OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw
@maartenballiauw


Who am I?

  • Maarten Balliauw

  • Technical Evangelist, JetBrains

  • AZUG

  • Focus on web

    • ASP.NET MVC, Windows Azure, SignalR, ...

    • MVP Windows Azure & ASPInsider

  • http://blog.maartenballiauw.be

  • @maartenballiauw

  • Shameless self promotion: Pro NuGet - http://amzn.to/pronuget


Agenda

  • Why would I need an API?

  • API characteristics

  • ASP.NET MVC Web API

  • Windows Azure ACS


Why would I need an API?


Consuming the web

  • 2000-2008: Desktop browser

  • 2008-2012: Mobile browser

  • 2008-2012: iPhone and Android apps

  • 2010-2014: Tablets, tablets, tablets

  • 2014-2016: Your fridge (Internet of Things)


Twitter & Facebook

By show of hands


Make everyone API

(as the French say)


Expose services to 3rd parties

  • Valuable

  • Flexible

  • Managed

  • Supported

  • Have a plan


API Characteristics


What is an API?

  • Software-to-Software interface

  • Contract between software and developers

    • Functionalities, constraints (technical / legal), programming instructions and standards

  • Open services to other software developers (public or private)


Flavours

  • Transport

    • HTTP

    • Sockets

  • Message contract

    • SOAP

    • XML

    • Binary

    • JSON

    • HTML


Technical

  • Most APIs use HTTP and REST extensively

    • Addressing

    • HTTP Verbs

    • Media types

    • HTTP status codes

    • Hypermedia (*)


The Web is an API

Demo


HTTP Verbs

  • GET – return data (safe: no side effects, so responses can be cached)

  • HEAD – same as GET but returns only the headers; use it to check whether the data exists

  • POST – create data, or any operation that is not safe to repeat; the server chooses the new resource's URI

  • PUT – create or fully replace the data at the URI you name (idempotent: repeating it gives the same result)

  • MERGE – merge values with existing data (an OData-specific verb; plain HTTP uses PATCH for partial updates)

  • DELETE – delete data (idempotent)


Status codes

  • 200 OK – Everything is OK, your expected data is in the response.

  • 401 Unauthorized – Authentication is missing or invalid: the client has to log in, and the response should carry a WWW-Authenticate header saying how. A caller who is authenticated but not allowed to access the resource should get 403 Forbidden instead.

  • 404 Not Found – The resource could not be found.

  • 500 Internal Server Error – The server failed processing your request.


Hypermedia in action!


Be detailed!

Remember the RFC!

Think RFC2324!


ASP.NET Web API

ASP.NET Web API

  • Part of ASP.NET MVC 4

  • Framework to build HTTP Services (REST)

  • Solid features

    • Modern HTTP programming model

    • Content negotiation (e.g. xml, json, ...)

    • Query composition (OData query support)

    • Model binding and validation (conversion to .NET objects)

    • Routes

    • Filters (e.g. Validation, exception handling, ...)

    • And more!


ASP.NET Web API is easy!

  • HTTP Verb = action

  • “Content-type” header = data format in

  • “Accept” header = data format out

  • Return meaningful status code


Creating an API

using ASP.NET Web API

Demo


Securing your API

  • No authentication

  • Basic/Windows authentication

  • [Authorize] attribute
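The two slides above (verb selects the action, Content-Type and Accept select the formatters, meaningful status codes, and [Authorize] on top) in one piece of code. This is an added example, not code from the deck: a Web API 1.x (ASP.NET MVC 4, System.Web.Http) controller plus the message handler that [Authorize] needs, because [Authorize] only checks the principal already attached to the request; something has to authenticate the caller first. Basic authentication is used here because the slide lists it. `Coffee`, `CoffeesController`, `BasicAuthenticationHandler` and the credential table are hypothetical; the route name "DefaultApi" is the one the MVC 4 project template registers in WebApiConfig.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http;

public class Coffee { public int Id { get; set; } public string Name { get; set; } }  // hypothetical model

public class CoffeesController : ApiController
{
    // Constructed in-memory store for the example; a real API would use a repository.
    private static readonly List<Coffee> Store = new List<Coffee>
    {
        new Coffee { Id = 1, Name = "Espresso" }, new Coffee { Id = 2, Name = "Latte" }
    };

    // GET api/coffees -> 200; the Accept header decides whether JSON or XML comes back.
    public IEnumerable<Coffee> GetAll()
    {
        return Store;
    }

    // GET api/coffees/5 -> 200 with the item, 404 when there is no such resource.
    public Coffee GetById(int id)
    {
        var coffee = Store.FirstOrDefault(c => c.Id == id);
        if (coffee == null) throw new HttpResponseException(HttpStatusCode.NotFound);
        return coffee;
    }

    // POST api/coffees -> 201 Created plus a Location header; the body is parsed per Content-Type.
    // [Authorize] answers 401 when no authenticated principal is attached to the request.
    [Authorize]
    public HttpResponseMessage Post(Coffee coffee)
    {
        if (coffee == null || !ModelState.IsValid)
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
        coffee.Id = Store.Max(c => c.Id) + 1;
        Store.Add(coffee);
        var response = Request.CreateResponse(HttpStatusCode.Created, coffee);
        response.Headers.Location = new Uri(Url.Link("DefaultApi", new { id = coffee.Id }));
        return response;
    }
}

// Establishes the principal that [Authorize] checks. Basic auth only base64-encodes
// user:password, so this handler refuses to authenticate anything that did not arrive over TLS.
public class BasicAuthenticationHandler : DelegatingHandler
{
    // Constructed credential table for the example; production code verifies against stored password hashes.
    private static readonly Dictionary<string, string> Users =
        new Dictionary<string, string> { { "alice", "correct horse battery staple" } };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (request.RequestUri.Scheme == Uri.UriSchemeHttps && auth != null
            && auth.Scheme == "Basic" && !string.IsNullOrEmpty(auth.Parameter))
        {
            var user = TryAuthenticate(auth.Parameter);
            if (user != null)
            {
                var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
                Thread.CurrentPrincipal = principal;                                      // what [Authorize] reads
                if (HttpContext.Current != null) HttpContext.Current.User = principal;  // when hosted in IIS
            }
        }

        var response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized)   // tell the client how to log in
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }

    private static string TryAuthenticate(string parameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return null; }
        var parts = decoded.Split(new[] { ':' }, 2);               // the password itself may contain ':'
        string expected;
        if (parts.Length != 2 || !Users.TryGetValue(parts[0], out expected)) return null;
        return string.Equals(expected, parts[1], StringComparison.Ordinal) ? parts[0] : null;
    }
}
```

Register the handler once in App_Start/WebApiConfig.cs with `config.MessageHandlers.Add(new BasicAuthenticationHandler());`. Note that Web API 1 does not add a WWW-Authenticate header to the 401 that [Authorize] produces; the handler adds it on the way out so that clients know which scheme to use.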


Securing your API


The world of API clients is complex

AuthN + AuthZ

Username/password?

Basic auth?

NTLM / Kerberos?

Client certificate?

Shared secret?

Clients

  • HTML5+JS

  • SPA

  • Native apps

  • Server-to-server


A lot of public APIs…

“your API consumer isn’t really your user,but an application acting on behalf of a user”

(or: API consumer != user)


OAuth2


Guest badges

  • Building owner / colleague full-access badge

  • Guest badge

    • Your name on it

    • Limited scope (only 7th floor)

    • Limited validity (only today)


Guest badges

     +--------+                               +---------------+
     |        |--(A)-- Can access tomorrow?-->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)- Sure! Here’s invite ----|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)----- Was invited! ------>|               |
     | Client |                               |   Reception   |
     |        |<-(D)---- Here’s a badge! -----|               |
     |        |          (today; 7th floor)   +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)------ Show badge ------->|   Resource    |
     |        |                               |     Server    |
     |        |<-(F) Sure you can get coffee! |               |
     +--------+                               +---------------+

     And tomorrow, you’ll have to refresh your badge!


OAuth2

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

                     Figure 1: Abstract Protocol Flow

http://tools.ietf.org/html/draft-ietf-oauth-v2-31 (published as RFC 6749)


Quick side note…

  • OAuth2 defines several authorization flows (grant types): authorization code, implicit, resource owner password credentials and client credentials

  • Which one fits depends on the type of client (server-side web app, browser/JS app, native app, server-to-server)

  • Variants possible


On the web…


Access tokens / Refresh tokens

  • In theory: whatever format you want (the client treats them as opaque strings)

  • Widely used: JWT (“JSON Web Token”)

  • Less widely used: SWT (“Simple Web Token”)

  • Signed / Encrypted, so the resource server can check issuer, scope and expiry without calling the authorization server
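The abstract flow in Figure 1 and the access/refresh token slide, carried through as the authorization code grant of draft-ietf-oauth-v2 / RFC 6749 from the client's side. This is an added example, not code from the deck: it builds the step (A) redirect with an unguessable state value, checks that state when the user comes back (otherwise an attacker can make the client swallow a code of the attacker's choosing), swaps the code for tokens at the token endpoint, and refreshes an access token once it expires. The endpoint URIs, client id and secret are whatever your authorization server issued (for ACS, the endpoints of your namespace) and are passed in by the caller; `OAuth2CodeFlowClient` and `TokenResponse` are hypothetical names. Json.NET, which Web API already depends on, is used to read the token response.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// The fields of a successful token response (RFC 6749 section 5.1).
public class TokenResponse
{
    public string AccessToken { get; set; }
    public string TokenType { get; set; }
    public string RefreshToken { get; set; }   // null when the server issued none
    public DateTime ExpiresAtUtc { get; set; }
}

public class OAuth2CodeFlowClient
{
    private readonly Uri _authorizeEndpoint, _tokenEndpoint, _redirectUri;
    private readonly string _clientId, _clientSecret;
    private readonly HttpClient _http;

    public OAuth2CodeFlowClient(Uri authorizeEndpoint, Uri tokenEndpoint, Uri redirectUri,
                                string clientId, string clientSecret, HttpClient http)
    {
        // Codes, tokens and the client secret travel in these requests: TLS only.
        if (authorizeEndpoint.Scheme != Uri.UriSchemeHttps || tokenEndpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("OAuth2 endpoints must use https");
        _authorizeEndpoint = authorizeEndpoint; _tokenEndpoint = tokenEndpoint; _redirectUri = redirectUri;
        _clientId = clientId; _clientSecret = clientSecret; _http = http;
    }

    // Step (A): an unguessable state value, stored in the user's session and checked on return.
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Step (A): where to send the user's browser (RFC 6749 section 4.1.1).
    public Uri BuildAuthorizationUri(string scope, string state)
    {
        var builder = new UriBuilder(_authorizeEndpoint);
        builder.Query = "response_type=code"
            + "&client_id=" + Uri.EscapeDataString(_clientId)
            + "&redirect_uri=" + Uri.EscapeDataString(_redirectUri.ToString())
            + "&scope=" + Uri.EscapeDataString(scope)
            + "&state=" + Uri.EscapeDataString(state);
        return builder.Uri;
    }

    // Steps (B)-(D): the browser comes back to redirect_uri with ?code=...&state=...;
    // only after the state matches is the code exchanged at the token endpoint (section 4.1.3).
    public Task<TokenResponse> ExchangeCodeAsync(string code, string returnedState, string expectedState)
    {
        if (string.IsNullOrEmpty(expectedState) || returnedState != expectedState)
            throw new InvalidOperationException("state mismatch: possible CSRF, discard the code");
        return PostTokenRequestAsync(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", _redirectUri.ToString() }   // must equal the value sent in step (A)
        });
    }

    // "And tomorrow, you'll have to refresh your badge": section 6 of RFC 6749.
    public Task<TokenResponse> RefreshAsync(string refreshToken)
    {
        return PostTokenRequestAsync(new Dictionary<string, string>
        {
            { "grant_type", "refresh_token" },
            { "refresh_token", refreshToken }
        });
    }

    private async Task<TokenResponse> PostTokenRequestAsync(Dictionary<string, string> form)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint);
        // The client authenticates itself with HTTP Basic (RFC 6749 section 2.3.1).
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.UTF8.GetBytes(_clientId + ":" + _clientSecret)));
        request.Content = new FormUrlEncodedContent(form);

        var response = await _http.SendAsync(request);
        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        if (!response.IsSuccessStatusCode)                      // section 5.2: {"error": "..."}
            throw new InvalidOperationException("token endpoint returned " + (string)json["error"]);

        return new TokenResponse
        {
            AccessToken  = (string)json["access_token"],
            TokenType    = (string)json["token_type"],
            RefreshToken = (string)json["refresh_token"],
            ExpiresAtUtc = DateTime.UtcNow.AddSeconds((double?)json["expires_in"] ?? 0)
        };
    }
}
```

The server-side authorization endpoint (login page, consent screen, code issuance) is the part the deck later hands to ACS; this client works against any authorization server that implements the code grant, and a refresh token must be stored as carefully as the user's password, because it yields new access tokens without the user being present.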


JWT

Header: {"alg":"none"}

Claims (payload): {"iss":"joe",
                   "exp":1300819380,
                   "http://some.ns/read":true}

(This is the unsigned example from the JWT specification: "alg":"none" means there is no signature at all. A resource server must decide up front which algorithm and key it accepts and reject everything else, "none" included, instead of trusting the alg field inside the token.)
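What validating a signed token looks like, as an added example rather than code from the deck: HMAC-SHA256 (JWS "HS256") issuance and verification of the claims shown on the slide, with the algorithm pinned by the verifier. The `Demo` method signs the slide's claims, validates the result, and then shows that the same claims under the slide's {"alg":"none"} header are refused. The key is constructed for the example; `Hs256Jwt` is a hypothetical name. Json.NET is used for the JSON parts.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using Newtonsoft.Json.Linq;

public static class Hs256Jwt
{
    private static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // base64url as JWS uses it: no padding, '-' and '_' instead of '+' and '/'.
    public static string Base64UrlEncode(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static byte[] Base64UrlDecode(string s)
    {
        var padded = s.Replace('-', '+').Replace('_', '/');
        switch (padded.Length % 4)
        {
            case 2: padded += "=="; break;
            case 3: padded += "="; break;
            case 1: throw new FormatException("illegal base64url length");
        }
        return Convert.FromBase64String(padded);
    }

    // Issue header.payload.signature, signing the first two parts with HMAC-SHA256.
    public static string Sign(JObject claims, byte[] key)
    {
        var header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        var payload = Base64UrlEncode(Encoding.UTF8.GetBytes(claims.ToString(Newtonsoft.Json.Formatting.None)));
        var signingInput = header + "." + payload;
        using (var hmac = new HMACSHA256(key))
            return signingInput + "." + Base64UrlEncode(hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput)));
    }

    // Verify: the accepted algorithm is fixed here, never read from the token.
    public static JObject Validate(string token, byte[] key, string expectedIssuer, DateTime nowUtc)
    {
        var parts = token.Split('.');
        if (parts.Length != 3) throw new SecurityException("expected three dot-separated parts");

        var header = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[0])));
        // {"alg":"none"} (or any other algorithm) stops here; honouring the token's own alg
        // would let a forger switch the signature check off.
        if ((string)header["alg"] != "HS256")
            throw new SecurityException("unexpected alg: " + (string)header["alg"]);

        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
        if (!FixedTimeEquals(expected, Base64UrlDecode(parts[2])))
            throw new SecurityException("bad signature");

        // Only now are the claims trusted enough to look at.
        var claims = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
        if ((string)claims["iss"] != expectedIssuer) throw new SecurityException("wrong issuer");
        var exp = (long?)claims["exp"];
        if (exp == null || UnixEpoch.AddSeconds(exp.Value) <= nowUtc) throw new SecurityException("expired or no exp");
        return claims;
    }

    // Compare the whole MAC regardless of where the first difference is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // The slide's claims, signed and checked; then the unsigned variant, which must be refused.
    public static bool Demo()
    {
        var key = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-use-in-production");   // constructed
        var claims = JObject.Parse("{\"iss\":\"joe\",\"exp\":1300819380,\"http://some.ns/read\":true}");
        var now = UnixEpoch.AddSeconds(1300819000);                                           // just before exp
        var accepted = Validate(Sign(claims, key), key, "joe", now);

        var unsignedToken = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\"}"))
                            + "." + Sign(claims, key).Split('.')[1] + ".";
        try { Validate(unsignedToken, key, "joe", now); return false; }
        catch (SecurityException) { return (bool)accepted["http://some.ns/read"]; }
    }
}
```

In the Web API this validation belongs in a message handler that reads the `Authorization: Bearer ...` header and turns the validated claims into the principal that [Authorize] checks; the shared key must be known only to the authorization server and the resource server, which is what makes the token trustworthy in the first place.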


What you have to implement

  • OAuth authorization server

  • Keep track of supported consumers

  • Keep track of user consent

  • OAuth token expiration & refresh

  • Oh, and your API


Windows Azure Access Control Service


ACS - Identity in Windows Azure

  • Active Directory federation

  • Graph API

  • Web SSO

  • Link apps to identity providers using rules

  • Support WS-Security, WS-Federation, SAML

  • Little known feature: OAuth2 delegation


OAuth flow using ACS


ASP.NET Web API, OAuth2, Windows Azure ACS


OAuth2 delegation?

  • You: OAuth authorization server

  • ACS: Keep track of supported consumers

  • ACS: Keep track of user consent

  • ACS: OAuth token expiration & refresh

  • You: Your API


Conclusion


Key takeaways

  • APIs are the new apps

  • Valuable

  • HTTP

  • ASP.NET Web API

  • OAuth2

  • Windows Azure Access Control Service


Thank you!

http://blog.maartenballiauw.be
@maartenballiauw
http://amzn.to/pronuget