At NDC London, Jon and K. Scott talk to Paul Betts about several of his recent open source libraries designed to simplify cross platform development on C#.
Download / Listen: Herding Code 187: Brock Allen on ASP.NET Security and Identity
- (00:18) Brock gave two presentations on security at NDC, as well as a two day pre-conference workshop with Dominick Baier (also on security).
- Brock’s contribution of CORS support to ASP.NET Web API
- (00:35) Jon asks Brock about the CORS support he recently contributed to ASP.NET Web API. Brock tells the history of how he built a CORS implementation at Thinktecture and how he went about contributing it.
- (01:21) Jon asks Brock about what was involved in his CORS implementation. Brock describes the limitations browsers place on cross-origin requests and how CORS solves that. It’s defined in the HTML5 specs and is supported by all modern browsers.
- (02:12) Jon asks what’s required on the server for CORS to work. Brock explains how servers respond to browsers to tell them they support CORS and which other servers they want to allow communications with.
- (02:45) The most common form of browser communications for CORS is via an OPTIONS request from the browser, to which the server responds using predefined headers.
- (03:14) K. Scott asks about the process of getting his CORS implementation added to the ASP.NET Web API codebase. Brock explains the process, including his big pull request and the month of work he and Yao put in to getting the code "Microsoftified." Brock’s implementation was pretty broad, the shipping version was targeted just at Web API.
- Thinktecture Identity Model
- (04:59) Jon asks if there’s any reason to use the Thinktecture Identity Model version now. Brock explains the other areas that Identity Model supports, and that many of the features of Thinktecture Identity Model have been removed as ASP.NET Web API has added a lot of these features to the core.
- ASP.NET Identity and Membership Reboot
- (06:09) K. Scott asks how the identity features in Thinktecture Identity Model compare to the new features shipped in the new ASP.NET Identity system. Brock describes the problems that the ASP.NET Identity system was designed to solve.
- (07:02) Brock describes the membership system he wrote as an alternative to the ASP.NET provider model system, called Membership Reboot. His Membership Reboot system includes things like password resets and e-mail account verification which are not in the initial version of ASP.NET Identity, but he thinks that the new system is well architected to add these in, since it’s just a NuGet package.
- (07:42) Jon asks Brock about the other features Membership Reboot covers. Brock says that was the subject of one of his talks – how he implemented features like password reset, e-mail verification and two factor authentication without opening up attack vectors.
- ASP.NET Security
- (08:27) K. Scott asks about the other talks Brock did at NDC London. His other talk was on ASP.NET Core Security – he focused on teasing apart the membership and forms authentication parts so they’re understood as separate components.
- (09:20) Jon asks Brock how he got interested in security. Brock talks about his background in programming, and how he thinks it’s interesting to see how the different parts work together.
- (09:48) Jon talks about cases he sees where developers decide they want to write their own security implementations for speed or other reasons. Brock says that was one of the key points of his talk: you don’t want to implement those things yourself.
- (10:19) Jon asks about common security issues that developers commonly forget to consider. Brock lists several: proper implementation of SSL, password management, etc.
- What’s Next For Brock?
- (11:09) Jon asks what’s next for Brock. He’ll be busy: he’s got a lot of course rework for recent updates, Identity Server v3 (with OpenID Connect).
- (11:46) Jon asks how OpenID Connect affects him as a developer.
- (13:15) K. Scott asks what Brock does to relax. Brock does Tai Chi and Kung Fu.