OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
Download as pptx, pdf1 like4,619 views
This document discusses APIs and authentication. It introduces Maarten Balliauw and his focus on web technologies. It then discusses why APIs are needed as applications have expanded beyond desktop browsers. It outlines characteristics of APIs like using HTTP, JSON, and REST. It introduces ASP.NET Web API and demonstrates HTTP verbs and status codes. It discusses securing APIs with OAuth2 and using Windows Azure Access Control Service for authentication.
![Securing your API
No authentication
Basic/Windows authentication
[Authorize] attribute](https://image.slidesharecdn.com/01devroom8oauthasaservicemaartenballiauw19-130320064601-phpapp01/85/OAuth-as-a-service-using-ASP-NET-Web-API-and-Windows-Azure-Access-Control-24-320.jpg)
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
- 2. Who am I? Maarten Balliauw Technical Evangelist, JetBrains MyGet.org AZUG Focus on web ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsider Buy me a beer! http://amzn.to/pronuget http://blog.maartenballiauw.be Shameless self promotion: Pro NuGet - @maartenballiauw http://amzn.to/pronuget
- 3. Agenda Why would I need an API? API characteristics ASP.NET MVC Web API Windows Azure ACS
- 4. Why would I need an API?
- 5. Consuming the web 2000-2008: Desktop browser 2008-2012: Mobile browser 2008-2012: iPhone and Android apps 2010-2014: Tablets, tablets, tablets 2014-2016: Your fridge (Internet of Things)
- 7. Twitter & Facebook By show of hands
- 8. Make everyone API (as the French say)
- 9. Expose services to 3rd parties Valuable Flexible Managed Supported Have a plan
- 11. You’re not the only one Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
- 13. What is an API? Software-to-Software interface Contract between software and developers Functionalities, constraints (technical / legal) Programming instructions and standards Open services to other software developers (public or private)
- 14. Flavours Transport Message contract HTTP SOAP Sockets XML Binary JSON HTML …
- 15. Technical Most API’s use HTTP and REST extensively Addressing HTTP Verbs Media types HTTP status codes Hypermedia (*)
- 16. Demo
- 17. HTTP Verbs GET – return data HEAD – check if the data exists POST – create or update data PUT – put data MERGE – merge values with existing data DELETE – delete data
- 18. Status codes 200 OK – Everything is OK, your expected data is in the response. 401 Unauthorized – You either have to log in or you are not allowed to access the resource. 404 Not Found – The resource could not be found. 500 Internal Server Error – The server failed processing your request. …
- 19. Think RFC2324!
- 20. ASP.NET Web API
- 21. ASP.NET Web API Part of ASP.NET MVC 4 Framework to build HTTP Services (REST) Solid features Modern HTTP programming model Content negotiation (e.g. xml, json, ...) Query composition (OData query support) Model binding and validation (conversion to .NET objects) Routes Filters (e.g. Validation, exception handling, ...) And more!
- 22. ASP.NET Web API is easy! HTTP Verb = action “Content-type” header = data format in “Accept” header = data format out Return meaningful status code
- 23. Demo
- 24. Securing your API No authentication Basic/Windows authentication [Authorize] attribute
- 25. Demo
- 26. The world of API clients is complex CLIENTS AUTHN + AUTHZ HTML5+JS Username/password? SPA Basic auth? Native apps NTLM / Kerberos? Server-to-server Client certificate? Shared secret?
- 27. A lot of public API’s… “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
- 28. OAuth2
- 30. TechDays badges “I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”
- 31. TechDays badges +--------+ +---------------+ | |--(A)– Register for TechDays-->| Resource | | | | Owner | | |<-(B)-Sure! Here’s an e-ticket-| Microsoft | | | +---------------+ | | . | | +---------------+ | Client |--(C)----- Was invited! ------>| Authorization | | Me | | Server | | |<-(D)---- Here’s a badge! -----| Reception | | | (5-7 March;speaker) +---------------+ | | . | | +---------------+ | |--(E)------ Show badge ------->| Resource | | | | Server | | |<-(F)-- Enter speakers room ---| Kinepolis | +--------+ +---------------+ Next year, I will have to refresh my badge
- 32. TechDays badges “I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March” Me = Client Delegation Barcode = Access Code Reception = Authorization Server Microsoft = Resource Owner Kinepolis = Resource Server Badge = Access Token Speaker = Scope 5-7 March = Token Lifetime
- 34. OAuth2 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+ Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31
- 36. Demo
- 37. Quick side note… There are 3 major authentication flows Based on type of client Variants possible
- 38. OAuth2 – Initial flow
- 39. OAuth2 – “Refresh” (one of those variants)
- 40. Access tokens / Refresh tokens In theory: whatever format you want Widely used: JWT (“JSON Web Token”) Less widely used: SWT (“Simple Web Token”) Signed / Encrypted
- 41. JWT Header: {"alg":"none"} Token: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
- 42. Is OAuth2 different from OpenID? Yes. OpenID = authN OAuth2 = authN (optional) + authZ http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx
- 43. What you have to implement OAuth authorization server Keep track of supported consumers Keep track of user consent OAuth token expiration & refresh Oh, and your API
- 45. Windows Azure Access Control Service
- 46. ACS - Identity in Windows Azure Active Directory federation Graph API Web SSO Link apps to identity providers using rules Support WS-Security, WS-Federation, SAML Little known feature: OAuth2 delegation
- 47. OAuth flow using ACS
- 48. Demo
- 49. OAuth2 delegation? You: OAuth authorization server ACS: Keep track of supported consumers ACS: Keep track of user consent ACS: OAuth token expiration & refresh You: Your API
- 50. Conclusion
- 51. Key takeaways API’s are the new apps Valuable HTTP ASP.NET Web API OAuth2 Windows Azure Access Control Service
- 52. http://blog.maartenballiauw.be @maartenballiauw http://amzn.to/pronuget Thank you!