That Conference 2018 – Securing Your ASP.NET Core Applications

That Conference 2018, Kalahari Resort, Lake Delton, WI
Securing Your ASP.NET Core Applications – Cecil Phillip

Day 3, 8 Aug 2018  1:00 PM

Disclaimer: This post contains my own thoughts and notes based on attending That Conference 2018 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of the speakers.

Executive Summary

  • Quick review of authentication pipeline
  • Various options for authentication

ASP.NET Core 2

  • Cross platform web framework
  • Targets .NET Standard 2.0
  • Introduces Razor Pages
  • SignalR Core available
  • ASP.NET Core 2.1 out now

Middleware Pipeline

  • diagram

Application Startup

  • Startup.cs
  • Configure takes IApplicationBuilder, IHostingEnvironment
  • app.UserXyz, app.UsePdq
  • The order of middleware matters


  • In VStudio, two servers
    • IIS Express
      • Enable SSL in properties
    • Kestrel – cross-platform
      • Have to use .NET CLI tool
      • dotnet dev-certs https –trust
      • Generates self-signed cert that’s automatically trusted
      • This cert doesn’t appear in cert manager
      • MMC – add snap-in, Certificates snap-in, My user account
      • Now looking at certs for the current user only
      • Now you see the dev cert that we just created
  • When you run, you fire up 2 endpoints–HTTP, HTTPS–that it’s listening too
  • Remove cert
    • dotnet dev-certs https –clean
  • Do not use this dev cert in production
    • Only for local development


  • Many options, i.e. middleware
    • Cookies
    • Twitter
    • Google
    • JWT Tokens
    • Facebook
    • OpenID Connect
    • Microsoft Accounts
    • Custom
    • Windows

Cookie Authentication Demo

  • In ConfigureServices, services.AddAuthentication
  • .AddCookie
  • In Configure, do app.UseAuthentication
    • Need to do this before UseMvcWithDefaultRoute
  • Mvc is a “terminating middleware”–stuff after it won’t run
  • Controller code
    • Login action, with LoginViewModel
    • Create ClaimsIdentity with a Claim
    • Pass in to HttpContext.SignInAsync
  • Back in ConfigureServices
    • .AddCookie takes opts with authentication events
    • We can handle various events as part of pipeline
      • Kick out existing logged in user

Twitter Authentication Demo

  • .AddAuthentication, AddCookie, AddTwitter (pass in client ID and secret)
  • Still just do app.UseAuthentication in Configure


  • Manage user secrets
  • Lives in app profile
  • JSON data with different secrets, e.g. Twitter-ClientSecret
  • (or) dotnet user-secrets
  • Roaming, so it will synch across profiles
  • BuildWebHost doesn’t do anything special to get secrets info
  • Configuration passed in to Startup (DI)
    • You can just ask it for secret, with [“xxx”]
  • In production
    • In Azure, have Azure key Vault
    • Can also create certificates
    • In application, you can specify Azure Key Value as a source of configuration
    • builder.AddAzureKeyValue (off .ConfigureAppConfiguration, in BuildWebHost
    • Register your app with Azure Key Vault–and perms, what can you do
    • Also supports versioning of secrets
  • What to put in Azure Key Vault
    • URL of SQL Server, web server URI
    • Connection strings
    • Secrets
  • You need secret to talk to key vault??
    • Yes, ID/Secret, hard-coded
    • OR create cert, associate with app in Azure App Services
  • You “compose” configuration
    • Settings come from various places

ASP.NET Identity

  • User management framework
  • Get bunch of stuff out of the box
  • Register
    • E-mail, password, Register button
  • Identity using EF, which uses migrations to ensure database is what you expect
  • You get Manage User feature
  • Authenticator app support
    • Little app on your phone to do 2-factor
  • Associate Google Authenticator app on phone to your application
  • Scan QR code with your phone, get #, enter that number
  • Also gives you recovery codes, for account recovery
    • You use one at a time and that code becomes invalid

Azure AD B2C

  • Create tenant, then go to that tenant
  • Register applications for that tenant
  • Identify providers
  • Can see users
  • Add to application (AD B2C)
    • New Project, Change Authentication
    • Individual user accounts – ASP.NET Identify
    • Individual user accounts, Connet to existing user store in the cloud
    • Add info for AD B2C, get domain name
    • Enter application ID
    • Reply URL–can default to localhost
    • Sign-up or Sign-in Policy–create one in Azure, give it name
      • Can have one or more policies for your application
      • E.g. E-mail sign-up
      • Application claims (in policy)
  • Run application that uses AD B2C
  • Login / signup, you go out to AD B2C page on Azure
    • E-mail verification code
    • Additional metadata fields, e.g. Job Title
  • User profiles in Azure, after they sign up

In code

  • User.Identities.First().Claims — a bunch of key/val pairs