Securing Microservices In: Securing Your First Microservice

The document discusses securing microservices in ASP.NET Core, beginning with an overview of token-based security for microservices using OAuth2 and OpenID Connect protocols with an identity service like IdentityServer4. It then covers accessing microservices on behalf of both the client application using the client credentials flow as well as on behalf of the user using the identity token to log users in and out of the client application.

Uploaded by cattaus

Securing Microservices in ASP.NET Core
Securing Your First Microservice

Kevin Dockx, Architect
@KevinDockx https://www.kevindockx.com

Coming Up
- Course prerequisites and tooling
- Inspecting the demo application
- Token-based security for microservices
- Accessing microservices
  - On behalf of the client application
  - On behalf of the user

Discussion tab on the course page
Twitter: @KevinDockx
(course shown is one of my other courses, not this one)

Building Microservices with ASP.NET Core
This course is part of a learning path on Pluralsight:
- Microservices: the big picture
- Getting started
- Microservices communication
- Securing microservices
- Data management
- Versioning
- Deploying microservices
- Cross-cutting concerns
- Scalability and availability
Course Prerequisites
- Good knowledge of C#
- Some knowledge of microservices in ASP.NET Core
- Some knowledge of OAuth2, OpenID Connect and IdentityServer4
Frameworks and Tooling
- .NET Core 3.1
- Visual Studio 2019 v16.4 or better, Visual Studio Code, Visual Studio for Mac, or JetBrains Rider

Exercise files tab on the course page
(course shown is one of my other courses, not this one)

Inspecting the GloboTicket Demo Application
[Diagram: the GloboTicket client calls the Event catalog, Shopping basket, Discount and Order microservices]

Inspecting the GloboTicket Demo Application
The GloboTicket application as used in the learning path potentially contains additional microservices
- With our current set of microservices we can cover all security scenarios

Demo
Getting started with the GloboTicket demo application
Token-based Security for Microservices
Multiple approaches to microservices architecture security exist
- From quick & simple to complicated but best-of-class
Microservices architectures exist with or without an API gateway, with or without a BFF, with or without a bus, …
- These choices have an impact on what’s possible, security-wise
Token-based Security for Microservices
[Diagram: the GloboTicket client calls the Event catalog, Shopping basket, Discount and Order microservices; the Order microservice is left out of the diagrams that follow]

Token-based Security for Microservices
We need a service that can generate tokens for us
- Tokens that provide access on behalf of a client application
- Tokens that provide access on behalf of a user
Identity service / identity provider

Token-based Security for Microservices
We don’t want to reinvent the wheel
- OAuth2 and OpenID Connect are proven and tested protocols

OAuth2
OAuth2 is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications

Introducing OAuth2
OAuth2 defines an access token
- A client application can request such an access token to gain access to an API / microservice
- It thus defines how a client application can securely achieve authorization
The access token does not have a notion of the user
OpenID Connect
OpenID Connect is a simple identity layer on top of the OAuth2 protocol

Introducing OpenID Connect
OpenID Connect defines an identity token
- A client application can request an identity token (next to an access token) and use it to sign in to the client application
- The access token can be used to access an API / microservice
The access token has a notion of the user

Choosing an Identity Provider
Azure AD, Ping, Okta, Auth0

IdentityServer4
- http://docs.identityserver.io/
IdentityServer4 is an OpenID Connect and OAuth2 framework for ASP.NET Core
- De facto standard in the .NET Core world

Standardization is key
Everything we’ll implement will be according to existing, proven and tested standards
GloboTicket with Identity Service
[Diagram: an Identity service is added next to the Event catalog, Shopping basket and Discount microservices called by the GloboTicket client]

Demo
Inspecting an identity service

Accessing a Microservice on Behalf of the Client
[Diagram: the GloboTicket client obtains a token { aud: “globoticket” } from the Identity service and presents it to the Event catalog, Shopping basket and Discount microservices]

Client Credentials Flow
- GloboTicket client → Identity service (token endpoint): client auth with clientid, clientsecret
- Identity service: credentials are validated
- Identity service → GloboTicket client: access_token
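The client credentials exchange shown above, as an added example that is not the course's own code: the GloboTicket client authenticates to the token endpoint with its clientid and clientsecret, receives an access_token, and sends it as a Bearer token to a microservice. It uses the IdentityModel client library; the addresses, client id, scope and method names are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class ClientCredentialsExample
{
    public static async Task<string> GetEventsAsClientAsync()
    {
        using var identityClient = new HttpClient();

        // 1. Discover the token endpoint from the identity service's metadata document.
        var disco = await identityClient.GetDiscoveryDocumentAsync("https://localhost:5010"); // assumed address
        if (disco.IsError) throw new Exception(disco.Error);

        // 2. Client auth: clientid + clientsecret go to the token endpoint; no user is involved,
        //    so the resulting token has no "sub" claim, only the audience it was issued for.
        var tokenResponse = await identityClient.RequestClientCredentialsTokenAsync(
            new ClientCredentialsTokenRequest
            {
                Address = disco.TokenEndpoint,
                ClientId = "globoticket",                     // assumed client id
                ClientSecret = "<client-secret-from-config>", // placeholder: load from secure configuration
                Scope = "globoticket.fullaccess"              // assumed scope
            });
        if (tokenResponse.IsError) throw new Exception(tokenResponse.Error);

        // 3. Call the Event catalog microservice with the access token as a Bearer token
        //    in the Authorization header; the microservice validates it (audience included).
        using var apiClient = new HttpClient();
        apiClient.SetBearerToken(tokenResponse.AccessToken);
        var response = await apiClient.GetAsync("https://localhost:5000/api/events"); // assumed address
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```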

Demo
Blocking access to a microservice
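The microservice side of the demo, as an added example rather than the course's code: the JwtBearer middleware only accepts tokens issued by the identity service that carry the expected audience value, so a token minted for another API is rejected here. The authority address is an assumption; "globoticket" is the audience used in the slides.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Accept only JWTs issued by our identity service that carry the expected "aud" claim.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://localhost:5010"; // assumed identity service address
                options.Audience = "globoticket";             // the aud value the token must contain
                // Issuer, signature and lifetime are validated by default; the audience check is
                // what stops a token meant for a different API from being replayed against this one.
                options.TokenValidationParameters.ValidateAudience = true;
            });

        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // validates the Bearer token on every request
        app.UseAuthorization();  // enforces the authorization requirement on endpoints

        // Every controller endpoint requires an authenticated caller; unauthenticated
        // requests get 401, requests with a wrong-audience token are rejected as well.
        app.UseEndpoints(endpoints => endpoints.MapControllers().RequireAuthorization());
    }
}
```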

Demo
Accessing a microservice on behalf of the client application

Using the Identity Microservice to Log In
More often than not, applications (clients and APIs) need to know who the user is
For client applications, that information is delivered in an identity token as proof of identity
- Used to log in
- “sub” claim defines the user
Authentication with an Identity Token
- GloboTicket client: create code_verifier; hash it (SHA256) to get the code_challenge
- GloboTicket client → Identity service (authorization endpoint): authentication request + code_challenge
- Identity service: store code_challenge; user authenticates (user gives consent)
- Identity service → GloboTicket client: code
- GloboTicket client → Identity service (token endpoint): token request (code, clientid, clientsecret, code_verifier)
- Identity service: hash code_verifier, check if it matches the stored code_challenge
- Identity service → GloboTicket client: id_token
- GloboTicket client: token is validated
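How the GloboTicket client is wired to run the flow above and to log the user out again, as an added example that is not the course's code: the OpenID Connect handler drives the code flow with PKCE, the resulting identity token signs the user in via a cookie, and logout clears that cookie and ends the session at the identity service. The authority, client id and class names are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class ClientAuthenticationSetup
{
    public static void AddGloboTicketLogin(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // The local session lives in a cookie; a challenge redirects to the identity service.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://localhost:5010";          // assumed identity service address
            options.ClientId = "globoticketmvc";                   // assumed client id
            options.ClientSecret = "<client-secret-from-config>";  // placeholder: load from secure configuration
            options.ResponseType = "code";  // authorization code flow: only a code comes back via the browser
            options.UsePkce = true;         // handler creates code_verifier and sends its SHA256 code_challenge
            options.Scope.Add("openid");    // requests an identity token; "sub" identifies the user
            options.Scope.Add("profile");
            options.SaveTokens = true;      // keep id_token (needed for logout) and any access token
        });
    }
}

public class AccountController : Controller
{
    // Logging out: remove the local cookie, then end the session at the identity service.
    public async Task Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

With SaveTokens enabled, a later call on behalf of the user can read the stored access token with HttpContext.GetTokenAsync("access_token") and forward it as a Bearer token.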

Demo
Using the identity microservice to log in

Demo
Logging out
Accessing a Microservice on Behalf of the User
[Diagram: the Identity service issues the GloboTicket client a token { aud: “globoticket” } on behalf of the client and a token { aud: “globoticket”, sub: “12ka-eia…” } on behalf of the user; both are presented to the Event catalog, Shopping basket and Discount microservices]
Authorization with an Access Token
- GloboTicket client: create code_verifier; hash it (SHA256) to get the code_challenge
- GloboTicket client → Identity service (authorization endpoint): authentication request + code_challenge
- Identity service: store code_challenge; user authenticates (user gives consent)
- Identity service → GloboTicket client: code
- GloboTicket client → Identity service (token endpoint): token request (code, clientid, clientsecret, code_verifier)
- Identity service: hash code_verifier, check if it matches the stored code_challenge
- Identity service → GloboTicket client: id_token + access_token
- GloboTicket client: tokens are validated
- GloboTicket client → Microservices: access_token (as Bearer token in Authorization header)
- Microservices: access token is validated
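The code_verifier / code_challenge steps that both flow diagrams share (authentication with an identity token, authorization with an access token), as an added example and not the course's code: the client-side derivation and the check the identity service performs on the token request. Base64url encoding without padding follows RFC 7636; the class and method names are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PkceExample
{
    // Client side: a high-entropy random code_verifier (32 random bytes gives 43 base64url chars).
    public static string CreateCodeVerifier()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Base64UrlEncode(bytes);
    }

    // Client side: code_challenge = BASE64URL(SHA256(code_verifier)), sent with the authentication
    // request. Only the hash crosses the browser, so an intercepted code cannot be redeemed.
    public static string CreateCodeChallenge(string codeVerifier)
    {
        using var sha256 = SHA256.Create();
        return Base64UrlEncode(sha256.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));
    }

    // Identity service side: hash the code_verifier from the token request and compare it with the
    // code_challenge stored at the authorization endpoint; a mismatch means the code is not redeemed.
    public static bool VerifierMatchesStoredChallenge(string codeVerifier, string storedCodeChallenge)
    {
        var expected = Encoding.ASCII.GetBytes(CreateCodeChallenge(codeVerifier));
        var stored = Encoding.ASCII.GetBytes(storedCodeChallenge);
        // Constant-time comparison; differing lengths simply return false.
        return CryptographicOperations.FixedTimeEquals(expected, stored);
    }

    private static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```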

Demo
Accessing a microservice on behalf of the user

Summary
Use token-based security to secure your microservices
- OAuth2, OpenID Connect
The microservice should check the incoming token for an audience value
- JwtBearerAuthentication middleware
Use the client credentials flow to
- Get an access token to access a microservice on behalf of the client
Use the code flow with PKCE protection to
- Sign in to the client application with an identity token
- Get an access token to access a microservice on behalf of the user
