Post Archive

  • Common Browser Security Concepts

    Same Origin Policy (SOP)

The Same Origin Policy is a browser security feature that prevents scripts running in one window from accessing the data of another window (whether tabs, windows or iFrames), unless both windows have the same origin - that is, the same URL scheme, host and port.

    The SOP restricts malicious sites reading sensitive information displayed by a target...

  • OpenID Connect - OAuth 2.0 with Authentication

    Note On Terminology

    When OAuth 2.0 was developed, it was focused on providing a secure and standardized framework for allowing users to authorize Client Apps without sharing credentials.

OAuth 2.0 had no features specifically for authenticating users with Client Apps via Identity Providers, to say nothing of administering user roles, claims, and other attributes.

    Originally, after OAuth...

  • OAuth 2.0 Device Authorization Flow

    Note On Terminology

Device Authorization Flow is designed for authorizing Client Apps that run on a different device than the one the user will use to authenticate with - typically this is used for authorizing streaming apps on Smart TVs to access a user’s existing account, and grant them access to use it to stream data through the...

  • OAuth 2.0 Authorization Code Flow with PKCE

    Note On Terminology

    Unlike implicit flow, Authorization Code Flow with PKCE includes the intermediate step of providing the client with an Authorization Code that is later used to exchange for Access Tokens.

    Access Tokens are obtained with an AJAX request to a token-exchange endpoint on the Authorization Server, which has the sole purpose of certifying a request’s...

  • OAuth 2.0 Implicit Flow

    Note On Terminology

    Client-side applications are generally considered less secure at storing sensitive information like client secrets.

    In the case of SPAs, the source code is accessible, and if a device is shared between users, developer tools make it easy to find secrets stored in the browser. They can be vulnerable to XSS attacks, allowing malicious scripts...

  • OAuth 2.0 Authorization Code Flow

This is most similar to the OAuth 1.0 flow. It is appropriate for server-based Client Apps that can securely store Access Tokens from an Authentication Server.

    Note On Terminology

    1) App Registration

    First, like in OAuth 1.0, the Client App developers register the app with the Service Provider.

    During registration the Client App is assigned a client_id,...

  • OAuth 2.0 Overview

    OAuth 2.0 both improves and expands upon OAuth 1.0, with simpler authentication processes, and a modular approach that allows for additional use-cases besides server-based Client App authorization.

In fact, OAuth 2.0 offers several flows, each appropriate for different scenarios. We’ll give a brief overview of each one before delving into the implementation details of some of the more notable ones...

  • OAuth 1.0

For sites without user-driven features that offer API interfaces for their functionality (for instance, a site providing weather data), enabling secure API access for Client Applications is often a straightforward process - generating a unique API key for each registered client for them to include in each API request.

    But for user-focused sites that wish to allow Client Apps to add...

  • JWT Essentials

JWT tokens are used for communicating information between different applications and services, with properties that enable the receiver to certify that the information in the JWT is authentic and has not been tampered with.

    We will explain their implementation here, as they are a necessary part of OIDC authorization, which we will cover later.

    JWT tokens themselves are simple to construct,...

  • Maintaining Authentication State with Session Cookies

    This is a widely used, browser-based approach for allowing a user to maintain their authentication state, thus avoiding having them constantly re-authenticate when accessing protected resources.

    It’s straightforward, and we’ll demonstrate a simple implementation in ASP.NET Core, without using any external libraries.

However, it has numerous security vulnerabilities if misconfigured, so for production use it is nearly always implemented on the...

  • HTTP Basic Access Authentication

    Basic Access Authentication is probably the simplest authentication scheme to implement.

When an unauthenticated user tries to access a restricted resource, the server responds with a 401 Unauthorized status and a WWW-Authenticate response header field, with the header value 'Basic realm="[Name given to resource user is trying to access]"'.

    The realm here is required and serves as an identifier for...

  • Cookies - A guide for developers

The HTTP protocol is by definition stateless. Before cookies, websites had no way of remembering your current state and preferences - for example, whether you were already logged in to the site, or whether you had performed site-specific actions or accumulated state, such as the current items in an e-commerce site’s shopping cart.

    The name cookies originated from Unix, which were...

  • An ASP.NET Core loading bar with cancellation button using SignalR in 10 minutes

The aim here is to demonstrate the simplest way to use SignalR (ASP.NET Core version) in ASP.NET Core to create a loading bar that will automatically update itself whenever we push the latest progress amount of a long-running task to it through SignalR.

I won’t go into details of every function and class necessary here; it’s just an example...

  • Translating R's poly() output to transform polynomial variable inputs for model prediction in .NET

    When performing a linear regression in R and other stats platforms, polynomial variables are often transformed ‘orthogonally’, rather than raw.

    For example, when trying to find the optimal prediction model, consider the simplified model:

$y = \beta_0 + \beta_1 x + \beta_2 x^2 + \beta_3 x^3 + \cdots + \beta_n x^n$

    We are trying to find how much variance in Y is...

  • Blog move to GitHub Pages

    I’ve moved my blog from my ASP.NET Core site to a static file site hosted with GitHub Pages.

    The main reason - GitHub Pages offers free hosting, and free SSL certificates for custom domains using Let’s Encrypt.

    My ASP.NET Core site hosted on Azure needed a backend database and a non-free App Service plan to allow a custom domain....

  • C# HttpClient Wrapper for Asynchronous REST resources

In a previous post I showed how to use the asynchronous REST pattern to work around the problem of R Plumber only being able to serve one request at a time. Now I’m going to outline an HTTP client wrapper that abstracts the process of issuing the POST create resource request, polling the status of the resource and returning and...

  • Stop EF Core creating expensive Azure SQL Database configurations on start up

    If you’re developing an application that uses Azure SQL Databases for development and testing, you usually just want the bare minimum configuration, the Basic or Standard options, so you don’t waste cash.

    If you’re using EF Core as your ORM and you automatically run migrations on startup, if it doesn’t find the database on the server specified in your connection...

  • A template for handling Asynchronous REST Operations in R Plumber

    Serve concurrent requests with R plumber without creating multiple instances with complex load balancing solutions

The Single-Threading Problem

    R Plumber is great for easily opening your R analytics to other services to access via HTTP. If you’ve got a web application front end that serves analytics results to the client for example, there...

  • Browser Caching Basics

    Browsers cache web content to deliver previously visited pages faster.

This caching can be controlled by the web server with the HTTP header Cache-Control (sometimes also using the header ETag), as explained later.

    If the cache-control header is not set, the browser will use heuristics to determine the length of time to cache the resource, usually 10% of the...

  • New Blog Site

    Hello! I’m Mike, a .NET-oriented developer, and this is my tech blog. I’m not usually the blogging type but as a developer you accumulate so much random knowledge that often gets lost or forgotten - it seemed like it was time to start recording some of it, so I can refer back to it, and if it helps anyone else...