ASP.NET Core SPA Cookie Authentication vs XSRF (.NET 7 Minimal Apis C#)

Views: 10,011

Raw Coding

A day ago

Comments: 33
@joshem32 2 years ago
Finally somebody talks about it, well done!!
@TheNorthRemember 2 years ago
Man, I love your vids, very clear and to the point, keep it up.
@highdynamic A year ago
nice and straightforward overview! (for origins though - while I know it was just an example in the video - avoid "startsWith" because evil can make a matching subdomain easily : )
@IvanRandomDude 2 years ago
I use cookies for SPAs when I have simple system API + one SPA client. I just make sure to use the same domain in deployment. Something like app(dot)io and app(dot)io/api. Usually using reverse proxy of some kind to direct traffic from app(dot)io to front end ip address and app(dot)io/api to back end ip address. Both front end and back end are not accessible directly (hidden inside security group). It is some form of simplified BFF but without oauth2 and token relaying. You don't even need this if you are serving SPA directly from back end. Most frameworks allow you to serve SPA as simple static content, although I don't like this approach.
@GabrielBartolazzi 2 years ago
How would this scale if your API would also have to be accessed by a mobile app? Would you implement an identity server or some other methodology?
@IvanRandomDude 2 years ago
@@GabrielBartolazzi I would cry and then go home. I don't know, I don't make mobile apps. Still not sure about Identity Server because I don't know if it can be used for free now. They say it is if your company makes less than a million a year, which is not much for a company. Even small companies can make that money. Maybe pick some other solution like Keycloak or a nodejs service based on oidc-provider. But Keycloak is a pain in the a** for customization. Not saying it's hard, but there are not many great online resources about SPI implementations. The documentation has one simple code sample. Maybe I would create a simple identity provider based on Spring Authorization Server instead of Identity Server. But SAS is new and I'm not sure if it is production ready yet. They say it is, but I would bet not many people use it yet. In the end, what about identity providers like Okta? Never used it, but I heard it can get really pricey.
@GabrielBartolazzi 2 years ago
@@IvanRandomDude I'm not the only one running into these frustrating issues... There's also OpenIddict, which I haven't tried yet.
@RawCoding 2 years ago
Check my authentication playlist
@GabrielBartolazzi 2 years ago
Your videos are excellent! You explain complicated concepts in a simple and easy to understand way. A video showing a shared API between SPA and Xamarin would be great. Or someone who explains why IdentityServer? or any introduction to OpenID Connect and OAuth 2.0
@RawCoding 2 years ago
Cheers, for ids4 I've got kzbin.info/www/bejne/a36kiql3Z8t0mqM. I'll see what to do about the OAuth flow etc.
@vinnbrock 2 years ago
@@RawCoding that would be awesome (the OAuth 2.0)! Just found your channel and I really appreciate your content!
@EzequielRegaldo A year ago
Excellent video, for the 2nd attack can we use CORS instead or not?
@andreasaa2563 2 years ago
Keep these type of videos coming!
@whitebudgie 5 months ago
dude! thank you so much.
@1dfe-4e68-bd9f 2 years ago
as always advanced topics! 👌
@christiandemienculanag2320 2 years ago
Informative!
@piercejohnstevens2038 2 years ago
Hi, a bit off topic, but how would a SPA access claims in the frontend from a cookie?
@RawCoding 2 years ago
Good question! It doesn't and it shouldn't; make an API call.
@recepgultekin2455 A year ago
I just don't understand why I can't post json from another origin, because CORS is for reads and not writes. I would expect that with posting json data from a different domain, I am gonna receive a cookie and save it in my browser. When the user goes to that website he/she is authenticated with my account. Could you explain this please?
@RawCoding A year ago
You can’t post from different domain because it’s a browser security feature. You don’t want faceboook.com (malicious site) to post credentials to real Facebook. Auth cookies should never work cross domain.
@ataadevs 2 years ago
Why doesn't CORS work when submitting a form from a different origin, and even when the attacker requests data from a different origin after login?
@RawCoding 2 years ago
Because I disable it for that case
@denisivanov4888 2 years ago
Nice video! But I didn't understand why this simple form login replaced the cookie for the 'company.local' domain just like that and suddenly became 'logged in' from 'foo' to 'evil'.
@RawCoding 2 years ago
That's the vulnerability: being able to post data from one domain to the other, with the browser automatically attaching cookies.
@pjank A year ago
Love this video! Great, practical explanation of a tricky subject. And I want to believe that in apps like this we can safely rely on the SameSite cookie only, but... what are your thoughts on the fact that both OWASP and RFC 6265 still insist that this shouldn't be our only protection?
@pjank A year ago
The above is a fragment of a longer comment I made weeks ago, only now realizing nobody else could see it. Let me try how much I can add and clarify before YT blocks this again... OWASP, i.e. the CSRF Prevention Cheat Sheet; RFC 6265, the section on Strict and Lax enforcement.
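As an added example (not code from the video or the channel), a .NET 7 minimal API Program.cs combining the two defences this thread argues over: SameSite=Strict on the auth cookie, as pjank asks about, plus an exact-match Origin check on state-changing requests rather than the StartsWith that highdynamic warns against; the allow-listed origin https://app.example and the /api/transfer endpoint are constructed placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

// Layer 1: SameSite=Strict stops the browser attaching the auth cookie to
// requests another site initiates (the cross-domain form post from the thread).
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Layer 2: exact-match Origin allow-list (constructed placeholder origin).
var allowedOrigins = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "https://app.example",
};

app.Use(async (ctx, next) =>
{
    var method = ctx.Request.Method;
    var safeMethod = HttpMethods.IsGet(method) || HttpMethods.IsHead(method)
                     || HttpMethods.IsOptions(method);
    if (!safeMethod && !IsAllowedOrigin(ctx.Request.Headers.Origin, allowedOrigins))
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next(ctx);
});

app.UseAuthentication();
app.UseAuthorization();
app.MapPost("/api/transfer", () => Results.Ok()).RequireAuthorization();
app.Run();

// Compares scheme + host + port of the Origin header against the allow-list.
// origin.StartsWith("https://app.example") would also accept
// "https://app.example.evil.example", the subdomain trick highdynamic mentions.
static bool IsAllowedOrigin(string? origin, IReadOnlySet<string> allowed)
{
    if (string.IsNullOrEmpty(origin)) return false;   // missing Origin: reject
    if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)) return false;
    return allowed.Contains(uri.GetLeftPart(UriPartial.Authority));
}
```

GetLeftPart(UriPartial.Authority) lowercases the scheme and host and drops a default port, so "https://App.Example:443" still matches the allow-list entry while any other authority, including a "null" Origin, is rejected.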
@nullentrophy 2 years ago
Maybe unrelated, but can you secure your API so that only your SPA can access it? I guess you can do that with CORS, but an attacker may use a modified client or something like that to exfil your data.
@RawCoding 2 years ago
That’s impossible, only via vpn
@nullentrophy 2 years ago
@@RawCoding so someone with malicious intent could easily drain your API quota
@RawCoding 2 years ago
Yea if you embed the token in the client. But if you own the api that’s called ddos
@nullentrophy 2 years ago
@@RawCoding So to make it clear, the token is always public. There is no security mechanism to hide the token. I had never realised this, this low key shocked me. Thanks for the info, I appreciate you taking the time to answer my silly question.
@RawCoding 2 years ago
It depends what kind of token you are talking about. But don’t keep secrets on the client. If it’s an authentication token it’s kinda same thing, you want a backend that will securely store the token.