OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

  • 6,308 views
Uploaded on

API’s are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a …

API’s are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • I'm having a REAL tough time integrating JWT token consumption and validation on my API from ACS. I was wondering if you had any samples for JWT integration?
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
6,308
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
19
Comments
1
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Maarten
  • Kinepolis: veel static content / in-frame caching
  • A couple of years ago, having a web-based application was enough. Users would navigate to it using their computer’s browser, do their dance and log out again. Nowadays, a web-based application isn’t enough anymore. People have smartphones, tablets and maybe even a refrigerator with Internet access on which applications can run. Applications or “apps”. We’re moving from the web towards apps.
  • A great example of an API is Twitter. They have a massive data store containing tweets and data related to that. They have user profiles. And a web site. And an API. Are you using www.twitter.com to post tweets? I am using the website, maybe once a year. All other tweets come either from my Windows Phone 7’s Twitter application or through www.hootsuite.com, a third-party Twitter client which provides added value in the form of statistics and scheduling. Both the app on my phone as well as the third-party service are using the Twitter API. By exposing an API, Twitter has created a rich ecosystem which drives their real value: data.
  • If you want to expose your data and services to external third-parties, you may want to think about building an API. Having an API gives you a giant advantage on the Internet nowadays. Having an API will allow your web application to reach more users. App developers will jump onto your API and build their app around it. Other websites or apps will integrate with your services by consuming your API. The only thing you have to do is expose a valuable, managed and supported API and get people to know it. Apps will come. Integration will come.
  • The mainidea of API’s is tobroadenyourreach. Youcan’tcreateappsthatcanbeused on every fridge out there, it’s way toocostly. But ifyou have a valuable service which is supported, peoplewillbuildappsaround it. Andifitmakes sense toanyonetocreate a fridge app on top of your API, itwill happen.
  • You’renot the onlyone. Thenumber of API’s is growing at a fast pace and the number of appsandmashups on different devicesgrowswiththat. Ifyou want market share, your best chance of growingit is in building a valuable API.
  • An API is simply a software-to-software interface, defined by whoever is exposing the API to public or private users. It defines constraints, both technical as well as legal. Twitter for example defines a usage constraint: if you are using their API without paying you will be limited to a certain number or requests.
  • We can inform the server of what we intend to do using one of the standard HTTP verbs. There are more verbs if you like, but these are the most widely used.
  • There’s a large number possible status codes you can use. Here are some you will most commonly encounter:200 OK – Everything is OK, your expected data is in the response.401 Unauthorized – You either have to log in or you are not allowed to access the resource.404 Not Found – The resource could not be found.500 Internal Server Error – The server failed processing your request.See the theme? 1XX are informational. 2XX codes mean “successful”. 3XXX tell you to go elsewhere, like our 302 example above. 4XX means the client has done something wrong. A wrong address or a wrong request. 5XX means the server has had a problem, like the feared error 500 – Internal Server Error you see on some websites.
  • Here are four basic conventions for ASP.NET Web API:Requests have an HTTP verb defined. This maps to the API controller’s action method.Requests have an Accept header. This is handled by ASP.NET Web API’s MediaTypeFormatter and will transform the request to your controller from JSON, XML or whatever format you want to add as a MediaTypeFormatter.Responses have an HTTP status code.Responses are formatted by ASP.NET Web API’s MediaTypeFormatter into JSON, XML or whatever format you want to add as a MediaTypeFormatter.
  • If you decide that your API isn’t public or specific actions can only be done for a certain user (get me my tweets, Twitter!), you’ll be facing authentication and authorization problems. With ASP.NET Web API, this is simple: add an [Authorize] attribute on top of a controller or action method and you’re done, right? When using the out-of-the-box authentication/authorization mechanisms of ASP.NET Web API, you are relying on either forms authentication or Windows authentication. Both require the user to log in. And as your API user isn’t really your user, but an application acting on behalf of a user, that means that the application should know the user’s credentials. Would you give your username and password to a third-party website to access your Twitter account? I don’t think so.
