Filip Ekberg is a software engineer, author, blogger, and speaker. He discusses ASP.NET 5 and OAuth, highlighting that it is cross-platform, open source, and has a modular design. He provides tips for using OAuth with ASP.NET 5, including consuming APIs, securing APIs, and choosing an OAuth flow. He emphasizes best practices like validating tokens, securing tokens like passwords, and leveraging claims-based authentication.
6. • Ctrl + H (Find and Replace) Upgrades
• Until RTM
- anything can be renamed
- anything can be removed
• Side-by-side versions make it easy (dnvm upgrade)
13. • Don’t rely on a third party for a critical system
• Fewer headaches for your integrators
• Could be added as an option
15. • Built by industry experts
• Open Source
• Allows you to use OAuth 2.0 and OpenID Connect
• Lots and lots of examples and help available
https://github.com/IdentityServer/IdentityServer3
17. Authorization Code: trade the code for an Access Token
Access Token: lets you access a given resource
Refresh Token: lets you keep your Access Token fresh
18. Treat your Tokens like passwords!
Remember, they give you access to a potentially private resource
19. • JSON Web Token
• Payload (Claims) includes Scopes, User info, etc.
• Signed
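Slide 19 says a JWT is a signed payload of claims, and the deck's stated best practice is to validate tokens before trusting them. The block below is an added example, not code from the talk or from IdentityServer, written in Python with only the standard library so it runs stand-alone (the talk itself targets C#). The signing key, issuer, audience and claim values are constructed for the demonstration. It mints an HS256 token the way a token service would, then performs the checks an API must make before using the payload: pinned algorithm, constant-time signature comparison, issuer, audience, expiry and not-before, followed by a scope check. demo() also forges an alg=none token and a token signed with a different key to show both being rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; a real key must be random, at least 256 bits,
# and shared only between the token service and the API that validates tokens.
SECRET = b"demo-only-key-replace-with-32-random-bytes"
ISSUER = "https://idsrv.example.test"   # assumed token issuer
AUDIENCE = "books-api"                   # assumed audience (our API)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Issue header.payload.signature; alg is a parameter only so demo() can forge alg=none."""
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims)
    if alg == "none":
        return signing_input + "."          # forged, unsigned token for the negative test
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, key: bytes = SECRET, now=None,
                   issuer: str = ISSUER, audience: str = AUDIENCE) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not tell the verifier how to verify it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant time
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))   # trusted only after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def has_scope(claims: dict, scope: str) -> bool:
    """Scopes may arrive as a list or as a space-separated string."""
    granted = claims.get("scope", [])
    if isinstance(granted, str):
        granted = granted.split()
    return scope in granted


def demo(now: float = 1_700_000_100.0) -> dict:
    """Validate a good token, then four bad ones; return what each attempt produced."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "42",
              "scope": ["books.read"], "nbf": now - 100, "exp": now + 500}
    good = mint_token(claims)
    valid = validate_token(good, now=now)
    out = {"valid_sub": valid["sub"],
           "can_read": has_scope(valid, "books.read"),
           "can_write": has_scope(valid, "books.write")}
    attempts = {
        "expired": (good, now + 600),
        "wrong_key": (mint_token(claims, key=b"attacker-guess"), now),
        "alg_none": (mint_token({**claims, "sub": "admin"}, alg="none"), now),
        "other_audience": (mint_token({**claims, "aud": "payments-api"}), now),
    }
    for name, (tok, at) in attempts.items():
        try:
            validate_token(tok, now=at)
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = str(exc)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks matters: the payload is decoded and read only after the signature has been verified against a fixed algorithm, so a forged header or a tampered claim never influences the verifier. Audience is checked because a perfectly valid token for another API is still the wrong token for this one.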
28. What if we already have authentication?
Identify this in pre-authentication and skip the OAuth login screen
Authenticate against the current system
29. Authentication is the process of ascertaining that somebody really is who they claim to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Filip may be authorized to create and delete databases, while Josh is only authorized to read.
http://stackoverflow.com/a/6556548/39106
31. • More than just "OK, you may access this resource" (OAuth)
• Authorization (Permissions) + Authentication (Login)
• IdentityServer provides OAuth 2.0 + OpenID Connect
35. • Client Id
• Secret
• Scope(s)
• Return URL
• Grant type
• Credentials / Authorization Code (Flow dependent)
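Slides 17 and 35 together describe the moving parts of the authorization code flow: a registered client (client id, secret, allowed scopes, return URL, grant type) hands the user to the authorization server, gets back a code, and trades it for an access token and a refresh token. The block below is an added example, not the talk's code and not IdentityServer, written in Python with only the standard library so it runs offline. It simulates both sides of the exchange and the checks the token endpoint has to make. The client registration, secret, URLs and user name are constructed; tokens are opaque random strings rather than JWTs, and transport security is assumed to be handled by TLS outside the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 60        # seconds an authorization code stays redeemable
ACCESS_TTL = 3600    # access token lifetime in seconds

# Constructed registration record of the kind slide 35 lists (not a real client).
CLIENTS = {
    "books-web": {
        "secret_sha256": hashlib.sha256(b"web-client-secret").hexdigest(),  # store a hash, not the secret
        "redirect_uris": {"https://books.example.test/callback"},
        "scopes": {"openid", "books.read", "offline_access"},
        "grant_types": {"authorization_code", "refresh_token"},
    },
}


class AuthError(Exception):
    pass


class AuthorizationServer:
    def __init__(self, clients=CLIENTS, clock=time.time):
        self.clients, self.clock = clients, clock
        self._codes = {}    # code -> (client_id, redirect_uri, scopes, user, expires_at)
        self._refresh = {}  # refresh token -> (client_id, scopes, user)

    def authorize(self, client_id, redirect_uri, scope, user):
        """Front channel: the user has logged in and consented; return a one-time code."""
        client = self.clients.get(client_id)
        if client is None:
            raise AuthError("unknown client")
        if redirect_uri not in client["redirect_uris"]:   # exact match, never prefix/wildcard
            raise AuthError("invalid redirect_uri")
        scopes = set(scope.split())
        if not scopes <= client["scopes"]:
            raise AuthError("scope not allowed for client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, scopes, user, self.clock() + CODE_TTL)
        return code

    def token(self, grant_type, client_id, client_secret, **p):
        """Back channel: trade a code or a refresh token for an access token."""
        client = self.clients.get(client_id)
        if client is None:
            raise AuthError("unknown client")
        given = hashlib.sha256(client_secret.encode()).hexdigest()
        if not hmac.compare_digest(given, client["secret_sha256"]):
            raise AuthError("bad client credentials")
        if grant_type not in client["grant_types"]:
            raise AuthError("grant type not allowed")
        if grant_type == "authorization_code":
            binding = self._codes.pop(p.get("code"), None)   # pop: a code is single-use
            if binding is None:
                raise AuthError("invalid or already used code")
            issued_to, issued_redirect, scopes, user, expires_at = binding
            if issued_to != client_id or issued_redirect != p.get("redirect_uri"):
                raise AuthError("code not issued to this client/redirect_uri")
            if self.clock() > expires_at:
                raise AuthError("code expired")
        else:  # refresh_token
            entry = self._refresh.pop(p.get("refresh_token"), None)  # rotate on every use
            if entry is None or entry[0] != client_id:
                raise AuthError("invalid refresh token")
            _, scopes, user = entry
        response = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                    "expires_in": ACCESS_TTL, "scope": " ".join(sorted(scopes))}
        if "offline_access" in scopes:
            response["refresh_token"] = secrets.token_urlsafe(32)
            self._refresh[response["refresh_token"]] = (client_id, scopes, user)
        return response


def walkthrough():
    """Run the happy path and the misuses the checks above stop; return the outcomes."""
    now = [1_700_000_000.0]
    srv = AuthorizationServer(clock=lambda: now[0])
    cb, cid, sec = "https://books.example.test/callback", "books-web", "web-client-secret"

    def attempt(secret=sec, **kw):
        try:
            return srv.token(client_id=cid, client_secret=secret, **kw)
        except AuthError as exc:
            return str(exc)

    out = {}
    code = srv.authorize(cid, cb, "openid books.read offline_access", user="filip")
    first = attempt(grant_type="authorization_code", code=code, redirect_uri=cb)
    out["scope"] = first["scope"]
    out["replayed_code"] = attempt(grant_type="authorization_code", code=code, redirect_uri=cb)
    code = srv.authorize(cid, cb, "books.read", user="filip")
    out["redirect_mismatch"] = attempt(grant_type="authorization_code", code=code,
                                       redirect_uri="https://evil.example.test/callback")
    code = srv.authorize(cid, cb, "books.read", user="filip")
    now[0] += CODE_TTL + 1
    out["stale_code"] = attempt(grant_type="authorization_code", code=code, redirect_uri=cb)
    second = attempt(grant_type="refresh_token", refresh_token=first["refresh_token"])
    out["refresh_rotated"] = second["refresh_token"] != first["refresh_token"]
    out["old_refresh_reused"] = attempt(grant_type="refresh_token", refresh_token=first["refresh_token"])
    out["wrong_secret"] = attempt(secret="guess", grant_type="authorization_code", code="x", redirect_uri=cb)
    return out


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name}: {result}")
```

The walkthrough exercises each check in turn: the code is removed from the store when redeemed so a replay fails, the redirect URI at the token endpoint must equal the one the code was issued for, codes expire within a minute, the client secret is compared as a hash in constant time, and refresh tokens are rotated on use so a leaked old one is worthless. These are the server-side counterparts of "treat your tokens like passwords" on slide 18.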
49. To go into the draw for prizes, please
remember to complete your feedback at:
http://www.dddbrisbane.com/feedback
No feedback = No Prizes!
50. @fekberg
Thank you,
I’m Filip Ekberg!
Author. Blogger. Speaker. MS MVP. Xamarin MVP. Geek.
Senior Software Engineer @
Editor's Notes
In this talk we’ll go through a lot of content that will help you build a powerful and hopefully more secure API.
We’ll start off by talking about ASP.NET 5 for those of you that need to freshen your knowledge, and then we are going to discuss how we can secure this API by introducing OAuth. Of course, we will also talk about how we can consume the API in different scenarios.
If you have any questions or objections during the talk, please feel free to interrupt me!
ASP.NET 5, the hot topic of 2015! It’s fair to say that over the past 12 months, we’ve seen so many good changes coming from Microsoft in terms of open source, hardware, frameworks and software releases that it’s really hard to keep up.
ASP.NET 5 is one of these amazing things Microsoft have been working on, and they’ve done this in the open. Everything is open source and freely available on GitHub – you can even help out if you are so inclined!
If you’re coming from an earlier version of ASP.NET, a lot of it will look similar, if not the same. Don’t let that fool you though: it’s completely rewritten and now leverages a modular architecture that allows you to really pick and choose what parts you want to include in your software.
Show how to build an API with ASP.NET 5, include some of the fundamentals
-- 15 minutes to this slide --
Now that we have an API, it lets us retrieve the data we want – how do we lock this down and make it secure?
We want to avoid introducing something custom built that no one will know about, it’s much better if we can adhere to a specification, such as OAuth 2.0.
While I introduced OAuth, I found myself becoming best friends with the specification, at least we had a love-hate relationship. More than once I got home from work with a bit of a headache – it’s a lot of interesting concepts and processes to keep in your head at all times!
So, we now want to lock down our API by introducing a bit of security. The idea here is that we’ll use something that people consuming our API will be comfortable using.
This is where OAuth comes into the picture.
Before we start talking about OAuth, security and all those really fun topics – I just want to say that I am by no means a security expert. I’m leveraging as much as possible from what industry experts have already created, and I limit the amount of customization to avoid introducing security holes.
If you are working on a critical piece of software that is core to your business, it’s always worth consulting a security expert before going live and doing so on a regular basis. It’s been proven over and over again that even the largest companies with some of the smartest people in the world keep making small mistakes that can trash their entire reputation.
With that out of the way, let’s talk about how we can tighten the security of our API!
Show JWT.io
Show how to enable IdentityServer on the API that we built in the first demo.
Start off with the In-Memory examples and elaborate into a customized solution