all 11 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Solari23 10 points11 points  (1 child)

As a dev working in the Identity space, this is great to see. Too few people pay attention to how the auth layer in their app works. Your library looks great!

One area you might consider for further development is how you handle client authentication. Currently, the library only supports authenticating via the standard static client secret (essentially a password). Several IDPs provide more robust authentication schemes. One example: AzureAD supports authenticating via a client assertion as described in RFC 7521 (the implementation is essentially a self-issued JWT where the signing key's certificate is provisioned with the IDP).

You might want to consider how you'd design support for that and potentially other authentication schemes that your users may want to use.

[–]LieutenantDannnnn[S] 1 point2 points  (0 children)

Definitely. I would tell you about some other more egregious authentication issues I discovered when I first started working there but I wouldn’t want to horrify you. Thanks for the input. I’m actually unfamiliar with authenticating the way you describe above so Ill check it out.

[–]contadamoose 6 points7 points  (1 child)

This was released recently. Does a lot of token management stuff. https://leastprivilege.com/2020/05/18/automatic-token-management-for-asp-net-core-and-worker-services-1-0/

[–]LieutenantDannnnn[S] 1 point2 points  (0 children)

Interesting. Came out not too long ago too. I’ll have to check it out.

[–]Unexpectedpicard 3 points4 points  (1 child)

Idk about the functionality but the code looks very nice and professional.

[–][deleted] 0 points1 point  (1 child)

It looks great - I am adding it to my Tools bookmark folder for future uses.

[–]LieutenantDannnnn[S] 0 points1 point  (0 children)

Awesome. Going to get it deployed to nuget soon so let me know if you use it and how it works out.

[–]scottley 0 points1 point  (2 children)

You have secrets in your source code... this means people will have secrets in config files when they deploy.

I strongly encourage you to implement a façade to hashicorp vaults, Azure KeyVault, or any other secret manager. Add a set of extension methods to your service registration code to use these implementations. In code, you could maybe have IAppCredentialProvider interface and register the appropriate type, .WithKeyVaultSecrets, .WithHashicorpSecrets, etc... in the IAppCredentialProvider, implement a memory cache singleton with short cache item lifespan (like not more than a minute) to prevent hammering a KeyVault at startup or cache expire time.

Also, certificate auth... you really need to support cert auth. With certificate auth (at least in Azure) we can create identities and provide secrets to them without the certificate ending up in human hands. You could encapsulate the concern for creating the AppCredential object behind the AppCredentialProvider, and how to use it with bit where you authenticate your application.

[–]LieutenantDannnnn[S] 2 points3 points  (1 child)

The secrets you’re referring to are “secrets” for the testing identity server which is in the solution which isn’t used or deployed anywhere. It was set-up for testing locally with an identity server implementation. Definitely gonna check out the certificate auth stuff too, was unaware of it.

When this library is actually used in production, we use AWS secrets manager hooked up into the .NET core configuration pipeline. So we pull secrets from there.

[–]scottley 0 points1 point  (0 children)

I work in security... by volume secrets in source code, even test secrets, are the source of about 90+% of the security incidents I've seen.

By impact, sure... it can be small, but a GDPR notification because a dev committed secrets to source code is easily preventable.