1 / 47

OAuth -as-a-service using ASP.NET Web API and Windows Azure Access Control

OAuth -as-a-service using ASP.NET Web API and Windows Azure Access Control. Maarten Balliauw @ maartenballiauw. Who am I?. Maarten Balliauw Technical Evangelist, JetBrains AZUG Focus on web ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsider

nelia
Download Presentation

OAuth -as-a-service using ASP.NET Web API and Windows Azure Access Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access Control Maarten Balliauw@maartenballiauw

  2. Who am I? • Maarten Balliauw • Technical Evangelist, JetBrains • AZUG • Focus on web • ASP.NET MVC, Windows Azure, SignalR, ... • MVP Windows Azure & ASPInsider • http://blog.maartenballiauw.be • @maartenballiauw • Shameless self promotion: Pro NuGet - http://amzn.to/pronuget

  3. Agenda • Whywould I needan API? • API characteristics • ASP.NET MVC Web API • Windows Azure ACS

  4. Whywould I needan API?

  5. Consuming the web • 2000-2008: Desktop browser • 2008-2012: Mobile browser • 2008-2012: iPhoneandAndroidapps • 2010-2014: Tablets, tablets, tablets • 2014-2016: Your fridge (Internet of Things)

  6. Twitter & Facebook By show of hands

  7. Make everyone API (as the French say)

  8. Expose services to 3rd parties • Valuable • Flexible • Managed • Supported • Have a plan

  9. API Characteristics

  10. What is an API? • Software-to-Software interface • Contract between software anddevelopers • Functionalities, constraints (technical / legal) Programming instructionsandstandards • Open services toother software developers (public or private)

  11. Flavours • Transport • HTTP • Sockets • Message contract • SOAP • XML • Binary • JSON • HTML • …

  12. Technical • Most API’suse HTTP and REST extensively • Addressing • HTTP Verbs • Media types • HTTP status codes • Hypermedia (*)

  13. The Web is an API Demo

  14. HTTP Verbs • GET – return data • HEAD – check if the data exists • POST – create or update data • PUT – put data • MERGE – merge values with existing data • DELETE – delete data

  15. Status codes • 200 OK – Everything is OK, your expected data is in the response. • 401 Unauthorized – You either have to log in or you are not allowed to access the resource. • 404 Not Found – The resource could not be found. • 500 Internal Server Error – The server failed processing your request. • …

  16. Hypermedia in action!

  17. Be detailed! Remember the RFC! Think RFC2324!

  18. ASP.NET Web API

  19. ASP.NET Web API • Part of ASP.NET MVC 4 • Framework tobuild HTTP Services (REST) • Solid features • Modern HTTP programming model • Content negotiation (e.g. xml, json, ...) • Query composition (OData query support) • Model binding andvalidation (conversionto .NET objects) • Routes • Filters (e.g. Validation, exception handling, ...) • And more!

  20. ASP.NET Web API is easy! • HTTP Verb = action • “Content-type” header = data format in • “Accept” header = data format out • Return meaningful status code

  21. Creatingan API using ASP.NET Web API Demo

  22. Securingyour API • No authentication • Basic/Windows authentication • [Authorize] attribute

  23. Securing your API

  24. The world of API clients is complex AuthN + AuthZ Username/password? Basic auth? NTLM / Kerberos? Client certificate? Shared secret? Clients • HTML5+JS • SPA • Native apps • Server-to-server

  25. A lot of public API’s… “your API consumer isn’t really your user,but an application acting on behalf of a user” (or: API consumer != user)

  26. OAuth2

  27. Guest badges • Building owner / colleague full-access badge • Guest badge • Your name on it • Limited scope (only 7th floor) • Limited validity (onlytoday)

  28. Guest badges +--------+ +---------------+ | |--(A)-- Can access tomorrow?-->| Resource | | | | Owner | | |<-(B)- Sure! Here’s invite ----| | | | +---------------+ | | . | | +---------------+ | |--(C)----- Was invited! ------>| | | Client | | Reception | | |<-(D)---- Here’s a badge! -----| | | | (today;7th floor) +---------------+ | | . | | +---------------+ | |--(E)------ Show badge ------->| Resource | | | | Server | | |<-(F) Sure you can get coffee! | | +--------+ +---------------+ And tomorrow, you’ll have to refresh your badge!

  29. OAuth2 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+ Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31

  30. Quick side note… • There are 3 major authentication flows • Based on type of client • Variants possible

  31. On the web…

  32. Access tokens / Refresh tokens • In theory: whatever format you want • Widely used: JWT (“JSON Web Token”) • Less widely used: SWT (“Simple Web Token”) • Signed / Encrypted

  33. JWT Header:{"alg":"none"} Token:{"iss":"joe", "exp":1300819380, "http://some.ns/read":true}

  34. Whatyou have toimplement • OAuthauthorization server • Keep track of supportedconsumers • Keep track of user consent • OAuth token expiration & refresh • Oh, andyour API

  35. Windows AzureAccess Control Service

  36. ACS - Identity in Windows Azure • Active Directory federation • Graph API • Web SSO • Link appstoidentity providers usingrules • Support WS-Security, WS-Federation, SAML • Little known feature: OAuth2 delegation

  37. OAuth flow using ACS

  38. ASP.NET Web API, OAuth2, Windows Azure ACS

  39. OAuth2 delegation? • You: OAuthauthorization server • ACS: Keep track of supportedconsumers • ACS: Keep track of user consent • ACS: OAuthtoken expiration & refresh • You: Your API

  40. Conclusion

  41. Keytakeaways • API’s are the new apps • Valuable • HTTP • ASP.NET Web API • OAuth2 • Windows Azure Access Control Service

  42. http://blog.maartenballiauw.be@maartenballiauw Thankyou! http://amzn.to/pronuget

More Related