In the previous article I showed how to use OAuth to connect to twitter. At this point all the authentication and authorization has been done and we are busy with the last step to retrieve the Identity information from twitter specifically.
Last time I looked at Oauth I was simply looking at the steps involved with it, today I am doing a small POC. I will be using twitter as my identity provider.
In the previous post I showed how to enable HSTS so that all HTTP traffic to a website is secured. As cool as that is, the unfortunate reality is that it is not always possible to secure all HTTP traffic for a website especially when dealing with some legacy technology.
HTTP Strict Transport Security or HSTS is a header that instructs a browser not to downgrade a secure https connection to a unsecure HTTP connection for a specified domain.
There is a vulnerability in SSL3 called POODLE, it is documented in detail here by Google. SSL2 & 3 needs to be disabled in the client browser and on the web server. Below is a registry file that can be copied and run on a Microsoft IIS web servers to disable SSL 2 & 3… Read More »
It is important to realize that although a website might be running under HTTPS it does not guarantee that the session information is not accessible from normal HTTP requests. When a session cookie is generated it is important to make sure that the cookie can only be transmitted over a secure HTTP connection (HTTPS).
So what is this OAuth? This is what wikipedia says: OAuth is an open standard for authorization, commonly used as a way for Internet users to authorize websites or applications to access their information on other websites but without giving them the passwords.[1] This mechanism is used by companies such as Google, Facebook, Microsoft and… Read More »
In the following example i will show how to build an Identity Provider also called a passive security token service (IP-STS) that issues tokens using WS-Federation. This post builds on work done in a previous post, Create your own active STS. In this article I will show how to create a complete working example of an… Read More »
Figured that I would start a post dealing specifically with all the terms we find in the Identity world. Ill add to this post as time goes on…
As in .net framework it is just as important to add security headers to your asp.net core project to harden the security posture of your web application.
A passive STS (IP-STS) is a website that issues a token and uses the browser to direct the flow of the application through redirects. The following example will be integrating a website with a passive STS that issues tokens using the WS-Federation standard. Click here if you wish to see how to create your own passive STS.
Sometimes it can be a real nightmare to troubleshoot for what reason an application are unable to connect to WCF services. The client simply gets a “Connection refused”, “Connection aborted” or “Timeout” message back.
The post will show the configuration needed to enable net.tcp transport security with impersonation for WCF.
When it comes to securing WCF security it comes down to Message security or Transport security. There are hybrid approaches of the two but they are not often used. The type of security to use can also be influenced by the binding that will be used.
The following example uses an active security token service (A-STS) that issues tokens using the WS-Trust standard. The type of STS discussed in this post is called a Active STS OR A-STS, it refers to the client that is actively in control of its own authenticated state. This client will typically have its own login window build into the… Read More »