Identity Server ha sido durante mucho tiempo el framework para OpenIdConnect y OAuth 2 más utilizado en el ámbito de .NET. Usándolo conectábamos de modo seguro front y back, conseguíamos Single Sign-On y en general manejábamos aspectos relativos a la seguridad de nuestras aplicaciones. Pero nada es eterno, y en Octubre de 2020, desde Duende Software, fundada por los mantainers de Identity Server anunciaban que el soporte se acabaría junto al de .NET Core 3.1 ¡Y eso se acerca! En noviembre de 2022 dejará de mantenerse, y por tanto dejaremos de recibir actualizaciones de seguridad. ¿Qué opciones tenemos? Veremos algunas de ellas, entre las que están otros paquetes open source y soluciones que Microsoft nos ofrece en Azure, como Azure AD B2C.

1. #GlobalAzure
May 5th – 7th,2022

3. #GlobalAzure
#GlobaAzureSpain

4. What happened?
OAuth 2 & OpenId Connect
Other libraries and frameworks
Azure to the rescue

5. #GlobalAzure
#GlobaAzureSpain
What happened?

6. ASP.NET Core Framework that helps us to incorporate following features to our
applications:
 Token-based authentication
 Single-sign-on
 Api access control
 Federation gateway (Support for external identity providers like Azure Active Directory, Google,
Facebook, etc…)

7. https://leastprivilege.com/2020/10/01/the-future-of-identityserver/
The “salseo”
3 years => 60k$
 Duende Software is founded (https://duendesoftware.com)
 IdentityServer 4 will be rebranded as Duende IdentityServer.
Duende IdentityServer will contain all new feature work and will
target .NET Core 3.1 and .NET 5 (and all versions beyond)

10. The question

11. #GlobalAzure
#GlobaAzureSpain
OAuth 2 & OpenId Connect

12. OAuth 2.0 is the industry-standard protocol for authorization (RFC 6749)
Grant types:
 Authorization code (common user flow for confidential and public clients)
 Client credentials (machine to machine)
 Device code (Apple Tv, Playstation, etc…)
Extensions:
 PKCE. Extension for authorization code to prevent CSRF and injection attacks
 Refresh tokens
Grants allow you to get an Access token that will allow you to invoke a protected resource (API for
example)
https://oauth.net/2/

13.  For confidential clients
 There is no end-user participating
 Usually for “Machine to machine”

14.  For both confidential and public clients
 Token does not represent an user
 The common flow you all know

16. Legacy grant types:
 Implicit flow Authorization code
 Password grant (resource owner)

17.  OAuth 2 issues an access token to access protected resources
 OpenId Connect is an identity layer on top of the OAuth2 protocol.
 Issues an extra token to the client application, called the identity token. This token contains
user profile information which can be used by client applications to identify the end-user.
It's wise to keep your tokens small. Therefore, the OpenID Connect protocol offers the possibility to
expose an userinfo endpoint from which clients can retrieve extra information about the end-user
which is not stored in the identity token

18. #GlobalAzure
#GlobaAzureSpain
Other libraries and
frameworks

19. ASP.NET Core Framework that helps us to incorporate following features to our
applications:
 Token-based authentication
 Single-sign-on
 Api access control
 Federation gateway (Support for external identity providers like Azure Active Directory, Google,
Facebook, etc…)

21. #GlobalAzure
#GlobaAzureSpain
Azure to the rescue

22. Is a customer identity access management (CIAM) solution that helps you
to incorporate following features to our applications:
 Token-based authentication
 Single-sign-on
 Api access control
 Federation gateway (Support for external identity providers like Azure Active
Directory, Google, Facebook, etc…)
Features:
 Managed service build on same technology than Azure AD
 Takes care of the scaling
 Handles threats like denial-of-service, password spray, or brute force attacks
 Fully customizable flows
 Custom-branded identity solution

24. https://mybuild.microsoft.com/en-US/home

25.  Custom policies
 Very complex
 Based on XML
“Azure AD B2C es mucho más de lo que
ves en el portal”
Unai
https://github.com/azure-ad-b2c/Gaining-expertise-with-Azure-AD-B2C/blob/main/policies/Module7/SignUpOrSigninUsingSalesforceAndGoogle.xml

27. • Make a decision before others force you to make
it
• Stop writing your own user
authentication/authorization code
• Use well known standard protocols
• Know them in depth

29. https://docs.microsoft.com/es-es/azure/active-directory-b2c/
Solutions and training:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/solution-articles
https://app.pluralsight.com/library/courses/developing-azure-active-directory-b2c-applications
Custom policies:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-overview