  • I want you to remember one sentence: “your API user isn’t really your user, but an application acting on behalf of a user”. It has implications. It means you are “delegating” access to an API to a consuming application.
  • Maybeyouwork at a company which hands out guest badges tovisitors. You have a badge with full access to the office, yourguests have a guest badge. Your name is on that badge: ifanythinggoes wrong or has tobedone, colleaguescanidentify the guest as someonewho’sthere on your call.The guest badge canbelimited in scope (only the 7th foor) or in validityduration (onlytoday).Wouldn’tthisbe a great approach toprotectyour API?
  • As anexample, take lanyrd.com. They keep track of conferences you’llbespeaking at and conferences thepeopleyou follow on Twitter are speaking at. To get that data, theyneed access to the list of peopleyou follow on Twitter. Here’swhathappens:You want to log in on Lanyrd, theyredirectyoutoTwitter’s login page. Notice the token in the address bar: itidentifies the callingapplicationtoTwitter.You log in on Twitterandgive consent with a limited scope: Lanyrdwillbeabletoseeyourtimelineand get the list of peopleyou follow. The scope is limitedtothat: Lanyrdcan’ttweet on mybehalf. Theycan’tfavoritetweets. Or sendmessages. Or do anythingelse.Twitterredirects me back toLanyrd, posting back a “refresh” tokenWhatyoudon’tsee:Lanyrdusesthat token torequestan “access token” fromTwitter.Twitter checks the validity of the incoming token and checks the origin, to make sure no otherapplication but Lanyrdcomes in withthat token.Whenvalid, Twitter returns an access token toLanyrd, containing:An access keyA new refresh tokenThe allowed scopeValiditydurationA signature- When the token expires, Lanyrduses the new refresh token to go throughthisprocessagain.
  • There’s a lot toimplement.
  • One of the interesting components in the Windows Azure platform is the Access Control Service (ACS). ACS allows you to outsource your authentication and authorization woes and have Microsoft handle those. At www.myget.org, an application me and a colleague have been working on, you’ll find that you can log in through a variety of identity providers (Windows Live ID, Google, Facebook, GitHub, …). We don’t have to do anything for that: ACS solves this and presents us with a set of claims about the user, such as his username on GitHub. If we want to add another identity provider, we simply configure it in ACS and without modifying our code, you can login through that new identity provider.Next to that, ACS provides a little known feature: OAuth2 delegation support. The idea with that is that your application’s only job is to ask the user if a specific application can act on his or her behalf and store that decision in ACS. From then on, the client application will always have to go to ACS to fetch an access token and a refresh token which can be presented to your API.
  • This approach comes in very handy! Every client application will only have to ask our Authorization server once for user consent, after which ACS will take care of handing out access tokens, expiring tokens, renewing tokens and so on. ACS handles all the authentication and authorization load for us, even with 1 billion apps and users consuming my API. And all of that for just 19 US$ per million actions on ACS (see pricing calculator).
  • There’s a lot toimplement. Whynot outsource itto Windows Azure ACS?You: OAuthauthorization server  youdecidewho is granted access andwho’snot. You’ll have totell ACS aboutthis, but apart fromthatyou have nothingto do.ACS: Keep track of supportedconsumers based on your inputACS: Keep track of user consent  based on the user’s inputACS: OAuth token expiration & refresh based on all of the aboveYou: Your API  of course!
  • API’s are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.We’re moving from the web towards apps. Next to your website, apps are becoming more and more popular as an alternative manner to consume your data and services. Why not use that as a lever to reach more users? By exposing an API, you’re giving third party app developers the opportunity to interface with your services and at the same time, they are the advocate of them. Embrace them, give them a good API.Of course, that API should be protected. OAuth2 is becoming the de-facto standard for that but requires some server-side coding on your part. If you just want to focus on the API and delegate the heavy lifting and scaling of the OAuth2 protocol, you may as well delegate it to the Windows Azure Access Control Service. WindowsAzure.Acs.Oauth2 will help you with that.

