OpenIdConnect wip
ASPNET Security libraries
- simplified ASPNET Security-like libraries.
- rewritten from scratch ASPNET Security libraries.
- "light" functional-style libraries [90% OOP-free].
Security libraries
- Authentication.Cookies.
- Authentication.Facebook.
- Authentication.Google.
- Authentication.Twitter.
- Authentication.BearerToken.
- Authentication.OAuth2.
- Authentication.OpenIdConnect.
- Authorization.
- DataProtection.
Design
- security services [authentication and authorization services] represent the mechanism backbone.
- security services [high-level functions] act as security behaviour controllers and represent public API.
- security libraries were written following some of FP principles [pure functions, high-order functions, immutability, data/behaviour separation, static methods/functions as first-class citiziens, result pattern].
- DI is used as thin layer usually over functional security services [eg. SignInCookie have 2 implementations with/without DI services]. DI services implementations are registred as usual with specific method extensions [eg. AddCookiesServices, AddFacebookServices].
- security mechanism is based on security services [authentication scheme free-mechanism]:
- authentication middleware receive authentication service as param [UseAuthentication extension].
- authorization middleware receive challenge and forbid services as params [UseAuthorization extension].
- oauth callback endpoints receive signin service as param [eg. MapFacebook].
- authentication libraries implement specific authentication services [eg. AuthenticateCookie, SignInCookie, ChallengeGoogle, AuthenticateFacebook].
- authorization library implement authorization services [eg. Authorize].
- high-level functions usually use declarative style [eg. SignInCookie].
- usually impure functions [with side-effects].
- built on top of low-level and intermediate-level functions.
- intermediate-level functions use imperative/declarative style [eg. SetAuthorizationParams].
- low-level functions usually use imperative style and are one-liners [eg. IsSecuredCookie].
- usually pure [without side effects] or semi-pure functions [side effects on parameters].
- high-intermediate-low-level hierarchy design I named it lego principle. It could be seen also as a functions pyramid having at the base low-level functions.
- no else strategy [0 (zero) else branches].
Processes
- there are 2 different security processes: local authentication and remote authentication.
- local authentication process [cookie]:
- each request [when use authentication middlware] call authentication func [eg. AuthenticateCookie]. Based on authentication result the middleware set HttpContext.User prop.
- then each request [when use authorization middlware] call authorization func [eg. Authorize]. Based on authorization policies result is decided if the request is allowed, unauthenticated/challenged or unauthorized/forbidden.
- signin/signout funcs are used on specific endpoints/controller actions implememted by devs.
- remote authentication process [OAuth2 protocol]:
- when called, the challenge endpoint [eg. registered with MapFacebook] build and send an authorization request to authorization server.
- after processing the authorization request the authorization server redirect response to callback endpoint [eg. registered with MapFacebook]. That endpoint receive authorization server response and call callback func [eg. CallbackFacebook, CallbackOAuth]. The callback func has 2 steps:
- authentication: AuthenticateOAuth oauth authentication func has 3 substeps:
- PostAuthorization - validate the authorization code and the request from the authorization server [local].
- ExchangeCodeForTokens - exchange with the authorization server the authorization code for the access [and refresh] tokens [remote].
- AccessUserInfo - using access token gets from the authorization server the user informations [remote].
- The authentication step transform user informations received from authorization server into security claims, add them to the claims identity, create an authentication ticket and return the AuthenticationResult.
- signin: after oauth authentication step when authentication succedded then the signin func is called [eg. *SiginInCookie^, SignInBearerToken]. Signin func is set on oauth endpoints registration.
- after callback redirection next requests will use local authentication process.
Remarks
- completely rewritten authentication mechanism.
- partially rewritten authorization mechamism [keeping compatibility with ASPNET authorization policies mechanism].
