Security
- XSRF or CSRF with Angular and Dot Net Core Web API
Turns out adding XSRF, CSRF, See-Surf or whatever we call it now to an Angular app with a .NET Core Web API is really easy. Angular is set up by convention to expect a cookie named XSRF-TOKEN.
- Open ID & OAUTH 2.0
I do security work often, but not often enough that I don't end up Googling many of the terms and concepts every time. Here is a list of the best articles as a quick go-to:
  - OAUTH-OPENID: YOU'RE BARKING UP THE WRONG TREE IF YOU THINK THEY'RE THE SAME THING
  - OpenID versus OAuth from the user's perspective
  - An introduction to OpenID Connect in ASP.NET Core
  - Creating your own OpenID Connect server with ASOS: introduction
- Quick SSL Certs For Local IIS Development
You can use selfssl from the IIS 6 Resource Kit to quickly add self-signed SSL certs for local development. When installing, select custom install and only install selfssl.exe. Then run the following command:
  selfssl /N:CN=site.local /V:9999 /T /S:2
CN is the hostname you want to register, /V is the validity period in days, /T adds the certificate to the trusted certificates list so the local browser accepts it, and /S is the IIS site ID the certificate is bound to.
- Create a self signed certificate with OpenSSL on Windows
First unzip OpenSSL from https://code.google.com/p/openssl-for-windows/downloads/list and put it anywhere you want, e.g. c:\openssl. Right click on c:\openssl\bin\openssl.exe and "run as administrator". At the OpenSSL prompt (the > below), enter the following command, where c:\openssl is the location you unzipped into:
  > req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem -config "C:\OpenSSL\openssl.cnf"
Country name and the other information isn't required, so you can keep pressing Enter. You should now have two files in the bin folder: key.pem (the private key, written unencrypted because of -nodes, so keep it out of source control) and cert.pem (the self-signed certificate, valid for 3650 days).
- IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'Bearer'.
Today I got the following message when trying to send the rawData of a JwtSecurityToken I had created manually: IDX10708: ‘System.IdentityModel.Tokens.JwtSecurityTokenHandler’ cannot read this string: ‘Bearer’. The problem was that the rawData portion of the JwtSecurityToken is not populated until the token has been validated. I ended up using the following solution to create and validate JWT Tokens.
- ADFS 3.0 WIF .NET 4.5 Cheat Sheet
After wrestling with ADFS 3.0 and WIF in .NET 4.5 I decided to create this cheat sheet to map the numerous mixed terms that exist between ADFS and WIF.

| ADFS | WIF (Authentication / Authorization) | Example | Notes |
|---|---|---|---|
| Identifier | Wtrealm (authentication) / Audience (authorization) | urn:servername | This can be anything as long as it is unique and not used anywhere else |
| Relying Party Endpoints | Wreply | https://localhost/testserver/ | This is the address of the server that wants to use ADFS for identity. Ensure you add the trailing / in Wreply; this is a bug in WIF |
| Service Endpoint | MetadataAddress | https://adfsserver/federationmetadata/2007-06/federationmetadata.xml | Contains the details that WIF will use to configure authentication. Without this file you would have to configure the server manually |
| Service Endpoint | Issuer | http://adfsserver/adfs/services/trust | |
- .NET MVC Windows Authentication
Turns out it is quite easy to allow your users to log on with their Active Directory usernames and passwords when you expose a .NET MVC application to the internet. Either select the following option from the new project menu: