OAuth -as-a-service using ASP.NET Web API and Windows Azure Access Control
Maarten Balliauw (@maartenballiauw)
Who am I?
  • Maarten Balliauw
  • Technical Evangelist, JetBrains
  • AZUG
  • Focus on web
    • ASP.NET MVC, Windows Azure, SignalR, ...
    • MVP Windows Azure & ASPInsider
  • http://blog.maartenballiauw.be
  • @maartenballiauw
  • Shameless self promotion: Pro NuGet - http://amzn.to/pronuget
Agenda
  • Why would I need an API?
  • API characteristics
  • ASP.NET MVC Web API
  • Windows Azure ACS
Consuming the web
  • 2000-2008: Desktop browser
  • 2008-2012: Mobile browser
  • 2008-2012: iPhone and Android apps
  • 2010-2014: Tablets, tablets, tablets
  • 2014-2016: Your fridge (Internet of Things)

Twitter & Facebook

By show of hands


Make everyone API

(as the French say)

Expose services to 3rd parties
  • Valuable
  • Flexible
  • Managed
  • Supported
  • Have a plan
What is an API?
  • Software-to-Software interface
  • Contract between software and developers
    • Functionalities, constraints (technical / legal)
    • Programming instructions and standards
  • Open services to other software developers (public or private)
Flavours
  • Transport
    • HTTP
    • Sockets
  • Message contract
    • SOAP
    • XML
    • Binary
    • JSON
    • HTML
Technical
  • Most APIs use HTTP and REST extensively
    • Addressing
    • HTTP Verbs
    • Media types
    • HTTP status codes
    • Hypermedia (*)
HTTP Verbs
  • GET – return data
  • HEAD – check if the data exists
  • POST – create or update data
  • PUT – put data
  • MERGE – merge values with existing data
  • DELETE – delete data
Status codes
  • 200 OK – Everything is OK, your expected data is in the response.
  • 401 Unauthorized – You either have to log in or you are not allowed to access the resource.
  • 404 Not Found – The resource could not be found.
  • 500 Internal Server Error – The server failed processing your request.

Be detailed!

Remember the RFC!

Think RFC2324!

ASP.NET Web API
  • Part of ASP.NET MVC 4
  • Framework to build HTTP services (REST)
  • Solid features
    • Modern HTTP programming model
    • Content negotiation (e.g. xml, json, ...)
    • Query composition (OData query support)
    • Model binding and validation (conversion to .NET objects)
    • Routes
    • Filters (e.g. Validation, exception handling, ...)
    • And more!
ASP.NET Web API is easy!
  • HTTP Verb = action
  • “Content-type” header = data format in
  • “Accept” header = data format out
  • Return meaningful status code

Creating an API

using ASP.NET Web API

Demo

Securing your API
  • No authentication
  • Basic/Windows authentication
  • [Authorize] attribute
The world of API clients is complex

AuthN + AuthZ

Username/password?

Basic auth?

NTLM / Kerberos?

Client certificate?

Shared secret?

Clients

  • HTML5+JS
  • SPA
  • Native apps
  • Server-to-server
A lot of public APIs…

“your API consumer isn’t really your user,but an application acting on behalf of a user”

(or: API consumer != user)

Guest badges
  • Building owner / colleague full-access badge
  • Guest badge
    • Your name on it
    • Limited scope (only 7th floor)
    • Limited validity (only today)
Guest badges

     +--------+                                 +---------------+
     |        |--(A)-- Can access tomorrow? --->|   Resource    |
     |        |                                 |     Owner     |
     |        |<-(B)- Sure! Here's invite ------|               |
     |        |                                 +---------------+
     |        |
     |        |                                 +---------------+
     |        |--(C)----- Was invited! -------->|               |
     | Client |                                 |   Reception   |
     |        |<-(D)---- Here's a badge! -------|               |
     |        |      (today; 7th floor)         +---------------+
     |        |
     |        |                                 +---------------+
     |        |--(E)------ Show badge --------->|   Resource    |
     |        |                                 |     Server    |
     |        |<-(F) Sure you can get coffee! --|               |
     +--------+                                 +---------------+

     And tomorrow, you'll have to refresh your badge!

OAuth2

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

                     Figure 1: Abstract Protocol Flow

http://tools.ietf.org/html/draft-ietf-oauth-v2-31

Quick side note…
  • There are 3 major authentication flows
  • Based on type of client
  • Variants possible
Access tokens / Refresh tokens
  • In theory: whatever format you want
  • Widely used: JWT (“JSON Web Token”)
  • Less widely used: SWT (“Simple Web Token”)
  • Signed / Encrypted
JWT

Header:
  {"alg":"none"}

Token:
  {"iss":"joe",
   "exp":1300819380,
   "http://some.ns/read":true}

What you have to implement
  • OAuth authorization server
  • Keep track of supported consumers
  • Keep track of user consent
  • OAuth token expiration & refresh
  • Oh, and your API
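Added example (not from the presentation): the resource server side of the JWT slide above and of the "token expiration & refresh" item, in Python rather than ASP.NET so it runs stand-alone. It mints a token with the slide's claims (iss, exp and the "http://some.ns/read" scope), then validates one the way an API should: reject the slide's "alg":"none" header, check an HS256 signature with a shared secret (a constructed demo secret; the real one lives with the authorization server), check the issuer, and refuse expired tokens so the client must refresh.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by authorization server and API (assumption: HS256 tokens).
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT; alg='none' yields an unsigned token like the slide's header."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = b"" if alg == "none" else hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, issuer: str, now=None) -> dict:
    """Return the claims if alg, signature, issuer and expiry all check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm: "none" and anything unexpected is refused
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired: client must use its refresh token")
    return claims


def can_read(token: str, secret: bytes, issuer: str, now=None) -> bool:
    """What the API checks before serving a read: valid token AND the scoped read claim."""
    try:
        return verify_token(token, secret, issuer, now).get("http://some.ns/read") is True
    except ValueError:
        return False
```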
ACS - Identity in Windows Azure
  • Active Directory federation
  • Graph API
  • Web SSO
  • Link apps to identity providers using rules
  • Support WS-Security, WS-Federation, SAML
  • Little known feature: OAuth2 delegation
OAuth2 delegation?
  • You: OAuth authorization server
  • ACS: Keep track of supported consumers
  • ACS: Keep track of user consent
  • ACS: OAuth token expiration & refresh
  • You: Your API
Key takeaways
  • APIs are the new apps
  • Valuable
  • HTTP
  • ASP.NET Web API
  • OAuth2
  • Windows Azure Access Control Service
Thank you!

http://amzn.to/pronuget