- cookie authentication services surgically implement session-based cookies feature [using IsSessionBasedCookie func]. Authenticating, signingin and signingout services are completely independent each other [no dependencies on HttpContext features]. AuthenticationSessionCookie, SignInSessionCookie and SignOutSessionCookie session-based cookies services are completely isolated from non-session based versions.
- authentication options implementation contains only data [eg. CookieAuthenticationOptions]. Cookie authentication services [non DI-based ones] receive all dependencies as parameters.
- Microsoft ASPNET authentication options implementation contains data and behaviour/services [eg. SessionStore, TicketDataFormat, SystemClock for CookieAuthenticationOptions]. This design have some advantages comparing with my implementation allowing options:
- to have different services from those registered on DI.
- to encapsulate and carry on those services through the authentication process [reducing the number of parameters so].
- AuthenticateOAuth oauth authentication func use template method design pattern allowing oauth libraries to override/decorate when neccessary postAuthenticate, exchangeCodeForTokens or accessUserInfo authentication substeps [eg. AuthenticateTwitter, AuthenticateFacebook].
- redirecting remarks:
- ChallengeOAuth and ChallengeOidc funcs redirect to authorization server [ChallengeOidc could use form instead of redirection].
- CallbackOAuth and CallbackOidc funcs redirect to original url or when callback authentication error to AccessDeniedPath or ErrorPath authentication options props depending of error type.
- SigninCookie, SignOutCookie, Challenge*, Forbid* etc. no redirections [webapi oriented functionality]. when redirections are neccessary those funcs could be decorated and redirected to AuthenticationProperties.RedirectUri or to AuthenticationOptions.ReturnUrlParameter query parameter.
- cookies remarks:
- AuthenticationCookieOptions.ExpiresAfter single place to control AuthenticationTicket [cookies] persistency.
- AuthenticationCookieOptions.CookieName single place to control cookies names.
- oidc remarks:
- pkce is the recommended solution regarding security for authorization code flow.
- implicit and hybrid flows not supported based on oidc best practices [even supported by oidc rfc].
- nonce is not neccessary because implicit and hybrid are only flows with required nonce parameter.
Project goals
- to untangle/demystify the ASPNET authentication/authorization mechanisms and local/remote processes.
- to simplify authentication/authorization mechanisms [ASPNET schema-based free mechanism].
- to demonstrate a functional programming implementation.
- to demonstrate a practical alternative to OOP.
Benchmark
| Method |
InvocationCount |
Mean |
Error |
StdDev |
Median |
Ratio |
RatioSD |
Gen0 |
Gen1 |
Gen2 |
Allocated |
Alloc Ratio |
| FPSignin |
128 |
64.34 μs |
1.196 μs |
1.119 μs |
64.69 μs |
1.00 |
0.00 |
- |
- |
- |
7.96 KB |
1.00 |
| OOPSignin |
128 |
79.98 μs |
3.247 μs |
9.212 μs |
79.56 μs |
1.13 |
0.14 |
7.8125 |
7.8125 |
7.8125 |
116.21 KB |
14.59 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| FPSignin |
512 |
45.75 μs |
5.065 μs |
14.934 μs |
39.12 μs |
1.00 |
0.00 |
1.9531 |
- |
- |
7.96 KB |
1.00 |
| OOPSignin |
512 |
97.08 μs |
7.432 μs |
21.679 μs |
95.52 μs |
2.41 |
1.12 |
9.7656 |
9.7656 |
9.7656 |
445.7 KB |
56.01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| FPSignin |
1024 |
28.83 μs |
2.009 μs |
5.533 μs |
26.26 μs |
1.00 |
0.00 |
1.9531 |
- |
- |
7.95 KB |
1.00 |
| OOPSignin |
1024 |
186.15 μs |
26.776 μs |
78.949 μs |
211.04 μs |
6.32 |
3.02 |
14.6484 |
13.6719 |
13.6719 |
915.64 KB |
115.12 |
- for InvocationCount > 2048 OOP benchmark start running extremely slow.
