OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
Maarten Balliauw (@maartenballiauw), Technical Evangelist, JetBrains; AZUG; focus on web (ASP.NET MVC, Windows Azure, SignalR, ...); MVP Windows Azure & ASPInsider.

Presentation Transcript


OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw, @maartenballiauw


Who am I?

  • Maarten Balliauw

  • Technical Evangelist, JetBrains

  • AZUG

  • Focus on web

    • ASP.NET MVC, Windows Azure, SignalR, ...

    • MVP Windows Azure & ASPInsider

  • http://blog.maartenballiauw.be

  • @maartenballiauw

  • Shameless self promotion: Pro NuGet - http://amzn.to/pronuget


Agenda

  • Why would I need an API?

  • API characteristics

  • ASP.NET MVC Web API

  • Windows Azure ACS


Why would I need an API?


Consuming the web

  • 2000-2008: Desktop browser

  • 2008-2012: Mobile browser

  • 2008-2012: iPhone and Android apps

  • 2010-2014: Tablets, tablets, tablets

  • 2014-2016: Your fridge (Internet of Things)


Twitter & Facebook

By show of hands


Make everyone API

(as the French say)


Expose services to 3rd parties

  • Valuable

  • Flexible

  • Managed

  • Supported

  • Have a plan


API Characteristics


What is an API?

  • Software-to-Software interface

  • Contract between software and developers

    • Functionalities, constraints (technical / legal)

    • Programming instructions and standards

  • Open services to other software developers (public or private)


Flavours

  • Transport

    • HTTP

    • Sockets

  • Message contract

    • SOAP

    • XML

    • Binary

    • JSON

    • HTML


Technical

  • Most APIs use HTTP and REST extensively

    • Addressing

    • HTTP Verbs

    • Media types

    • HTTP status codes

    • Hypermedia (*)


The Web is an API

Demo


HTTP Verbs

  • GET – return data (safe: no side effects)

  • HEAD – like GET but headers only; check if the data exists

  • POST – create or update data (not idempotent)

  • PUT – create or replace the data at a known URI (idempotent)

  • MERGE – merge values with existing data (OData's verb; standard HTTP uses PATCH)

  • DELETE – delete data


Status codes

  • 200 OK – Everything is OK, your expected data is in the response.

  • 401 Unauthorized – You have to authenticate first (credentials missing or invalid); the response should carry a WWW-Authenticate header telling the client how.

  • 403 Forbidden – You are authenticated, but not allowed to access the resource.

  • 404 Not Found – The resource could not be found.

  • 500 Internal Server Error – The server failed processing your request.


Hypermedia in action!


Be detailed!

Remember the RFC!

Think RFC2324!


ASP.NET Web API


ASP.NET Web API

  • Part of ASP.NET MVC 4

  • Framework tobuild HTTP Services (REST)

  • Solid features

    • Modern HTTP programming model

    • Content negotiation (e.g. xml, json, ...)

    • Query composition (OData query support)

    • Model binding andvalidation (conversionto .NET objects)

    • Routes

    • Filters (e.g. Validation, exception handling, ...)

    • And more!


ASP.NET Web API is easy!

  • HTTP Verb = action

  • “Content-type” header = data format in

  • “Accept” header = data format out

  • Return meaningful status code
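The verb-to-action mapping, content negotiation and status codes described above, as an added example that is not code from the slides. The `Coffee` resource type, the `CoffeeController` and its in-memory store are hypothetical; the Web API calls (`ApiController`, `Request.CreateResponse`, `Request.CreateErrorResponse`, `Url.Link`, `MapHttpRoute`) are the framework's own.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Web.Http;

// Added example, not from the slides. Hypothetical resource type.
public class Coffee
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int SizeMl { get; set; }
}

// Web API selects the action by verb: Get*, Post*, Put*, Delete*.
// The Accept header picks the output formatter (JSON, XML, ...); the Content-Type header
// picks the formatter that binds the request body to the Coffee parameter.
public class CoffeeController : ApiController
{
    // Hypothetical in-memory store standing in for a repository.
    private static readonly ConcurrentDictionary<int, Coffee> Store = new ConcurrentDictionary<int, Coffee>();
    private static int _nextId;

    // GET api/coffee/5 -> 200 with the resource, 404 if it does not exist
    public HttpResponseMessage Get(int id)
    {
        Coffee coffee;
        if (!Store.TryGetValue(id, out coffee))
            return Request.CreateErrorResponse(HttpStatusCode.NotFound, "No such coffee.");
        return Request.CreateResponse(HttpStatusCode.OK, coffee);
    }

    // POST api/coffee -> 201 Created with a Location header, 400 on an invalid body
    public HttpResponseMessage Post(Coffee coffee)
    {
        if (coffee == null || string.IsNullOrWhiteSpace(coffee.Name) || coffee.SizeMl <= 0)
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, "Name and a positive SizeMl are required.");

        coffee.Id = Interlocked.Increment(ref _nextId);
        Store[coffee.Id] = coffee;

        HttpResponseMessage response = Request.CreateResponse(HttpStatusCode.Created, coffee);
        response.Headers.Location = new Uri(Url.Link("DefaultApi", new { id = coffee.Id }));
        return response;
    }

    // PUT api/coffee/5 -> 204 No Content after replacing the resource (idempotent), 404 if unknown
    public HttpResponseMessage Put(int id, Coffee coffee)
    {
        if (coffee == null || !Store.ContainsKey(id))
            return Request.CreateErrorResponse(HttpStatusCode.NotFound, "No such coffee.");
        coffee.Id = id;
        Store[id] = coffee;
        return Request.CreateResponse(HttpStatusCode.NoContent);
    }

    // DELETE api/coffee/5 -> 204 No Content, 404 if unknown
    public HttpResponseMessage Delete(int id)
    {
        Coffee removed;
        return Store.TryRemove(id, out removed)
            ? Request.CreateResponse(HttpStatusCode.NoContent)
            : Request.CreateErrorResponse(HttpStatusCode.NotFound, "No such coffee.");
    }
}

// Route registration, called from Application_Start in an MVC 4 project.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}
```

A request such as `GET /api/coffee/1` with `Accept: application/json` gets JSON back; the same request with `Accept: application/xml` gets XML, without any change to the controller.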


Creating an API

using ASP.NET Web API

Demo


Securing your API

  • No authentication

  • Basic/Windows authentication

  • [Authorize] attribute
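Basic authentication combined with the [Authorize] attribute, as an added example that is not code from the slides. The handler, the realm name and the single hard-coded credential are hypothetical stand-ins for a real user store; `DelegatingHandler`, `AuthenticationHeaderValue` and `AuthorizeAttribute` are the framework's.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Added example (not from the slides): HTTP Basic authentication as a Web API message handler,
// with [Authorize] doing the authorization check. Register it with
//   config.MessageHandlers.Add(new BasicAuthHandler());
public class BasicAuthHandler : DelegatingHandler
{
    private const string Realm = "coffee-api"; // hypothetical realm name

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        string user;
        if (auth != null
            && "Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)
            && TryValidate(auth.Parameter, out user))
        {
            // [Authorize] in MVC 4 reads Thread.CurrentPrincipal; under IIS also set HttpContext.User
            // so the host does not overwrite the principal later in the pipeline.
            var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new[] { "user" });
            Thread.CurrentPrincipal = principal;
            if (System.Web.HttpContext.Current != null)
                System.Web.HttpContext.Current.User = principal;
        }
        // No valid credentials: the request stays anonymous and [Authorize] answers 401.

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // A 401 without a challenge header is not a proper Basic challenge; add one.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(
                new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\""));
        return response;
    }

    // Decodes "user:password" from the base64 parameter and checks it.
    private static bool TryValidate(string parameter, out string user)
    {
        user = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        string name = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);

        // Constructed credential for the example. A real store compares a salted password hash,
        // never a plaintext string, and Basic auth itself is only acceptable over HTTPS because
        // the password travels with every request.
        if (name == "alice" && password == "correct horse battery staple")
        {
            user = name;
            return true;
        }
        return false;
    }
}

// Every action requires an authenticated principal; anonymous calls get 401 + WWW-Authenticate.
[Authorize]
public class OrdersController : ApiController
{
    public string Get()
    {
        return "Orders for " + User.Identity.Name;
    }
}
```

The handler only establishes who the caller is (authentication); [Authorize] decides whether an unauthenticated caller may reach the action (authorization). Keeping the two apart is what makes it possible to swap Basic for a token scheme later without touching the controllers.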


Securing your API


The world of API clients is complex

AuthN + AuthZ

Username/password?

Basic auth?

NTLM / Kerberos?

Client certificate?

Shared secret?

Clients

  • HTML5+JS

  • SPA

  • Native apps

  • Server-to-server


A lot of public APIs…

“your API consumer isn’t really your user,but an application acting on behalf of a user”

(or: API consumer != user)


OAuth2


Guest badges

  • Building owner / colleague full-access badge

  • Guest badge

    • Your name on it

    • Limited scope (only 7th floor)

    • Limited validity (onlytoday)


Guest badges

     +--------+                               +---------------+
     |        |--(A)-- Can access tomorrow? ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)- Sure! Here's invite ----|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)----- Was invited! ------>|               |
     | Client |                               |   Reception   |
     |        |<-(D)---- Here's a badge! -----|               |
     |        |        (today; 7th floor)     +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)------ Show badge ------->|   Resource    |
     |        |                               |     Server    |
     |        |<-(F) Sure you can get coffee! |               |
     +--------+                               +---------------+

And tomorrow, you'll have to refresh your badge!


OAuth2

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

                     Figure 1: Abstract Protocol Flow

http://tools.ietf.org/html/draft-ietf-oauth-v2-31


Quick side note…

  • There are 3 major authorization flows (grant types)

  • Based on type of client

  • Variants possible
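Steps (A) to (C) of the abstract flow as seen from a web-application client using the authorization code grant, as an added example that is not code from the slides. It is written as pure functions with no network I/O so it can be exercised offline; the authorization endpoint, client_id and redirect_uri values a caller passes in are hypothetical. What the figure leaves implicit, and what this example adds, is the `state` parameter that ties the callback in (B) to the browser session that started (A).

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Web;

// Added example (not from the slides): client side of the authorization code grant.
public class AuthorizationCodeClient
{
    private readonly string _authorizeEndpoint;
    private readonly string _clientId;
    private readonly string _redirectUri;

    // All three values are supplied by the caller; the example assumes nothing about a real server.
    public AuthorizationCodeClient(string authorizeEndpoint, string clientId, string redirectUri)
    {
        _authorizeEndpoint = authorizeEndpoint;
        _clientId = clientId;
        _redirectUri = redirectUri;
    }

    // Unguessable per-login value, kept in the user's session and echoed back by the
    // authorization server. It binds the callback to the session that started the flow, so an
    // attacker cannot splice their own authorization code into a victim's session (login CSRF).
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // (A) Authorization request: redirect the user agent here; the resource owner logs in and consents.
    public string BuildAuthorizationUrl(string state, string scope)
    {
        return _authorizeEndpoint
            + "?response_type=code"
            + "&client_id=" + Uri.EscapeDataString(_clientId)
            + "&redirect_uri=" + Uri.EscapeDataString(_redirectUri)
            + "&scope=" + Uri.EscapeDataString(scope)
            + "&state=" + Uri.EscapeDataString(state);
    }

    // (B) Authorization grant arrives as ?code=...&state=... on redirect_uri.
    // Refuse it unless state matches what this session issued.
    public string ExtractCode(string callbackQuery, string expectedState)
    {
        NameValueCollection q = HttpUtility.ParseQueryString(callbackQuery);
        if (!string.IsNullOrEmpty(q["error"]))
            throw new InvalidOperationException("Authorization failed: " + q["error"]);
        if (q["state"] == null || !FixedTimeEquals(q["state"], expectedState))
            throw new InvalidOperationException("state mismatch: callback did not originate from this session.");
        if (string.IsNullOrEmpty(q["code"]))
            throw new InvalidOperationException("No authorization code in callback.");
        return q["code"];
    }

    // (C) Body of the POST to the token endpoint, sent server-side together with the client
    // secret (never from the browser). redirect_uri is repeated so the server can verify it
    // equals the one used in (A); the response (D) carries the access token.
    public IDictionary<string, string> BuildTokenRequest(string code)
    {
        return new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", _redirectUri },
            { "client_id", _clientId },
        };
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Usage: call `NewState()` when the login starts and keep the value in the user's session, redirect to `BuildAuthorizationUrl(state, scope)`, and on the callback pass `Request.Url.Query` and the stored state to `ExtractCode` before posting `BuildTokenRequest(code)` plus the client secret to the token endpoint. A callback whose state does not match is dropped, whatever code it carries.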


On the web…


Access tokens / Refresh tokens

  • In theory: whatever format you want

  • Widely used: JWT (“JSON Web Token”)

  • Less widely used: SWT (“Simple Web Token”)

  • Signed / Encrypted


JWT

Header: {"alg":"none"}

Claims (payload): {"iss":"joe",
                   "exp":1300819380,
                   "http://some.ns/read":true}

Note: "alg":"none" means the token carries no signature at all. A resource server must reject such tokens (and must not let the header choose the verification algorithm), otherwise anyone can mint a token with whatever claims they like.


What you have to implement

  • OAuth authorization server

  • Keep track of supported consumers

  • Keep track of user consent

  • OAuth token expiration & refresh

  • Oh, and your API
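Issuing and validating an HS256-signed JWT with the claims shown on the JWT slide (iss, exp and the "http://some.ns/read" scope), covering the token expiration item in the list above, as an added example that is not code from the slides or from any library. The symmetric key and the issuer name are constructed for the example. The order of checks is the point: pin the algorithm (so an {"alg":"none"} token is refused), verify the signature, and only then read exp and the scope.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Web.Script.Serialization;

// Added example, not from the slides: hand-rolled compact JWT (header.payload.signature), HS256 only.
public static class JwtExample
{
    private static readonly JavaScriptSerializer Json = new JavaScriptSerializer();
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static string Issue(string issuer, DateTime expiresUtc, string scope, byte[] key)
    {
        string header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        var claims = new Dictionary<string, object>
        {
            { "iss", issuer },
            { "exp", (long)(expiresUtc - Epoch).TotalSeconds },
            { scope, true },
        };
        string payload = Base64UrlEncode(Encoding.UTF8.GetBytes(Json.Serialize(claims)));
        string signingInput = header + "." + payload;
        return signingInput + "." + Base64UrlEncode(Hmac(key, signingInput));
    }

    public static Dictionary<string, object> Validate(string token, byte[] key, string expectedIssuer, string requiredScope)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) throw new SecurityException("Rejected: expected header.payload.signature.");

        // 1. Pin the algorithm. The header is attacker-controlled until the signature is verified, so a
        //    validator that switches on "alg" would accept {"alg":"none"} with an empty signature.
        var header = Json.Deserialize<Dictionary<string, object>>(Encoding.UTF8.GetString(Base64UrlDecode(parts[0])));
        object alg;
        if (!header.TryGetValue("alg", out alg) || !"HS256".Equals(alg as string, StringComparison.Ordinal))
            throw new SecurityException("Rejected: alg must be HS256, got " + (alg ?? "(missing)") + ".");

        // 2. Verify HMAC-SHA256 over the exact ASCII bytes of "header.payload", in constant time.
        byte[] expected = Hmac(key, parts[0] + "." + parts[1]);
        if (!FixedTimeEquals(expected, Base64UrlDecode(parts[2])))
            throw new SecurityException("Rejected: bad signature.");

        // 3. Only now trust the claims: issuer, expiry, and the scope this API action needs.
        var claims = Json.Deserialize<Dictionary<string, object>>(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
        object iss, exp, scope;
        if (!claims.TryGetValue("iss", out iss) || !expectedIssuer.Equals(iss as string, StringComparison.Ordinal))
            throw new SecurityException("Rejected: unexpected issuer.");
        if (!claims.TryGetValue("exp", out exp) || DateTime.UtcNow >= Epoch.AddSeconds(Convert.ToInt64(exp)))
            throw new SecurityException("Rejected: exp missing or token expired.");
        if (!claims.TryGetValue(requiredScope, out scope) || !(scope is bool) || !(bool)scope)
            throw new SecurityException("Rejected: token does not grant " + requiredScope + ".");
        return claims;
    }

    private static byte[] Hmac(byte[] key, string signingInput)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string Base64UrlEncode(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        if (b64.Length % 4 == 1) throw new FormatException("Invalid base64url length.");
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse-0123456789"); // constructed
        const string scope = "http://some.ns/read";

        string good = Issue("joe", DateTime.UtcNow.AddMinutes(5), scope, key);
        Console.WriteLine("valid token accepted, claims: " + Validate(good, key, "joe", scope).Count);

        // Forgery attempt: same claims, header switched to {"alg":"none"}, signature dropped.
        string forged = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\"}")) + "." + good.Split('.')[1] + ".";
        try { Validate(forged, key, "joe", scope); }
        catch (SecurityException e) { Console.WriteLine("forged token: " + e.Message); }
    }
}
```

The same validator, with the key replaced by the public key of the token issuer and HS256 by an asymmetric algorithm, is what a resource server runs on every `Authorization: Bearer` header; the scope check is where the "limited scope (only 7th floor)" of the guest badge becomes an actual access decision.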


Windows Azure Access Control Service


ACS - Identity in Windows Azure

  • Active Directory federation

  • Graph API

  • Web SSO

  • Link apps to identity providers using rules

  • Support WS-Security, WS-Federation, SAML

  • Little known feature: OAuth2 delegation


OAuth flow using ACS


ASP.NET Web API, OAuth2, Windows Azure ACS


OAuth2 delegation?

  • You: OAuth authorization server

  • ACS: Keep track of supported consumers

  • ACS: Keep track of user consent

  • ACS: OAuth token expiration & refresh

  • You: Your API


Conclusion


Keytakeaways

  • APIs are the new apps

  • Valuable

  • HTTP

  • ASP.NET Web API

  • OAuth2

  • Windows Azure Access Control Service


http://blog.maartenballiauw.be

@maartenballiauw

Thankyou!

http://amzn.to/pronuget

