ASP.NET Core Securing APIs

Part 1 see: https://github.com/damienbod/aspnetcore-standup-authn-authz

Protecting APIs Authorization Overview
- An overview
- Delegated APIs (UI authentication)
- Application APIs (no user)
- On behalf of flow
- OAuth 2.0 Token Exchange OIDC Downstream API
- APIs protected with Client/server certificate authentication
- Client binding, MTLS, DPOP, FAPI
Azure Continuous access & continuous access evaluation protected APIs
General API security topics
- Mixing auth, no auth APIs in an application
- Using Swagger with protected APIs
- Using multiple IDPs in an API service
- Mixing UIs and APIs in an application
- SignalR, web sockets
- Testing secure APIs
- Securing Web hooks
Legacy auth, unsecure flows, using network security
Proxies

Protecting APIs Authorization Overview

About tokens

JWT access tokens
Introspection (Stateful)
Cookies
Client/server certificate authentication
User access tokens versus application access tokens

Delegated APIs (UI authentication)

API security using JWT access tokens
- No logout possible
API security using introspection
- Logout with the revocation endpoint
API security using cookies
- BFF Backend for frontend
- Reverse proxy

Application APIs (no user)

OAuth2 Resource Owner Credentials Flow
Microsoft Identity Platform

On behalf of flow

OAuth 2.0 Token Exchange

OIDC with Downstream API

APIs protected with Client/server certificate authentication

Certificate authentication

Client binding, MTLS, DPOP, FAPI

MTLS
Securing APIs using ASP.NET Core and OAuth 2.0 DPoP
FAPI

Azure Continuous access & continuous access evaluation protected APIs

CA & CAE

General API security topics

Mixing auth, no auth APIs in an application

Mixing auth, no auth APIs

Using Swagger with protected APIs

Swagger with tokens

Using multiple IDPs in an API service

Mixing UIs and APIs in an application

Mixing UI with API

SignalR, web sockets

Web sockets protected with cookies
Web sockets protected with tokens

Testing secure APIs

Testing application APIs
Testing delegated APIs
- UI test tools

Securing Web hooks

Legacy, unsecure flows, using network security

What about shared access signature (SAS) tokens?
What about username & password to get an access token?
Firewalls, HTTPS termination?

Proxies

Yarp Reverse Proxy
dev Proxies
Gateways

Examples identity provider clients:

OIDC clients

OpenIddict with Razor Pages, Blazor WASM BFF and Angular OpenID Connect Code Flow with PKCE clients and ASP.NET Core APIs

https://github.com/damienbod/AspNetCoreOpeniddict

Differrent ASP.NET Core applications using OpenID Connect Hybrid flow Code Flow, Code Flow with PKCE, JWT APIs, Device Code flow. Force ASP.NET Core OpenID Connect client to require MFA. Send MFA signin requirement to OpenID Connect server using ASP.NET Core Identity and IdentityServer4. Requiring MFA for Admin Pages in an ASP.NET Core Identity application. Require user password verification with ASP.NET Core Identity to access Razor Page

https://github.com/damienbod/AspNetCoreHybridFlowWithApi

Auth0 with Angular and an ASP.NET Core API

https://github.com/damienbod/Auth0AngularAspNetCoreApi

Securing Blazor Web assembly using Cookies and Auth0, securing multiple Auth0 APIs in ASP.NET Core using OAuth Bearer tokens, securing OAuth Bearer tokens from multiple Identity Providers in an ASP.NET Core API

https://github.com/damienbod/SeparatingApisPerSecurityLevel

Securing an ASP.NET Core API which uses multiple access tokens, securing a Web API using multiple token servers

https://github.com/damienbod/ApiJwtWithTwoSts

Azure AD, Azure AD B2C clients, Continuous Access

Azure samples: ASP.NET Core Web App which lets sign-in users (including in your org, many orgs, orgs + personal accounts, sovereign clouds) and call Web APIs (including Microsoft Graph)

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/

Azure AD flows using ASP.NET Core and Microsoft.Identity for user, application aunthentication, authorization.

https://github.com/damienbod/AzureADAuthRazorUiServiceApiCertificate

Examples of implementing UIs, APIs using Azure AD as the token server with Angular, ASP.NET Core clients

https://github.com/damienbod/AzureAD-Auth-MyUI-with-MyAPI

Azure AD Continuous Access in an ASP.NET Core Razor Page app using a Web API, Azure AD Continuous Access (CA) step up with ASP.NET Core Blazor using a Web API, Azure AD Continuous Access (CA) standalone with Blazor ASP.NET Core, Force MFA in Blazor using Azure AD and Continuous Access

https://github.com/damienbod/AspNetCoreAzureADCAE

Securing ASP.NET Core Razor, Web APIs with Azure B2C external and Azure AD internal identities. Using Azure security groups in ASP.NET Core with an Azure B2C Identity Provider. Create Azure B2C users with Microsoft Graph and ASP.NET Core. Transforming identity claims in ASP.NET Core and Cache. Onboarding new users in an ASP.NET Core application using Azure B2C. Using multiple Azure B2C user flows from ASP.NET Core

https://github.com/damienbod/azureb2c-fed-azuread

PWA with Blazor Backend for frontend (BFF) and Azure B2C

https://github.com/damienbod/PwaBlazorBffAzureB2C

Add extra claims to an Azure B2C user flow using API connectors and ASP.NET Core. Implement certificate authentication in ASP.NET Core for an Azure B2C API connector

https://github.com/damienbod/AspNetCoreB2cExtraClaims