., form submissions and link clicks), but blocks them for cross-site requests in embedded contexts like iframes and AJAX.

SameSite=Strict: only sends cookies if the request originates from the same site (no cross-site requests allowed), ensuring the highest level of security.

SameSite=None: allows cookies to be sent with all cross-site requests, but requires the Secure flag (only works over HTTPS) to prevent misuse.
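An added example (not from the notes) of hardening the cookie scheme for the two problems described above: SameSite and Secure settings against CSRF, and an OnValidatePrincipal event that re-checks the user against the store so the cookie stops working as soon as the account changes, instead of only when it expires. IUserStatusService and the security_stamp claim name are assumptions; the claim would be written at sign-in.

```csharp
// Added example: cookie options hardened against CSRF and stale cookies.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical application service: returns the user's current security stamp,
// or null when the account no longer exists or is disabled.
public interface IUserStatusService
{
    Task<string?> GetSecurityStampAsync(string userId);
}

public static class CookieHardening
{
    public const string SecurityStampClaim = "security_stamp"; // assumed claim written at sign-in

    public static void Configure(CookieAuthenticationOptions options)
    {
        // CSRF: Strict never sends the cookie on a cross-site request; Secure keeps it off plain HTTP.
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.HttpOnly = true;
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
        options.SlidingExpiration = true;

        // Revocation: re-validate the user from the store on each request instead of trusting
        // the cookie until it expires. Keep the lookup cheap (or cache it) since it runs per request.
        options.Events.OnValidatePrincipal = async context =>
        {
            var userId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            var stampInCookie = context.Principal?.FindFirst(SecurityStampClaim)?.Value;
            var store = context.HttpContext.RequestServices.GetRequiredService<IUserStatusService>();

            var currentStamp = userId is null ? null : await store.GetSecurityStampAsync(userId);
            if (currentStamp is null || currentStamp != stampInCookie)
            {
                // Account deleted, disabled or password changed: drop the principal and the cookie.
                context.RejectPrincipal();
                await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    }
}

// Registration in Program.cs:
// builder.Services.AddAuthentication("Cookies").AddCookie(CookieHardening.Configure);
```
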
Scheme Actions:

Authenticate: how the ClaimsPrincipal gets reconstructed on every request.

Challenge: determines what happens if the user tries to access a resource for which authentication is required. Example: the cookie scheme will redirect to account/login; for Google auth it will redirect to the Google identity provider.

Forbid: what happens if users access a resource they can't access because they don't have sufficient rights.

Authentication with ASP.NET Core Identity

- Helps to build identity cookie-based authentication in our application.

- Adds the needed functionality around authentication.

When adding Identity to an existing application, before scaffolding it is better to create an ApplicationUser class derived from IdentityUser for better control.

SecurityStamp claim

How to transform claims.

Role support is disabled by default.

Role is a claim type, but the source of the claim is not the UserClaim or UserType table.

Adding Email Functionality

Generate the code and store it in the AspNetUserToken table.


Multi-application authentication with OpenID Connect

An identity provider is a service application; you could see it as a special kind of API that is added to the application landscape. It facilitates a centralized way to do authentication that works across several applications.

Two types of token:

- Identity token: contains personal data of the user (claims); it is used to build the identity cookie and is then discarded.

- Access token: when the client requests protected resources (an API), it has to send along an access token. It can also contain one or more claims of the user, so the API can do authorization if needed.

OAuth2: access token.

OpenID Connect: built on top of OAuth2 (identity token + access token).

Scopes: refer to the range or extent of permissions, access, or actions that a user, application, or system is authorized to perform on a specific resource or set of resources.

There are two kinds of scopes:

1. Identity scopes: baskets of user claims.

2. API scopes: used to request access to an API.

Response Type: what the client wants from the authorization endpoint.

Redirect URI: where the client wants what is requested from the authorization endpoint to be delivered. It's a URL on the client that the identity provider will redirect to.

ClientId and RedirectUri should be known to the identity provider.

Authority: URL of the identity provider.

The openid and profile scopes are added by default; only if the openid scope is added will we get the identity token (UserId, Subject, claims).

Profile contains several personal claims.

SaveTokens means the access token must be saved in the identity cookie. When accessing the API, the client can easily retrieve it from there using the HTTP context.

There is a chance the authorization code is intercepted by an attacker.

To avoid this, PKCE protection is added.
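An added example (not the notes' code) of the settings listed above in a .NET 8 Program.cs using the Microsoft.AspNetCore.Authentication.OpenIdConnect package: cookie scheme for Authenticate, OIDC scheme for Challenge, code flow with PKCE, identity and API scopes, SaveTokens, and an endpoint that pulls the saved access token from the HTTP context to call the API. The authority, client id, API scope and API URL are placeholders.

```csharp
// Added example: OpenID Connect client configuration. Authority, client id, scope and API URL are placeholders.
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
builder.Services.AddAuthorization();

builder.Services.AddAuthentication(options =>
    {
        // Authenticate action: rebuild the ClaimsPrincipal from the identity cookie on every request.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Challenge action: unauthenticated users are sent to the identity provider, not a local login page.
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://idp.example.com";            // placeholder identity provider URL
        options.ClientId = "webclient";                           // placeholder; must be registered at the IdP
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // read from config, never hard-coded
        options.ResponseType = OpenIdConnectResponseType.Code;    // authorization code flow
        options.UsePkce = true;                                   // protects the code if it is intercepted
        options.CallbackPath = "/signin-oidc";                    // the redirect URI registered at the IdP
        options.Scope.Clear();
        options.Scope.Add("openid");      // identity scope: required to receive an identity token
        options.Scope.Add("profile");     // identity scope: basket of personal claims
        options.Scope.Add("orders.read"); // placeholder API scope for the protected API
        options.SaveTokens = true;        // keep the tokens in the identity cookie for later API calls
        options.GetClaimsFromUserInfoEndpoint = true;
    });

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Protected endpoint: retrieves the saved access token and sends it as a Bearer token to the API.
app.MapGet("/orders", async (HttpContext ctx, IHttpClientFactory factory) =>
{
    var accessToken = await ctx.GetTokenAsync("access_token");
    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    return await client.GetStringAsync("https://api.example.com/orders"); // placeholder API URL
}).RequireAuthorization();

app.Run();
```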


Securing ASP.NET Core with OAuth2 and OpenID Connect

OAuth2: an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.

A client application can request an access token to gain access to an API.

- OAuth2 defines how a client application can securely achieve authorization.
- Homegrown endpoints are replaced by endpoints from the OAuth2 standard.
- The standard defines how to use these endpoints for different types of client applications.

Azure AD, Duende IdentityServer, Ping, Okta/Auth0 implement the OAuth2 standard.

OpenID: OpenID Connect is a simple identity layer on top of the OAuth2 protocol.

- A client application can request an identity token (next to an access token).
- That identity token is used to sign in to the client application.
