App Security Terminology

Basic terminology for OAuth security in the context of an app (web application, API, mobile application, etc.).

Authentication
The process of proving you are who you say you are.

Authorization
The act of granting an authenticated party permission to do something. It specifies what data you’re allowed to access and what you can do with that data.

Identity
Refers to a user who requests access to resources. Users have to prove that they are who they say they are, usually through an authentication process.

Flow (aka grant type)
A method through which an application obtains access tokens, and by which you grant another entity limited access to your resources without exposing credentials.

Token
A piece of data containing information about users and apps. Common types of tokens:

  1. ID token: a token used to identify the user.
  2. Access token: a token used to access some kind of resource, e.g. an API.
  3. Refresh token: a token used to obtain a new access token.

Hash
A function that maps data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes.

Encrypt
Convert information or data into a cipher or code, especially to prevent unauthorized access. Common methods of encryption:

  1. Asymmetric: a form of encryption where keys come in pairs: a public key, which may be disseminated widely, and a private key, which is known only to the owner. The public key is used to encrypt and the private key is used to decrypt.
  2. Symmetric: a form of encryption that uses only one key (as opposed to the pair of keys in asymmetric encryption). The same key is used both to encrypt and to decrypt.

Decrypt
Convert an encrypted message back into a form that can be understood.

Public/private key
See asymmetric encryption above.

Federation
The linking of a user's electronic identity and attributes, stored across multiple distinct identity management systems.

References:
Microsoft
Auth0
Wikipedia

Another Reading List

Cross Tab Communication with Javascript

This post lays out an interesting problem: how can JavaScript communicate across browser tabs (or iframes or windows)? There are a few different approaches, with the pros and cons of each.


Use read-only replicas to load-balance read-only query workloads

With the new vCore pricing model, Azure offers a SQL solution with better features. One of those is a no-cost, built-in read-only scale-out database. Read more on the details here.


Overview of Microsoft Authentication Library (MSAL)

MSAL is the new library for authenticating with the Microsoft Identity Platform (formerly the Azure AD endpoint). It is replacing ADAL (which only authenticates to the Azure AD v1 endpoint). The new version supports authentication beyond Azure AD, including personal accounts (hotmail.com / outlook.com) and social accounts like Facebook / Twitter, etc. For more details on the Microsoft Identity Platform: https://docs.microsoft.com/en-us/azure/active-directory/develop/about-microsoft-identity-platform


Authentication flows

There are many authentication flows in the world of authentication. This Microsoft documentation gives an overview of each auth flow and how it is used. It is written primarily for the Microsoft Identity Platform, but is generally applicable to other platforms / frameworks as well. More detailed coverage of each auth flow can also be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow


Google Spent 2 Years Studying 180 Teams. The Most Successful Ones Shared These 5 Traits

Great achievements can sometimes be made by one person, but most of the time it's a team. This post talks about Google's research into what makes the most successful ones. It's along the same lines as previous studies on motivation, more psychological than anything else.


Monday Reading List

Don’t snapshot your UI components, make assertions!

A great post discussing unit tests and the reasons for making assertions rather than snapshotting the UI. It's more philosophical, and will hopefully shape how you think about unit testing. Good read.


Something to Know about gRPC in ASP.NET Core 3

gRPC is on the rise! And so is ASP.NET Core 3! But wait, it's not working in Azure App Service? Head over to this post to learn why. But, hey, maybe it will be fixed soon.


AI Terms Every Beginner Should Know: an Abbreviations Glossary

This is the kind of post I like. I would start learning about AI but can hardly explain it to others. Knowing the terms definitely helps, and it makes you look like an expert!


Hacking ASP.NET apps and turning them onto Zombies

An interesting post about ASP.NET. Even though it is security related, it's not one of those boring security posts. It's about hacking, injecting malicious code into an ASP.NET app, and more importantly, how to prevent it.


Fast Data is Forcing New Strategies in DevOps

Probably not worth your time to read. But I do like that it argues that real-time streaming data has its own challenges in DevOps. It also offers high-level solutions / approaches to the challenge.


Free eBooks

Everyone loves free stuff. Here are free eBooks that will improve your technical skills and knowledge.


Cognitive Complexity

A fairly short read. SonarQube, a company that makes an automatic code-review tool of the same name, has come up with an algorithm that scores how complex a piece of code is, i.e. how hard it is to understand, called Cognitive Complexity.


Azure Security Best Practices

If you are in an Azure environment, this is a really good resource for understanding what Azure has to offer to secure your application and environment. From identity management, networking and monitoring to VMs and databases, it covers pretty much everything about security.


Learn Azure in a Month of Lunches

You can learn everything about Azure in a month of lunches; that's 30 days x 1 hour = 30 hours! Sounds like a pretty good deal to me!


Barebone Angular Project with Auth0

A simple project to demonstrate how to use Auth0 in an Angular project; download the code on GitHub.

To get started, you must have an Auth0 account.
To set up the project, update the following values in `environment.ts`:
1. Client ID. This is the ID of the app you created in the Auth0 dashboard. See here.
2. Client Domain. Your Auth0 domain used to authenticate users. See here.
3. Callback URL. This is the URL Auth0 will redirect to after the user is authenticated. This URL must be whitelisted in the Auth0 dashboard. See here.
4. Logout URL. This is the URL Auth0 will redirect to after the user logs out. This URL must be whitelisted in the Auth0 dashboard. See here.

The juice is in `service/auth.service.ts`; the following explains each method:
1. Login
Calls Auth0's authorize method to authenticate users. The method redirects the user to Auth0: if the user is not authenticated, a login screen is displayed; if the user is authenticated, Auth0 redirects to the callback endpoint and passes the ID token.

2. HandleAuthentication
Parses the response object from Auth0, which contains the ID token, access token, expiration time and other information, and redirects the user to the appropriate URL depending on the authorization result.

3. SetSession
Stores the authentication tokens and expiration in the browser's storage. The user is now authenticated.

4. Logout
Removes the authentication tokens and expiration from the browser's storage. The user is no longer authenticated.

5. IsAuthenticated
Checks the browser's storage to see whether the user is authenticated.
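The session bookkeeping behind SetSession, Logout and IsAuthenticated, as an added example that is not code from the Barebone Angular project or from Auth0's SDK. It is written against a minimal storage interface instead of the browser's localStorage so it runs anywhere; the storage key names, the AuthResult field names and the injected clock (nowMs) are assumptions, and the expiry check fails closed when the stored value is missing or unparsable.

```typescript
// Minimal subset of the Web Storage API; localStorage and sessionStorage both satisfy it.
interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// Fields taken from the Auth0 callback response (assumed names; expiresIn is in seconds).
interface AuthResult {
  idToken: string;
  accessToken: string;
  expiresIn: number;
}

// Assumed storage key names.
const ACCESS_KEY = 'access_token';
const ID_KEY = 'id_token';
const EXPIRES_KEY = 'expires_at';

// SetSession: persist both tokens plus an absolute expiry (epoch ms) computed from the
// injected clock, so later checks are a plain comparison rather than token parsing.
function setSession(store: KeyValueStore, result: AuthResult, nowMs: number): void {
  const expiresAt = nowMs + result.expiresIn * 1000;
  store.setItem(ACCESS_KEY, result.accessToken);
  store.setItem(ID_KEY, result.idToken);
  store.setItem(EXPIRES_KEY, String(expiresAt));
}

// Logout: remove every part of the session so nothing stale is left behind in storage.
function clearSession(store: KeyValueStore): void {
  store.removeItem(ACCESS_KEY);
  store.removeItem(ID_KEY);
  store.removeItem(EXPIRES_KEY);
}

// IsAuthenticated: true only while an access token is present and the stored expiry is
// still in the future. A missing or unparsable expiry fails closed (not authenticated).
function isAuthenticated(store: KeyValueStore, nowMs: number): boolean {
  const raw = store.getItem(EXPIRES_KEY);
  if (raw === null || raw === '') return false;
  const expiresAt = Number(raw);
  if (!isFinite(expiresAt)) return false;
  return nowMs < expiresAt && store.getItem(ACCESS_KEY) !== null;
}
// In-memory stand-in for localStorage so the functions can be exercised outside a browser.
class MemoryStore implements KeyValueStore {
  private data: { [key: string]: string } = {};
  getItem(key: string): string | null { const v = this.data[key]; return v === undefined ? null : v; }
  setItem(key: string, value: string): void { this.data[key] = value; }
  removeItem(key: string): void { delete this.data[key]; }
}
```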

Create All Purpose Self-Signed Certificate with Makecert

All Purpose Certificate (with Certificate Authority)

#Root authority certificate
C:\>makecert -n "CN=TempCA" -pe -r -sv TempCA.pvk TempCA.cer
#Certificate
C:\>makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My

All Purpose Certificate (w/o the Certificate Authority)

#Self-signed Certificate
C:\>makecert -r -pe -n "CN=SignedByCA" -sr currentuser -ss my

The certificate will be installed in the Current User, Personal store.

From there you can export the private key. Alternatively, use pvk2pfx to export it.
 
For local SSL specific certificate: How to Create Valid and Trusted SSL Certificate (Wildcard) for Development

Reference
Microsoft Docs
Makecert Documentation

Conceal Sensitive Information with Azure Role-Based Access Control (RBAC)

Use Role-Based Access Control to Hide Access to Configurations, Connection Strings, Account Keys and Certificates

Access to Azure services can be defined at a more granular level. This is useful when you want to grant access to certain services without revealing sensitive information, such as account keys, connection strings or certificates.

RBAC Custom Roles

This can be achieved by defining custom roles in RBAC; the built-in roles are not going to be sufficient.

For example, we could restrict access to an Azure Cloud Service's Configurations and Certificates as below:


{
  "Name": "Dev Ops",
  "Id": "<some_guid>",
  "IsCustom": true,
  "Description": "Dev Ops role.",
  "Actions": [
    "Microsoft.ClassicCompute/domainNames/read",
    "Microsoft.ClassicCompute/domainNames/slots/roles/providers/Microsoft.Insights/metricDefinitions/read",
    "Microsoft.ClassicCompute/domainNames/slots/start/action",
    "Microsoft.ClassicCompute/domainNames/slots/state/start/write",
    "Microsoft.ClassicCompute/domainNames/slots/state/stop/write",
    "Microsoft.ClassicCompute/domainNames/slots/stop/action",
    "Microsoft.ClassicCompute/domainNames/swap/action"
  ],
  "NotActions": [
    "Microsoft.ClassicCompute/domainNames/slots/read",
    "Microsoft.ClassicCompute/domainNames/serviceCertificates/operationStatuses/read",
    "Microsoft.ClassicCompute/domainNames/serviceCertificates/read"
  ],
  "AssignableScopes": [
    "/subscriptions/<some_guid>"
  ]
}

What restricts users' access to the configurations and certificates are the resource provider operations listed in NotActions.
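How Azure evaluates the Actions and NotActions of a custom role, as an added example that is not code from the post or from Microsoft's tooling. Azure computes a role's effective permissions as Actions minus NotActions, matching '*' wildcards against the operation string case-insensitively; the first role is a trimmed copy of the post's "Dev Ops" role, and the second (wildcard) role is an assumption added to show the case where NotActions actually changes the outcome.

```typescript
// Only the fields that matter for permission evaluation.
interface RoleDefinition {
  Name: string;
  Actions: string[];
  NotActions: string[];
}

// Turn an operation pattern such as "Microsoft.ClassicCompute/*/read" into a
// case-insensitive RegExp; '*' matches any run of characters, including '/'.
function patternToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except '*'
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$', 'i');
}

function matchesAny(patterns: string[], operation: string): boolean {
  return patterns.some((p) => patternToRegExp(p).test(operation));
}

// An operation is permitted by a role only if some Actions entry matches it and no
// NotActions entry matches it. NotActions subtracts from this role's own Actions; it is
// not a deny rule, so another role assigned to the same principal could still grant it.
function roleAllows(role: RoleDefinition, operation: string): boolean {
  return matchesAny(role.Actions, operation) && !matchesAny(role.NotActions, operation);
}

// Trimmed version of the post's "Dev Ops" role (constructed sample).
const devOpsRole: RoleDefinition = {
  Name: 'Dev Ops',
  Actions: [
    'Microsoft.ClassicCompute/domainNames/read',
    'Microsoft.ClassicCompute/domainNames/slots/start/action',
    'Microsoft.ClassicCompute/domainNames/swap/action',
  ],
  NotActions: [
    'Microsoft.ClassicCompute/domainNames/slots/read',
    'Microsoft.ClassicCompute/domainNames/serviceCertificates/read',
  ],
};

// Assumed variant: grant everything under the provider, then carve out the certificates.
// Here NotActions does real work; with the explicit list above, the certificate
// operations were never in Actions in the first place.
const wildcardDevOpsRole: RoleDefinition = {
  Name: 'Dev Ops (wildcard)',
  Actions: ['Microsoft.ClassicCompute/*'],
  NotActions: ['Microsoft.ClassicCompute/domainNames/serviceCertificates/*'],
};
```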

What Resource Provider Needed for Azure Service?

In the example above, I used Azure Cloud Service as the example, and the resource provider for Azure Cloud Service is Microsoft.ClassicCompute.

You can find out which resource provider an Azure service uses from its URL in the Azure portal. For Azure Cloud Service, the part of the URL that says Microsoft.ClassicCompute is what tells you which resource provider to use.

More

The challenge is to find the resource provider operations that suit your needs.

For more information on how to create custom roles, available built-in roles and list of resource provider operations, see the links in References.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

Get Private Key and Certificate from .PFX

Export the private key from the .PFX file

C:\> openssl pkcs12 -in filename.pfx -nocerts -out privatekey.pem

Decrypt the encrypted private key (openssl prompts for the passphrase you set in the previous step; the output file is unencrypted, so protect it accordingly)

C:\> openssl rsa -in privatekey.pem -out private.key

The final private.key file is the private key file.

Export the certificate from the .PFX file

C:\> openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

The cert.pem output from the command is the certificate file.

Claims-Based Authorization in ASP.Net MVC and Web Api

Normally, I would re-write a blog post in the hope of providing a better explanation and a more concise article, but since this one is from Dominick Baier, I think he does it best.

So, here it is: how to apply claims-based authorization in ASP.NET MVC and Web API:

http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

Add Authentication to MongoDB Database

To prevent unauthorized access to your MongoDB database, you can secure it by requiring authentication whenever someone tries to connect.

It's simple: run mongod with the --auth option. The commands are:

// To add a user (db.addUser is deprecated since MongoDB 2.6; newer versions use db.createUser)
> use admin
> db.addUser('admin','123456');

// Start mongod with --auth
$ sudo mongod --auth --dbpath /data

// Run mongo and log in
$ mongo localhost:27017
> use admin
> db.auth('admin','123456');

// Include the login in the mongo command
$ mongo localhost:27017/admin -u admin -p 123456

More MongoDB security options: http://docs.mongodb.org/manual/administration/security/