OAuth is Not User Authorization

30 November 2020 OAuth

In the same way that OAuth is not authentication, it also does not tell us what the user is allowed to do or represent that the user can access a protected resource (an API).

Understanding what OAuth is not is just as important as knowing what it is, in order to use it effectively. In this article, I’m going to discuss how OAuth does not include user authorization and why user authorization rules should not live within your OAuth authorization server.

TL;DR: OAuth is not suitable for user authorization. The fact that you have an access token that allows you to act on the user’s behalf does not mean that the user can perform an action.

Continue reading...

XChaCha20-Poly1305: A Primer with Examples in .NET

11 October 2020 C#

As part of my work with ScottBrady.IdentityModel, I’ve had the chance to play with XChaCha20-Poly1305. Despite sounding a bit silly and being a pain to type, XChaCha20-Poly1305 is a useful symmetric encryption algorithm that offers an alternative to the AES we know and love.

In this article, I am going to give a high-level overview of ChaCha20, Poly1305, and XChaCha20-Poly1305. This will include some code samples using a libsodium implementation in .NET, and a silly “rolling your own” implementation to help demonstrate the differences between ChaCha20-Poly1305 and XChaCha20-Poly1305.

Continue reading...

PEM Loading in .NET Core and .NET 5

21 September 2020 C#

PEM is a file format that typically contains a certificate or private/public keys. PEM files have had patchy support in Windows and .NET but are the norm for other platforms. However, starting with .NET 5, .NET now has out of the box support for parsing certificates and keys from PEM files.

This article will show you how to manually load a PEM file in .NET Core 3.1 (the old way) and how to do the same using the new .NET 5 APIs.You’ll also see how to use PEM certificates for Kestrel TLS.

Continue reading...

Recording: Let's stop blaming our users for getting hacked when it is our problem to solve

20 August 2020 FIDO

This year, I had the pleasure of (virtually) speaking at NDC Oslo. While it would have been great to present at the Oslo Spectrum, I still got the chance to talk about my recent work with FIDO2 and WebAuthn, which resulted in the creation of FIDO2 for ASP.NET.

If you want to learn more about how user authentication works on the web and how I think FIDO2 is going to be the solution to many of our issues, then check out my talk below.

Continue reading...

JWTs: Which Signing Algorithm Should I Use?

18 August 2020 JOSE

JSON Web Tokens (JWTs) can be signed using many different algorithms: RS256, PS512, ES384, HS1; you can see why some developers scratch their heads when asked which one they would like to use.

In my experience, many of the mainstream identity providers have historically only offered RS256 or at least defaulted to it. However, thanks to initiatives such as Open Banking, these identity providers are now expanding their support to cover more signing algorithms, which means you will need to start understanding which ones to use.

Continue reading...

Creating RSA Keys using OpenSSL

05 August 2020 OpenSSL

Creating a private key for token signing doesn’t need to be a mystery. Recently, I wrote about using OpenSSL to create keys suitable for Elliptical Curve Cryptography (ECC), and in this article, I am going to show you how to do the same for RSA private and public keys, suitable for signature generation with RSASSA-PKCS1-v1_5 and RSASSA-PSS.

Continue reading...

OAuth Security Workshop 2020

30 July 2020 OAuth

Last week, I attended the 5th OAuth Security Workshop (OSW), a workshop where people working with OAuth can meet up and talk about anything related to OAuth security for 3-4 days.

This was my first time attending the OSW, so I thought I would share a few of my highlights and help raise awareness of the event.

Continue reading...

Using ECDSA in IdentityServer4

22 July 2020 Identity Server

By default, IdentityServer4 uses RS256 to sign identity tokens and JWT access tokens; however, it does also support Elliptical Curve Cryptography (ECC). Using Elliptical Curve Digital Signing Algorithms (ECDSA) such as ES256 does have some benefits over RSA, such as shorter signature and smaller keys while providing the same level of security.

In this article, I am going to show you how to use ES256 to sign JWTs in IdentityServer4 and then how to use it alongside RS256 for backward compatibility. I contributed some of the code around ECDSA in IdentityServer4, so I figure it is time to write about it 🙂.

Continue reading...

Creating Elliptical Curve Keys using OpenSSL

20 July 2020 OpenSSL

Recently, I have been using OpenSSL to generate private keys and X509 certificates for Elliptical Curve Cryptography (ECC) and then using them in ASP.NET Core for token signing.

In this article, I’m going to show you how to use OpenSSL to generate private and public keys on the curve of your choice.

Continue reading...

Adding Tailwind Utility Classes to your Bootstrap Website

10 July 2020 General

Tailwind is a utility-first CSS framework that one of my colleagues has been advocating internally at Rock Solid Knowledge for some time. After using Bootstrap’s utility classes on my own website, I’m finally sold on the benefits of using utility classes for web design.

Bootstrap’s utility classes are relatively basic, and I soon became jealous of some of the utility classes found in Tailwind, especially the ability to prefix any utility class with a breakpoint name (e.g. md:w-3/4).

Continue reading...