OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - PowerPoint PPT Presentation
Presentation Transcript
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw, @maartenballiauw


Who am I?

  • Maarten Balliauw

  • Technical Evangelist, JetBrains

  • AZUG

  • Focus on web

    • ASP.NET MVC, Windows Azure, SignalR, ...

    • MVP Windows Azure & ASPInsider

  • http://blog.maartenballiauw.be

  • @maartenballiauw

  • Shameless self promotion: Pro NuGet - http://amzn.to/pronuget


Agenda

  • Why would I need an API?

  • API characteristics

  • ASP.NET MVC Web API

  • Windows Azure ACS


Why would I need an API?


Consuming the web

  • 2000-2008: Desktop browser

  • 2008-2012: Mobile browser

  • 2008-2012: iPhone and Android apps

  • 2010-2014: Tablets, tablets, tablets

  • 2014-2016: Your fridge (Internet of Things)



Twitter & Facebook

By show of hands



Make everyone API

(as the French say)


Expose services to 3rd parties

  • Valuable

  • Flexible

  • Managed

  • Supported

  • Have a plan



API Characteristics


What is an API?

  • Software-to-Software interface

  • Contract between software and developers

    • Functionalities, constraints (technical / legal), programming instructions and standards

  • Open services to other software developers (public or private)


Flavours

  • Transport

    • HTTP

    • Sockets

  • Message contract

    • SOAP

    • XML

    • Binary

    • JSON

    • HTML


Technical

  • Most APIs use HTTP and REST extensively

    • Addressing

    • HTTP Verbs

    • Media types

    • HTTP status codes

    • Hypermedia (*)



HTTP Verbs

  • GET – return data (safe and idempotent: a GET must never change state)

  • HEAD – like GET but returns only the headers; check if the data exists

  • POST – create data (or any other non-idempotent change)

  • PUT – create or fully replace the data at a known URI (idempotent)

  • MERGE – merge values with existing data (an OData verb; plain HTTP uses PATCH, RFC 5789)

  • DELETE – delete data


Status codes

  • 200 OK – Everything is OK, your expected data is in the response.

  • 401 Unauthorized – No (valid) credentials were sent; log in or present a token and retry. Despite the name, "authenticated but not allowed" is 403 Forbidden.

  • 404 Not Found – The resource could not be found (also the right answer when you don't want to reveal that it exists).

  • 500 Internal Server Error – The server failed processing your request; log the exception, don't return it to the client.




Be detailed!

Remember the RFC!

Think RFC2324!



ASP.NET Web API

  • Part of ASP.NET MVC 4

  • Framework to build HTTP services (REST)

  • Solid features

    • Modern HTTP programming model

    • Content negotiation (e.g. xml, json, ...)

    • Query composition (OData query support)

    • Model binding and validation (conversion to .NET objects)

    • Routes

    • Filters (e.g. Validation, exception handling, ...)

    • And more!


ASP.NET Web API is easy!

  • HTTP Verb = action

  • “Content-type” header = data format in

  • “Accept” header = data format out

  • Return meaningful status code
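The four bullets above, as an added example that is not part of the slides or the demo: one ASP.NET Web API controller in which each HTTP verb is an action, the request body format follows Content-Type, the response format follows Accept (Web API's content negotiation, no code needed), and every outcome is a meaningful status code. It assumes Web API 2 (IHttpActionResult, attribute routing enabled with config.MapHttpAttributeRoutes()) rather than the MVC 4 era bits on the slide; the Coffee model and in-memory store are invented.

```csharp
// Added example, not from the presentation. Assumes ASP.NET Web API 2 with attribute routing.
using System;
using System.Collections.Concurrent;
using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Threading;
using System.Web.Http;

public class Coffee
{
    public int Id { get; set; }

    [Required, StringLength(50)]
    public string Name { get; set; }

    [Range(0, 1000)]
    public int Strength { get; set; }
}

[RoutePrefix("api/coffees")]
public class CoffeesController : ApiController
{
    // Hypothetical in-memory store; a real API would use a repository.
    private static readonly ConcurrentDictionary<int, Coffee> Store = new ConcurrentDictionary<int, Coffee>();
    private static int _nextId;

    // GET api/coffees -> 200 with the collection, serialized as JSON or XML according to Accept.
    [HttpGet, Route("")]
    public IHttpActionResult GetAll()
    {
        return Ok(Store.Values);
    }

    // GET api/coffees/5 -> 200 with the item, 404 when it does not exist.
    [HttpGet, Route("{id:int}", Name = "GetCoffee")]
    public IHttpActionResult Get(int id)
    {
        Coffee coffee;
        return Store.TryGetValue(id, out coffee) ? (IHttpActionResult)Ok(coffee) : NotFound();
    }

    // POST api/coffees -> 201 Created plus a Location header; 400 when validation fails.
    // The body is parsed according to Content-Type (JSON, XML, form-urlencoded) and bound to Coffee.
    [HttpPost, Route("")]
    public IHttpActionResult Create(Coffee coffee)
    {
        if (coffee == null || !ModelState.IsValid)
            return BadRequest(ModelState);   // the validation attributes decide, not the client

        coffee.Id = Interlocked.Increment(ref _nextId);
        Store[coffee.Id] = coffee;
        return CreatedAtRoute("GetCoffee", new { id = coffee.Id }, coffee);
    }

    // PUT api/coffees/5 -> full replacement of an existing resource; idempotent.
    [HttpPut, Route("{id:int}")]
    public IHttpActionResult Replace(int id, Coffee coffee)
    {
        if (coffee == null || !ModelState.IsValid) return BadRequest(ModelState);
        if (!Store.ContainsKey(id)) return NotFound();
        coffee.Id = id;   // the URI identifies the resource, not whatever Id the body carries
        Store[id] = coffee;
        return Ok(coffee);
    }

    // DELETE api/coffees/5 -> 204 No Content; 404 when there was nothing to delete.
    [HttpDelete, Route("{id:int}")]
    public IHttpActionResult Delete(int id)
    {
        Coffee removed;
        return Store.TryRemove(id, out removed) ? StatusCode(HttpStatusCode.NoContent) : NotFound();
    }
}
```

With this in place, `curl -H "Accept: application/xml" /api/coffees` and the same request with `application/json` hit the same action and get differently serialized bodies; a POST with a missing Name comes back as 400 with the validation messages rather than a 500 from a null reference further down.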


Creating an API

using ASP.NET Web API

Demo


Securingyour API

  • No authentication (only defensible for genuinely public, read-only data)

  • Basic/Windows authentication (Basic only over HTTPS, since the password is merely base64-encoded; Windows/NTLM/Kerberos for intranet clients)

  • [Authorize] attribute on controllers or actions, once something has established a principal for the request
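The middle two bullets wired together, as an added example that is not from the slides: a Web API message handler that performs HTTP Basic authentication and sets the request principal, so that a plain [Authorize] attribute then does the access check and unauthenticated callers get a 401 with a proper WWW-Authenticate challenge. Assumptions: Web API 2, TLS terminated in front of the API, and an invented in-memory user table (unsalted SHA-256 here for brevity; use PBKDF2 or bcrypt for real password storage).

```csharp
// Added example, not from the presentation. Register with config.MessageHandlers.Add(new BasicAuthHandler()).
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

public class BasicAuthHandler : DelegatingHandler
{
    // Hypothetical credential store: user name -> SHA-256 of the password (constructed sample data).
    private static readonly Dictionary<string, byte[]> Users = new Dictionary<string, byte[]>
    {
        { "alice", Sha256("correct horse battery staple") }
    };

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && auth.Scheme == "Basic" && auth.Parameter != null)
        {
            string user = TryAuthenticate(auth.Parameter);
            if (user != null)
            {
                var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Basic");
                request.GetRequestContext().Principal = new ClaimsPrincipal(identity);
            }
        }

        // Anonymous requests still flow through; [Authorize] decides whether that is acceptable.
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // Turn the bare 401 from [Authorize] into a real challenge so clients know which scheme to use.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }

    // Returns the user name on success, null on any failure (malformed header, unknown user, wrong password).
    private static string TryAuthenticate(string base64)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(base64)); }
        catch (FormatException) { return null; }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return null;
        string user = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);

        byte[] expected;
        if (!Users.TryGetValue(user, out expected)) return null;
        // Constant-time comparison: a short-circuiting compare leaks how many bytes matched.
        return FixedTimeEquals(Sha256(password), expected) ? user : null;
    }

    private static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Nothing auth-specific is left in the controller: the attribute is the whole access check.
[Authorize]
public class SecretsController : ApiController
{
    public IHttpActionResult Get() { return Ok("hello " + User.Identity.Name); }
}
```

The handler deliberately does not reject requests itself; it only attaches an identity when the credentials are good. That keeps anonymous endpoints working and leaves the allow/deny decision in one place, the [Authorize] attribute (or a derived one that also checks roles or claims).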



The world of API clients is complex

AuthN + AuthZ

Username/password?

Basic auth?

NTLM / Kerberos?

Client certificate?

Shared secret?

Clients

  • HTML5+JS

  • SPA

  • Native apps

  • Server-to-server


A lot of public API’s…

“your API consumer isn’t really your user,but an application acting on behalf of a user”

(or: API consumer != user)



Guest badges

  • Building owner / colleague full-access badge

  • Guest badge

    • Your name on it

    • Limited scope (only 7th floor)

    • Limited validity (onlytoday)


Guest badges

    +--------+                               +---------------+
    |        |--(A)-- Can access tomorrow? ->|   Resource    |
    |        |                               |     Owner     |
    |        |<-(B)-- Sure! Here's invite ---|               |
    |        |                               +---------------+
    |        |
    |        |                               +---------------+
    |        |--(C)------ Was invited! ----->|               |
    | Client |                               |   Reception   |
    |        |<-(D)----- Here's a badge! ----|               |
    |        |        (today; 7th floor)     +---------------+
    |        |
    |        |                               +---------------+
    |        |--(E)------- Show badge ------>|   Resource    |
    |        |                               |     Server    |
    |        |<-(F) Sure you can get coffee! |               |
    +--------+                               +---------------+

And tomorrow, you'll have to refresh your badge!


OAuth2

    +--------+                               +---------------+
    |        |--(A)- Authorization Request ->|   Resource    |
    |        |                               |     Owner     |
    |        |<-(B)-- Authorization Grant ---|               |
    |        |                               +---------------+
    |        |
    |        |                               +---------------+
    |        |--(C)-- Authorization Grant -->| Authorization |
    | Client |                               |     Server    |
    |        |<-(D)----- Access Token -------|               |
    |        |                               +---------------+
    |        |
    |        |                               +---------------+
    |        |--(E)----- Access Token ------>|    Resource   |
    |        |                               |     Server    |
    |        |<-(F)--- Protected Resource ---|               |
    +--------+                               +---------------+

                  Figure 1: Abstract Protocol Flow

http://tools.ietf.org/html/draft-ietf-oauth-v2-31 (the draft was later published as RFC 6749)


Quick side note…

  • The spec defines several grant types (authorization code, implicit, resource owner password credentials, client credentials); these are authorization flows, not authentication of the user

  • Which one you use depends on the type of client (browser app, native app, server-to-server)

  • Variants possible



Access tokens / Refresh tokens

  • In theory: whatever format you want (OAuth2 leaves it open; the token is opaque to the client)

  • Widely used: JWT ("JSON Web Token")

  • Less widely used: SWT ("Simple Web Token")

  • Signed / Encrypted: signed so the resource server can verify the issuer; encrypted only if the claims must also be hidden from the client


JWT (unsigned example, as in the JWT draft)

Header: {"alg":"none"}

Claims: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}

Each part is base64url-encoded and the parts are joined with dots; with "alg":"none" the third part, the signature, is empty. That is fine on a slide, but a resource server must never accept it: a verifier that lets the token's own header pick the algorithm can be bypassed by anyone who strips the signature and writes the claims they want. Pin the expected algorithm and key on the verifying side.
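The verifier side of the token above, as an added example that is not from the slides or any library the talk describes: it checks a compact HS256 JWT with the algorithm fixed by the verifier, a constant-time signature compare and an exp check, and it demonstrates that the same claims under an "alg":"none" header are refused. The signing helper is included only so the sample runs end to end; the key is an invented constant and the claims are the ones on the slide. It uses Json.NET (shipped with Web API) for the JSON parts.

```csharp
// Added example, not from the presentation. Plain .NET plus Newtonsoft.Json.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Newtonsoft.Json;

public static class JwtVerifier
{
    // Decodes and verifies an HS256 compact JWT; returns the claims or throws.
    public static Dictionary<string, object> Verify(string token, byte[] key, DateTime nowUtc)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) throw new ArgumentException("not a compact JWS");

        var header = JsonConvert.DeserializeObject<Dictionary<string, object>>(Encoding.UTF8.GetString(Base64UrlDecode(parts[0])));

        // The verifier, not the token, decides which algorithm is acceptable. Honouring "none"
        // (or any algorithm the attacker names) lets anyone mint tokens with arbitrary claims.
        object alg;
        if (!header.TryGetValue("alg", out alg) || (alg as string) != "HS256")
            throw new CryptographicException("unsupported or missing alg");

        byte[] signingInput = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
        byte[] expected;
        using (var hmac = new HMACSHA256(key)) expected = hmac.ComputeHash(signingInput);
        if (!FixedTimeEquals(expected, Base64UrlDecode(parts[2])))
            throw new CryptographicException("bad signature");

        var claims = JsonConvert.DeserializeObject<Dictionary<string, object>>(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
        object exp;
        if (!claims.TryGetValue("exp", out exp)) throw new CryptographicException("no exp claim");
        DateTime expiry = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(Convert.ToInt64(exp));
        if (nowUtc >= expiry) throw new CryptographicException("token expired");
        return claims;
    }

    // Issuer side, so the example can produce something to verify.
    public static string Sign(string claimsJson, byte[] key)
    {
        string header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        string payload = Base64UrlEncode(Encoding.UTF8.GetBytes(claimsJson));
        byte[] sig;
        using (var hmac = new HMACSHA256(key)) sig = hmac.ComputeHash(Encoding.ASCII.GetBytes(header + "." + payload));
        return header + "." + payload + "." + Base64UrlEncode(sig);
    }

    static string Base64UrlEncode(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static byte[] Base64UrlDecode(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4)
        {
            case 2: t += "=="; break;
            case 3: t += "="; break;
            case 1: throw new FormatException("bad base64url");
        }
        return Convert.FromBase64String(t);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int d = 0;
        for (int i = 0; i < a.Length; i++) d |= a[i] ^ b[i];
        return d == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("replace-with-a-random-256-bit-secret");   // constructed, not a real key
        DateTime now = new DateTime(2011, 3, 22, 0, 0, 0, DateTimeKind.Utc);            // before the slide's exp (1300819380)
        string good = Sign("{\"iss\":\"joe\",\"exp\":1300819380,\"http://some.ns/read\":true}", key);
        Console.WriteLine("issuer: " + Verify(good, key, now)["iss"]);

        // Same claims, header {"alg":"none"}, empty signature: the slide's token, which must be refused.
        string forged = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\"}")) + "." + good.Split('.')[1] + ".";
        try { Verify(forged, key, now); Console.WriteLine("BUG: alg=none accepted"); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Two details carry the security weight: the algorithm check happens before any signature work, so "none" never reaches a code path that treats an empty signature as valid, and the key is chosen by the verifier for that algorithm, so a token cannot downgrade an RS256 deployment to HS256 with the public key as the HMAC secret.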


What you have to implement

  • OAuth authorization server

  • Keep track of supported consumers

  • Keep track of user consent

  • OAuth token expiration & refresh

  • Oh, and your API
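The list above as working code, added here and not from the slides: an in-memory authorization server for the authorization code grant that keeps the three registers the talk names (supported consumers, user consent, token lifetimes) and shows what "expiration & refresh" costs in checks. Every client, user, scope and lifetime is invented; tokens are opaque random strings so the resource server asks the authorization server about them (Introspect) rather than parsing a JWT. Real deployments back the dictionaries with a database and add rate limiting and auditing.

```csharp
// Added example, not from the presentation. Plain .NET, no web framework.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public class TokenResponse
{
    public string AccessToken;
    public string RefreshToken;
    public DateTime ExpiresAt;
}

public class AuthorizationServer
{
    class Client { public string Secret; public string RedirectUri; }
    class Grant { public string ClientId; public string User; public string Scope; }
    class Code : Grant { public string RedirectUri; public DateTime ExpiresAt; }
    class Access : Grant { public DateTime ExpiresAt; }

    // 1. Supported consumers: registered clients with their secret and exact redirect URI.
    readonly Dictionary<string, Client> clients = new Dictionary<string, Client>();
    // 2. User consent: "user|client|scope" triples the resource owner has approved.
    readonly HashSet<string> consent = new HashSet<string>();
    // 3. Outstanding codes and tokens, each with its own lifetime.
    readonly Dictionary<string, Code> codes = new Dictionary<string, Code>();
    readonly Dictionary<string, Access> accessTokens = new Dictionary<string, Access>();
    readonly Dictionary<string, Grant> refreshTokens = new Dictionary<string, Grant>();
    readonly Func<DateTime> now;   // injected clock so expiry is testable

    public AuthorizationServer(Func<DateTime> clock) { now = clock; }

    public void RegisterClient(string id, string secret, string redirectUri)
    {
        clients[id] = new Client { Secret = secret, RedirectUri = redirectUri };
    }

    // (A)/(B): the resource owner approved. Record consent and hand the client a short-lived,
    // single-use code bound to the client and to the redirect_uri it asked for.
    public string Authorize(string clientId, string redirectUri, string user, string scope)
    {
        Client c;
        if (!clients.TryGetValue(clientId, out c) || c.RedirectUri != redirectUri)
            throw new InvalidOperationException("unknown client or redirect_uri");
        consent.Add(user + "|" + clientId + "|" + scope);
        string code = RandomToken();
        codes[code] = new Code { ClientId = clientId, User = user, Scope = scope,
                                 RedirectUri = redirectUri, ExpiresAt = now().AddMinutes(10) };
        return code;
    }

    // (C)/(D): the client authenticates and trades the code for tokens.
    public TokenResponse ExchangeCode(string clientId, string clientSecret, string code, string redirectUri)
    {
        Code issued;
        AuthenticateClient(clientId, clientSecret);
        if (!codes.TryGetValue(code, out issued)) throw new InvalidOperationException("invalid_grant");
        codes.Remove(code);   // single use, even when the checks below fail
        if (issued.ClientId != clientId || issued.RedirectUri != redirectUri || now() > issued.ExpiresAt)
            throw new InvalidOperationException("invalid_grant");
        return Issue(issued);
    }

    // Refresh with rotation: the old refresh token dies, so a stolen copy works at most once,
    // and a grant whose consent was withdrawn cannot be renewed.
    public TokenResponse Refresh(string clientId, string clientSecret, string refreshToken)
    {
        Grant g;
        AuthenticateClient(clientId, clientSecret);
        if (!refreshTokens.TryGetValue(refreshToken, out g) || g.ClientId != clientId)
            throw new InvalidOperationException("invalid_grant");
        refreshTokens.Remove(refreshToken);
        if (!consent.Contains(g.User + "|" + g.ClientId + "|" + g.Scope))
            throw new InvalidOperationException("consent revoked");
        return Issue(g);
    }

    public void RevokeConsent(string user, string clientId, string scope)
    {
        consent.Remove(user + "|" + clientId + "|" + scope);
    }

    // (E): what the resource server asks about a bearer token it was handed.
    public bool Introspect(string accessToken, out string user, out string scope)
    {
        Access a;
        user = scope = null;
        if (!accessTokens.TryGetValue(accessToken, out a) || now() >= a.ExpiresAt) return false;
        user = a.User; scope = a.Scope;
        return true;
    }

    void AuthenticateClient(string clientId, string clientSecret)
    {
        Client c;
        if (!clients.TryGetValue(clientId, out c) || !FixedTimeEquals(c.Secret, clientSecret))
            throw new InvalidOperationException("invalid_client");
    }

    TokenResponse Issue(Grant g)
    {
        var r = new TokenResponse { AccessToken = RandomToken(), RefreshToken = RandomToken(), ExpiresAt = now().AddMinutes(15) };
        accessTokens[r.AccessToken] = new Access { ClientId = g.ClientId, User = g.User, Scope = g.Scope, ExpiresAt = r.ExpiresAt };
        refreshTokens[r.RefreshToken] = new Grant { ClientId = g.ClientId, User = g.User, Scope = g.Scope };
        return r;
    }

    static string RandomToken()
    {
        var b = new byte[32];   // 256 bits from the OS CSPRNG: unguessable, no structure to forge
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return Convert.ToBase64String(b);
    }

    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int d = 0;
        for (int i = 0; i < a.Length; i++) d |= a[i] ^ b[i];
        return d == 0;
    }
}
```

A typical run: RegisterClient("app", secret, "https://app.example/cb") (constructed values), Authorize("app", "https://app.example/cb", "joe", "read") as step (B), ExchangeCode with the same code and redirect_uri as (C)/(D), then Introspect on the access token from the resource server as (E); presenting the same code twice, or the old refresh token after a Refresh, raises invalid_grant. Every one of these registers is what the ACS section below proposes to host for you.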


Windows Azure Access Control Service


ACS - Identity in Windows Azure

  • Active Directory federation

  • Graph API

  • Web SSO

  • Link apps to identity providers using rules

  • Support WS-Security, WS-Federation, SAML

  • Little known feature: OAuth2 delegation


OAuth flow using ACS



OAuth2 delegation?

  • You: OAuth authorization server

  • ACS: Keep track of supported consumers

  • ACS: Keep track of user consent

  • ACS: OAuth token expiration & refresh

  • You: Your API



Key takeaways

  • APIs are the new apps

  • Valuable

  • HTTP

  • ASP.NET Web API

  • OAuth2

  • Windows Azure Access Control Service


Thank you!

http://blog.maartenballiauw.be

@maartenballiauw

http://amzn.to/pronuget