Transcript

  • 1. #warmcrocconfOAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw@maartenballiauw
  • 2. Who am I?Maarten BalliauwTechnical Evangelist, JetBrainsAZUGFocus on web ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsiderhttp://blog.maartenballiauw.be@maartenballiauwShameless self promotion: Pro NuGet -http://amzn.to/pronuget
  • 3. AgendaWhy would I need an API?API characteristicsASP.NET MVC Web APIWindows Azure ACS
  • 4. Why would I need anAPI?
  • 5. Consuming the web2000-2008: Desktop browser2008-2012: Mobile browser2008-2012: iPhone and Android apps2010-2014: Tablets, tablets, tablets2014-2016: Your fridge (Internet of Things)
  • 6. Twitter & FacebookBy show of hands
  • 7. Make everyone API(as the French say)
  • 8. Expose services to 3rd partiesValuableFlexibleManagedSupportedHave a plan
  • 9. Reach More Clients
  • 10. You’re not the only one Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
  • 11. API Characteristics
  • 12. What is an API?Software-to-Software interfaceContract between software and developers Functionalities, constraints (technical / legal) Programming instructions and standardsOpen services to other software developers (public or private)
  • 13. FlavoursTransport Message contract HTTP SOAP Sockets XML Binary JSON HTML …
  • 14. TechnicalMost API’s use HTTP and REST extensively Addressing HTTP Verbs Media types HTTP status codes Hypermedia (*)
  • 15. The Web is an APIDemo
  • 16. HTTP VerbsGET – return dataHEAD – check if the data existsPOST – create or update dataPUT – put dataMERGE – merge values with existing dataDELETE – delete data
  • 17. Status codes200 OK – Everything is OK, your expected data is in the response.401 Unauthorized – You either have to log in or you are not allowed to accessthe resource.404 Not Found – The resource could not be found.500 Internal Server Error – The server failed processing your request.…
  • 18. Hypermedia in action!
  • 19. demoBe detailed!Remember the RFC! Think RFC2324!
  • 20. ASP.NET Web API
  • 21. ASP.NET Web APIPart of ASP.NET MVC 4Framework to build HTTP Services (REST)Solid features Modern HTTP programming model Content negotiation (e.g. xml, json, ...) Query composition (OData query support) Model binding and validation (conversion to .NET objects) Routes Filters (e.g. Validation, exception handling, ...) And more!
  • 22. ASP.NET Web API is easy!HTTP Verb = action“Content-type” header = data format in“Accept” header = data format outReturn meaningful status code
  • 23. demoCreating an APIusing ASP.NET Web API Demo
  • 24. Securing your APINo authenticationBasic/Windows authentication[Authorize] attribute
  • 25. demoSecuring your API
  • 26. A lot of public API’s… “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
  • 27. OAuth2
  • 28. Guest badgesBuilding owner / colleague full-access badgeGuest badge Your name on it Limited scope (only 7th floor) Limited validity (only today)
  • 29. Guest badges +--------+ +---------------+ | |--(A)-- Can access tomorrow?-->| Resource | | | | Owner | | |<-(B)- Sure! Here’s invite ----| | | | +---------------+ | | . | | +---------------+ | |--(C)----- Was invited! ------>| | | Client | | Reception | | |<-(D)---- Here’s a badge! -----| | | | (today;7th floor) +---------------+ | | . | | +---------------+ | |--(E)------ Show badge ------->| Resource | | | | Server | | |<-(F) Sure you can get coffee! | | +--------+ +---------------+ And tomorrow, you’ll have to refresh your badge!
  • 30. OAuth2 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+ Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31
  • 31. Quick side note…There are 3 major authentication flowsBased on type of clientVariants possible
  • 32. On the web…
  • 33. OAuth2 – Initial flow
  • 34. OAuth2 – “Refresh” (one of those variants)
  • 35. Access tokens / Refresh tokensIn theory: whatever format you wantWidely used: JWT (“JSON Web Token”)Less widely used: SWT (“Simple Web Token”)Signed / Encrypted
  • 36. JWTHeader:{"alg":"none"}Token:{"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
  • 37. Is OAuth2 different from OpenID?Yes.OpenID = authNOAuth2 = authN (optional) + authZhttp://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thinghttp://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx
  • 38. What you have to implementOAuth authorization serverKeep track of supported consumersKeep track of user consentOAuth token expiration & refreshOh, and your API
  • 39. Windows AzureAccess ControlService
  • 40. ACS - Identity in Windows AzureActive Directory federationGraph APIWeb SSOLink apps to identity providers using rulesSupport WS-Security, WS-Federation, SAMLLittle known feature: OAuth2 delegation
  • 41. OAuth flow using ACS
  • 42. demoASP.NET Web API, OAuth2,Windows Azure ACS
  • 43. OAuth2 delegation?You: OAuth authorization serverACS: Keep track of supported consumersACS: Keep track of user consentACS: OAuth token expiration & refreshYou: Your API
  • 44. Conclusion
  • 45. Key takeawaysAPI’s are the new appsValuableHTTPASP.NET Web APIWindows Azure Access Control Service
  • 46. http://blog.maartenballiauw. be @maartenballiauw http://amzn.to/pronugetThank you!