OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control. Maarten Balliauw @maartenballiauw. Who am I? Maarten Balliauw, Technical Evangelist, JetBrains. AZUG. Focus on web: ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsider
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten Balliauw @maartenballiauw
Who am I? • Maarten Balliauw • Technical Evangelist, JetBrains • AZUG • Focus on web • ASP.NET MVC, Windows Azure, SignalR, ... • MVP Windows Azure & ASPInsider • http://blog.maartenballiauw.be • @maartenballiauw • Shameless self promotion: Pro NuGet - http://amzn.to/pronuget
Agenda • Why would I need an API? • API characteristics • ASP.NET MVC Web API • Windows Azure ACS
Consuming the web • 2000-2008: Desktop browser • 2008-2012: Mobile browser • 2008-2012: iPhone and Android apps • 2010-2014: Tablets, tablets, tablets • 2014-2016: Your fridge (Internet of Things)
Twitter & Facebook By show of hands
Make everyone API (as the French say)
Expose services to 3rd parties • Valuable • Flexible • Managed • Supported • Have a plan
What is an API? • Software-to-Software interface • Contract between software and developers • Functionalities, constraints (technical / legal) • Programming instructions and standards • Open services to other software developers (public or private)
Flavours • Transport • HTTP • Sockets • Message contract • SOAP • XML • Binary • JSON • HTML • …
Technical • Most APIs use HTTP and REST extensively • Addressing • HTTP Verbs • Media types • HTTP status codes • Hypermedia (*)
The Web is an API Demo
HTTP Verbs • GET – return data • HEAD – check if the data exists • POST – create or update data • PUT – put data • MERGE – merge values with existing data • DELETE – delete data
Status codes • 200 OK – Everything is OK, your expected data is in the response. • 401 Unauthorized – You either have to log in or you are not allowed to access the resource. • 404 Not Found – The resource could not be found. • 500 Internal Server Error – The server failed processing your request. • …
Be detailed! Remember the RFC! Think RFC2324!
ASP.NET Web API • Part of ASP.NET MVC 4 • Framework to build HTTP Services (REST) • Solid features • Modern HTTP programming model • Content negotiation (e.g. xml, json, ...) • Query composition (OData query support) • Model binding and validation (conversion to .NET objects) • Routes • Filters (e.g. Validation, exception handling, ...) • And more!
ASP.NET Web API is easy! • HTTP Verb = action • “Content-type” header = data format in • “Accept” header = data format out • Return meaningful status code
Creating an API using ASP.NET Web API Demo
Securing your API • No authentication • Basic/Windows authentication • [Authorize] attribute
The world of API clients is complex AuthN + AuthZ Username/password? Basic auth? NTLM / Kerberos? Client certificate? Shared secret? Clients • HTML5+JS • SPA • Native apps • Server-to-server
A lot of public APIs… “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
Guest badges • Building owner / colleague full-access badge • Guest badge • Your name on it • Limited scope (only 7th floor) • Limited validity (only today)
Guest badges

     +--------+                               +---------------+
     |        |--(A)-- Can access tomorrow?-->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)- Sure! Here’s invite ----|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)----- Was invited! ------>|               |
     | Client |                               |   Reception   |
     |        |<-(D)---- Here’s a badge! -----|               |
     |        |       (today;7th floor)       +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)------ Show badge ------->|   Resource    |
     |        |                               |    Server     |
     |        |<-(F) Sure you can get coffee! |               |
     +--------+                               +---------------+

And tomorrow, you’ll have to refresh your badge!
OAuth2

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

Figure 1: Abstract Protocol Flow
http://tools.ietf.org/html/draft-ietf-oauth-v2-31
Quick side note… • There are 3 major authentication flows • Based on type of client • Variants possible
Access tokens / Refresh tokens • In theory: whatever format you want • Widely used: JWT (“JSON Web Token”) • Less widely used: SWT (“Simple Web Token”) • Signed / Encrypted
JWT Header: {"alg":"none"} Token: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
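Added example (not from the talk or its demos): what the resource server in step (E) of the flow has to check before honouring a JWT, written in Python with the claim names from the slide above. The shared key, the choice of HS256 and all function names are assumptions made for illustration; the unsigned {"alg":"none"} form shown on the slide is refused, in the same way a badge with no issuer stamp would be.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"          # assumption: secret shared by issuer and API
READ = "http://some.ns/read"           # claim name taken from the slide's token

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Authorization-server side: build a compact JWT (sample tokens only)."""
    head = b64u(json.dumps({"alg": alg}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = mac(f"{head}.{body}", key) if alg == "HS256" else b""
    return f"{head}.{body}.{b64u(sig)}"

def validate(token: str, key: bytes, scope: str, now: int) -> dict:
    """Resource-server side: return the claims or raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(unb64u(head)), json.loads(unb64u(body))
        signature = unb64u(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":       # pin the algorithm; never trust the header
        raise ValueError("unsupported alg")
    if not hmac.compare_digest(signature, mac(f"{head}.{body}", key)):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")        # limited validity, like the guest badge
    if claims.get(scope) is not True:      # limited scope, like the guest badge
        raise ValueError("missing scope")
    return claims

def decision(token: str, scope: str, now: int, key: bytes = KEY) -> str:
    """Map validate() onto the allow/deny answer the API would give."""
    try:
        validate(token, key, scope, now)
        return "allow"
    except ValueError as exc:
        return f"deny: {exc}"
```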
What you have to implement • OAuth authorization server • Keep track of supported consumers • Keep track of user consent • OAuth token expiration & refresh • Oh, and your API
ACS - Identity in Windows Azure • Active Directory federation • Graph API • Web SSO • Link apps to identity providers using rules • Support WS-Security, WS-Federation, SAML • Little known feature: OAuth2 delegation
OAuth2 delegation? • You: OAuth authorization server • ACS: Keep track of supported consumers • ACS: Keep track of user consent • ACS: OAuth token expiration & refresh • You: Your API
Key takeaways • APIs are the new apps • Valuable • HTTP • ASP.NET Web API • OAuth2 • Windows Azure Access Control Service
http://blog.maartenballiauw.be @maartenballiauw Thank you! http://amzn.to/pronuget