Securing Microservices in ASP.NET Core
SECURING YOUR FIRST MICROSERVICE
Kevin Dockx
ARCHITECT
@KevinDockx https://www.kevindockx.com
Coming Up
- Course prerequisites and tooling
- Inspecting the demo application
- Token-based security for microservices
- Accessing microservices
  - On behalf of the client application
  - On behalf of the user
Discussion tab on the course page
Twitter: @KevinDockx
(course shown is one of my other courses, not this one)
Course Prerequisites
- Good knowledge of C#
- Some knowledge of microservices in ASP.NET Core
Building Microservices with ASP.NET Core
This course is part of a learning path on Pluralsight:
- Microservices: the big picture
- Microservices communication
- Getting started
- Securing microservices
- Data management
- Versioning
- Deploying microservices
- Cross-cutting concerns
- Scalability and availability
Course Prerequisites
- Good knowledge of C#
- Some knowledge of microservices in ASP.NET Core
- Some knowledge of OAuth2, OpenID Connect and IdentityServer4
Frameworks and Tooling
- .NET Core 3.1
- Visual Studio 2019 v16.4 or better, Visual Studio Code, Visual Studio for Mac or JetBrains Rider
Exercise files tab on the course page
(course shown is one of my other courses, not this one)
Inspecting the GloboTicket Demo Application
(diagram: the GloboTicket client and the Event catalog, Shopping basket, Discount and Order microservices)
Inspecting the GloboTicket Demo Application
The GloboTicket application as used in the path potentially contains additional microservices
- With our current set of microservices we can cover all security scenarios
Demo
Getting started with the GloboTicket demo application
Token-based Security for Microservices
Multiple approaches to microservices architecture security exist
- From quick & simple to complicated but best-of-class
Microservices architectures exist with or without an API gateway, with or without a BFF, with or without a bus, …
- These choices have an impact on what’s possible, security-wise
Token-based Security for Microservices
(diagram: the GloboTicket client and the Event catalog, Shopping basket, Discount and Order microservices; the next slide shows the same set without the Order microservice)
Token-based Security for Microservices
We need a service that can generate tokens for us
- Tokens that provide access on behalf of a client application
- Tokens that provide access on behalf of a user
Identity service / identity provider
Token-based Security for Microservices
We don’t want to reinvent the wheel
- OAuth2 and OpenID Connect are proven and tested protocols
OAuth2
OAuth2 is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications
Introducing OAuth2
OAuth2 defines an access token
- A client application can request such an access token to gain access to an API / microservice
- It thus defines how a client application can securely achieve authorization
The access token does not have a notion of the user
OpenID Connect
OpenID Connect is a simple identity layer on top of the OAuth2 protocol
Introducing OpenID Connect
OpenID Connect defines an identity token
- A client application can request an identity token (next to an access token) and use it to sign in to the client application
- The access token can be used to access an API / microservice
The access token has a notion of the user
Choosing an Identity Provider
- Azure AD, Ping, Okta, Auth0
IdentityServer4
IdentityServer4 is an OpenID Connect and OAuth2 framework for ASP.NET Core
- http://docs.identityserver.io/
- De facto standard in the .NET Core world
Standardization is key
Everything we’ll implement will be according to existing, proven and tested standards
GloboTicket with Identity Service
(diagram: an Identity service added next to the GloboTicket client and the Event catalog, Shopping basket and Discount microservices)
Demo
Inspecting an identity service
Accessing a Microservice on Behalf of the Client
(diagram: the Identity service issues a token { aud: “globoticket” } to the GloboTicket client, which uses it to call the Event catalog; the Shopping basket and Discount microservices are shown alongside)
Client Credentials Flow
- GloboTicket client -> Identity service (token endpoint): client auth with clientid, clientsecret
- Identity service: credentials are validated
- Identity service -> GloboTicket client: access_token
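The client credentials exchange above and the audience check the receiving microservice performs on the { aud: “globoticket” } token, as an added C# example (not the course's own code). It assumes IdentityServer4's /connect/token endpoint at https://localhost:5010, the event catalog API at https://localhost:5000, and a hypothetical client id "globoticketclient" and scope "globoticket.fullaccess".

```csharp
// Added example, not the course's code; URLs, client id and scope are hypothetical
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;                            // NuGet: IdentityModel
using Microsoft.AspNetCore.Authentication.JwtBearer;   // NuGet: Microsoft.AspNetCore.Authentication.JwtBearer
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
// Microservice side (event catalog Startup.cs): validate the incoming Bearer token
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer and signing keys are read from the identity service's discovery document
                options.Authority = "https://localhost:5010";
                // Reject any token whose "aud" claim is not this API
                options.Audience = "globoticket";
            });
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // checks signature, issuer, lifetime and audience
        app.UseAuthorization();    // enforces [Authorize] on controllers: no valid token, no access
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
// Client side: client credentials flow against the token endpoint, then call the API
public static class EventCatalogClient
{
    public static async Task<string> GetEventsAsync(HttpClient client, string clientSecret)
    {
        var tokenResponse = await client.RequestClientCredentialsTokenAsync(
            new ClientCredentialsTokenRequest
            {
                Address = "https://localhost:5010/connect/token",   // IdentityServer4 token endpoint
                ClientId = "globoticketclient",                     // hypothetical client id
                ClientSecret = clientSecret,                        // from configuration, not source code
                Scope = "globoticket.fullaccess"                    // hypothetical scope for the API
            });
        if (tokenResponse.IsError) throw new InvalidOperationException(tokenResponse.Error);
        client.SetBearerToken(tokenResponse.AccessToken);   // Authorization: Bearer <access_token>
        return await client.GetStringAsync("https://localhost:5000/api/event");
    }
}
```

A request without a token, or with a token issued for another audience, is rejected by the middleware before any controller code runs.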
Demo
Blocking access to a microservice
Demo
Accessing a microservice on behalf of the client application
Using the Identity Microservice to Log In
More often than not, applications (clients and APIs) need to know who the user is
For client applications, that information is delivered in an identity token as proof of identity
- Used to log in
- “sub” claim defines the user
Authentication with an Identity Token
- GloboTicket client: create code_verifier, hash it (SHA256) to get code_challenge
- GloboTicket client -> Identity service (authorization endpoint): authentication request + code_challenge
- Identity service: store code_challenge; user authenticates (user gives consent)
- Identity service -> GloboTicket client: code
- GloboTicket client -> Identity service (token endpoint): token request (code, clientid, clientsecret, code_verifier)
- Identity service: hash code_verifier, check if it matches the stored code_challenge
- Identity service -> GloboTicket client: id_token
- GloboTicket client: token is validated
Demo
Using the identity microservice to log in
Demo
Logging out
Accessing a Microservice on Behalf of the User
(diagram: the Identity service issues tokens { aud: “globoticket” } and { aud: “globoticket”, sub: “12ka-eia…” }; the GloboTicket client calls the Event catalog, with the Shopping basket and Discount microservices shown alongside)
Authorization with an Access Token
- GloboTicket client: create code_verifier, hash it (SHA256) to get code_challenge
- GloboTicket client -> Identity service (authorization endpoint): authentication request + code_challenge
- Identity service: store code_challenge; user authenticates (user gives consent)
- Identity service -> GloboTicket client: code
- GloboTicket client -> Identity service (token endpoint): token request (code, clientid, clientsecret, code_verifier)
- Identity service: hash code_verifier, check if it matches the stored code_challenge
- Identity service -> GloboTicket client: id_token + access_token
- GloboTicket client: token is validated
- GloboTicket client -> Microservice: access_token (as Bearer token in Authorization header)
- Microservice: access token is validated
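The code_verifier / code_challenge steps that appear in both the identity-token and the access-token sequences above, as an added C# example following RFC 7636 (S256); this is not the course's or IdentityServer4's code. The function names are mine, and the identity-service side is reduced to the hash-and-compare step the diagrams show.

```csharp
// Added example, not the course's own code: the PKCE steps from the diagrams above
// (RFC 7636, S256). Client and identity-service sides are shown together for illustration.
using System;
using System.Security.Cryptography;
using System.Text;

public static class Pkce
{
    // base64url per RFC 7636: no padding, '+' -> '-', '/' -> '_'
    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    // Client: cryptographically random code_verifier (32 bytes -> 43 characters)
    public static string CreateCodeVerifier()
    {
        var bytes = new byte[32];
        using var rng = RandomNumberGenerator.Create();
        rng.GetBytes(bytes);
        return Base64Url(bytes);
    }
    // Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))); only the
    // challenge goes to the authorization endpoint, the verifier stays with the client
    public static string CreateCodeChallenge(string codeVerifier)
    {
        using var sha256 = SHA256.Create();
        return Base64Url(sha256.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));
    }
    // Identity service (token endpoint): hash the code_verifier from the token request
    // and check it against the code_challenge stored when the code was issued
    public static bool VerifierMatches(string storedChallenge, string codeVerifier)
    {
        if (codeVerifier is null || codeVerifier.Length < 43 || codeVerifier.Length > 128)
            return false;   // RFC 7636: 43..128 unreserved characters
        var recomputed = Encoding.ASCII.GetBytes(CreateCodeChallenge(codeVerifier));
        var stored = Encoding.ASCII.GetBytes(storedChallenge ?? string.Empty);
        return CryptographicOperations.FixedTimeEquals(recomputed, stored);   // no timing leak
    }
}
public static class PkceDemo
{
    public static void Main()
    {
        var verifier = Pkce.CreateCodeVerifier();            // kept by the client
        var challenge = Pkce.CreateCodeChallenge(verifier);  // sent with the authentication request
        // A token request carrying the original verifier passes the check; one that
        // cannot present it (here: a different verifier) is rejected
        Console.WriteLine(Pkce.VerifierMatches(challenge, verifier));
        Console.WriteLine(Pkce.VerifierMatches(challenge, Pkce.CreateCodeVerifier()));
    }
}
```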
Demo
Accessing a microservice on behalf of the user
Summary
- Use token-based security to secure your microservices
  - OAuth2, OpenID Connect
- The microservice should check the incoming token for an audience value
  - JwtBearerAuthentication middleware
Summary
- Use the client credentials flow to
  - Get an access token to access a microservice on behalf of the client
- Use the code flow with PKCE protection to
  - Sign in to the client application with an identity token
  - Get an access token to access a microservice on behalf of the user