I have a traditional ASP.NET app that I want to move to ASP.NET 5 (vNext). I am doing this as a learning exercise.
My current app uses Forms-based authentication. However, I would like to use OAuth. I was looking at the Security module and was curious what should be used for OAuth. I see an option for Microsoft.AspNet.Authentication.OAuth and Microsoft.AspNet.Authentication.OAuthBearer.
Which of these is used to let a user login?
Does anyone know of a sample/example showing these in action?
Microsoft.AspNet.Authentication.OAuth
Once your users are Authenticated by a 3rd party, the OWIN middle-ware reads their OAuth cookie and creates a domain specific Claims-based cookie. So long as the cookie is available (present, un-expired and uncorrupted) your users remain Authenticated.
An introduction to the ASP.NET 5 Generic OAuth Provider
Microsoft.AspNet.Authentication.OAuthBearer
Creates bearer tokens. When a user signs into an end point (Web-API), or is authenticated by a 3rd party, the OWIN middle-ware returns a bearer token. The bearer token is sent with all service requests to identify your users in lieu of cookies.
In Startup:

```csharp
// Inside Startup.Configure (assumed). `cert` is the X509Certificate2 whose
// public key verifies the token signature, loaded earlier (assumed).
app.UseOAuthBearerAuthentication(options =>
{
    options.Authority = "http://localhost:5000/oauth/";
    options.Audience = "http://localhost:5000/oauth/resources";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKeys = new[] { new X509SecurityKey(cert) },
        // With this setting exp/nbf are not checked: an expired token keeps
        // working until the signing key is rotated.
        ValidateLifetime = false,
    };
    // Read the token on every request and set HttpContext.User from it.
    options.AutomaticAuthentication = true;
    options.SecurityTokenValidators = new[]
    {
        new JwtSecurityTokenHandler()
    };
});
```
Bearer Tokens are used when creating SPA (Single Page Application) or for securing AJAX requests.
Cookie Authentication is considered adequate for Server requests. But Service end points (whether or not they allow Cross Origin Resource Sharing) are more vulnerable to CSRF and XSS attacks.
Many Applications use both:
A common practice is to use cookie authentication for page requests and bearer tokens for AJAX requests.
You would need to differentiate between resources that utilize cookies and resources that utilize Tokens.
In this Stackoverflow answer, Matt DeKrey did a nice job of outlining his implementation utilizing [Authorize("Bearer")] for controllers or methods that should use bearer tokens rather than the standard cookie-based [Authorize] attribute.
Many Applications rely on Cookies alone:
How vulnerable is your application to CSRF attacks when relying on cookies? This is debatable. Many sites rely on cookies alone and never face issues. The answer may depend more on your traffic level and security needs.
If you are developing a site for tens of thousands of users, you are probably safe relying on cookies.
If you are serving millions of users or protect important financial data, your asynchronous calls should rely on bearer tokens.
Note: you mention using forms authentication; I would strongly recommend using Identity. The framework integrates with OWIN out of the box to give you both types of functionality.
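The cookie-for-pages, bearer-for-AJAX split the answer describes, as an added example (not the answer's or Matt DeKrey's own code), written against the same ASP.NET 5 beta surface as the snippet above; the "Cookies" and "Bearer" scheme names, the AddAuthenticationSchemes policy builder call and the Microsoft.Framework.DependencyInjection namespace are assumed to match that beta, and the Authority/Audience values are the placeholders from the answer:

```csharp
using Microsoft.AspNet.Authorization;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Mvc;
using Microsoft.Framework.DependencyInjection; // beta-era namespace (assumed)

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddAuthorization(options =>
        {
            // "Bearer" policy accepts only the bearer scheme: an ambient
            // cookie never satisfies [Authorize("Bearer")], which is what
            // removes the CSRF exposure of cookie-driven AJAX endpoints.
            options.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
                .AddAuthenticationSchemes("Bearer")
                .RequireAuthenticatedUser()
                .Build());
        });
    }
    public void Configure(IApplicationBuilder app)
    {
        // Cookies for page requests; automatic, so HttpContext.User is
        // populated from the cookie on every request.
        app.UseCookieAuthentication(options =>
        {
            options.AuthenticationScheme = "Cookies";
            options.AutomaticAuthentication = true;
        });
        // Bearer tokens for AJAX/API calls; not automatic, so the token is
        // only consulted where a policy names the "Bearer" scheme.
        app.UseOAuthBearerAuthentication(options =>
        {
            options.AuthenticationScheme = "Bearer";
            options.Authority = "http://localhost:5000/oauth/";
            options.Audience = "http://localhost:5000/oauth/resources";
            options.AutomaticAuthentication = false;
        });
        app.UseMvc();
    }
}
public class OrdersController : Controller
{
    [Authorize]             // page request: satisfied by the auth cookie
    public IActionResult Index() => View();
    [Authorize("Bearer")]   // AJAX call: bearer token required, cookie ignored
    [HttpGet("api/orders")]
    public IActionResult List() => Json(new { user = User.Identity.Name });
}
```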