@rustd
Last active August 29, 2015 13:57
Information about ASP.NET Identity & Security

In Visual Studio 2013 we revamped the membership and authentication system for ASP.NET web developers.

We added ASP.NET Identity, which is a modern membership system for ASP.NET applications. It includes features such as Two-Factor Authentication, which is becoming a common practice for securing web applications. For more information on why we created ASP.NET Identity, please read http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity

As part of Microsoft OWIN Components (Katana), we also added support for OWIN and added OWIN middleware such as OWIN Cookies (and more), which replaces the FormsAuthentication module. Moving to an OWIN-compliant framework will allow us to build apps which are more flexible, portable, and lightweight, and which provide better performance. For more information please read http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana

We are in the process of adding documentation for these changes, but we do realize that documenting everything around these changes is a huge task, and if we were to do it alone it would take us a long time before we could add documentation for everything.

We're asking for your feedback to help validate and prioritize the document list. We also welcome any contributions and will determine a way to accept them or reference them from the official locations at a later date so that all our customers can benefit.

Action Items

  • Give feedback around other areas/ scenarios related to securing web applications that you need more information on.
  • Add a link to your favorite security article that you have found useful while building your application. This can be an article that explains an idea or provides detailed information on how to secure your web application.
  • Add a link to an existing article that might already cover these areas.

Follow ups

  • Once we have a list of areas/ scenarios, I would like to solicit the experts to help us write the docs. I do appreciate your input and help in getting more information out for everyone to use.

- **Overview of authentication**
	- What are the different authentication options such as Windows/ FormsAuth/ Organization Accounts etc. and which one should I use?

- **ASP.NET Identity Overview and Basics**
	- What is Identity and why do I need it?
		- Unit Testing
	- Core concepts
		- UserManager
		- UserStore
	- Create Users
		- Do Validation
		- Add Profile data
	- Create Roles
	- Database
		- Where it is
		- Customize tables
		- How is EF Used

- **Local Logins**
    - How do I log in by creating a username and password?
    - Create User and SignIn
        - ClaimsIdentity
        - OWIN cookies middleware
            - Configuration of OWIN cookies
    - Assign User To Roles
        - Roles as Claims

- **Social Logins**
    - How do I log in with social providers such as Facebook, Google, Microsoft Account etc.?
    - Add Social Login such as Facebook
    - OWIN Facebook middleware
    - External Cookies
    - Challenge concept
        - Active vs Passive middleware
    - Associate a user with different logins
        - A user can add or remove a login
    - Customize the Facebook button
    - Get more data from Facebook such as Friends pics
    - Protect against XSRF
        - For Form posts
        - For ExternalLoginCookie

- **ASP.NET Identity Entity Framework Extensibility & Extending UserStore**
    - Using Identity DbContext
    - Plug in your own DbContext
    - Plug in your own POCO classes for User
    - Use the PK of your own choice
    - Plug in an existing database into Identity
        - Migrating from Custom Membership provider to Identity

- **ASP.NET Identity Storage persistence & Customization**
	- Overview of Identity infrastructure
		- Optional interfaces
	- Write your own Custom storage providers
		- Storing Roles as Claims in the Claims Table

- **Security concerns overview/ Guidelines**
    - Password complexity
    - Password Hashing
        - Pluggable
    - Account Lockout
    - Storing Question & Answer
    - Password policies
    - XSRF checks
    - SQL Injection
    - XSS checks

- **Account Confirmation/ Password Reset/ Single SignOut From everywhere**
	- Security Token provider
	- CookieValidatorProvider
	- Implement Account Confirmation
	- How are account confirmation tokens managed and how to configure them
	- Create Users which are not confirmed

- **Two-Factor Authentication**
    - What it is and what is the flow
    - How do I configure the services such as SMS/ emails?
    - How are the tokens generated and how long are they valid for?
    - Use of Account Lockout
        - Admins have Account Lockout disabled

- **Securing ASP.NET Web API**
    - OAuth Server
    - Managing Tokens
    - Authentication Filters
    - Building a connected application which works on Windows Phone App, Windows Store App and Web Application
    - Getting Facebook Access Token and storing it

- **Migrating membership data**
	- Migrating from Membership providers (SQL/ Universal) to Identity
	- Migrating from Simple Membership provider to Identity
	- Migrating from Custom Membership provider to Identity
	- Supported Matrix
		- .NET 4.5 is the minimum FX required.
		- Use ASP.NET Identity with MVC 4

- **Identity Guidelines**
    - Dos
        - UserManager Factory
        - RoleManager Factory
        - DbContext Factory
        - Use IdentityDbContext
    - Don'ts

- **Web Administration**
    - Create/ Edit/ Delete Users
    - Create/ Edit/ Delete Roles
    - Add/ Remove Users From Roles
    - See the list of Registered Logins for the User
    - Enable/ Disable 2FA for the user
    - Enable/ Disable Account Lockout

- **Microsoft OWIN Components (Katana)**
    - What is OWIN?
    - What is Microsoft OWIN Components (Katana)?
    - What are the Katana components?
    - What is an OWIN Middleware and how do I use it?

- **Authorization**
    - Authorizing using Roles
    - Implementing Groups and permissions using Roles

- **Organizational Accounts**
    - Building Web apps using Single Sign On Using Windows Azure Active Directory
    - Building Web APIs using Single Sign On Using Windows Azure Active Directory
    - Building SaaS (Software as a Service) apps Using Windows Azure Active Directory
    - Building Web apps and Web APIs Using On Premises Active Directory

- **Miscellaneous**
    - Unit Testing your application code using ASP.NET Identity
    - Show how to secure ASP.NET MVC and Web API in the same application
    - Moving from Membership to Identity
        - How did you create Users/ Roles in Membership and how do you do it in Identity?
    - Moving from FormsAuthentication module to OWIN cookie
        - How did you generate a cookie using FormsAuthentication module and how do you do it using OWIN cookies?

rustd commented Mar 10, 2014

Thank you for the feedback and for writing the blog posts, Ben!!!
