End to End Security with MVC and Web API
This session discussed the authentication, authorization techniques of today for web and api applications based on ASP.NET MVC and Web API.

    Presentation Transcript

    • DEVintersection Session AS17: End-to-End Security for Your Web API and MVC Applications. Michele Leroux Bustamante, michelebusta@solliance.net
    • Michele Leroux Bustamante: Managing Partner, Solliance (solliance.net); CEO and Cofounder, Snapboard (snapboard.com); Microsoft Regional Director; Microsoft MVP; Author, Speaker; Pluralsight courses on the way! Blog: michelebusta.com, michelebusta@solliance.net, @michelebusta. Slide 2 © DEVintersection. All rights reserved. http://www.DEVintersection.com
    • Hello World! 1992
    • Hello World!
    • Hello World! 2013
    • [Diagram] Clients (WPF client, Windows Phone 7/8, iPhone, iPad, Android, Windows 8/Surface, mobile browsers) calling Web API (mobile), Web API (ajax), Web API (business) and the MVC web application
    • Things are complicated… So we seek simplicity where we can
    • WS* HELL: WS-Federation, WS-ReliableMessaging, WS-PolicyAttachment, OASIS Web Services Security, WSDL, WS-Coordination, WS-CAF, MTOM, WS-Transfer, WS-Eventing, WS-BusinessActivity, WS-ResourceTransfer, WSRF, DIME, WS-Addressing, SOAP
    • Authentication / Authorization Considerations
        ◦ Authentication
            ▪ Windows, username/password, certificate
            ▪ WS-Federation, SAML 2.0, OAuth2 with OpenID Connect
        ◦ Token formats
            ▪ Windows, Basic
            ▪ SAML 1.1, SAML 2.0, JSON Web Token (JWT), SWT (legacy)
        ◦ Authorization: roles, claims, social scenarios and architecture
        ◦ Message protection (TLS / SSL / WS*)
    • [Diagram] Browsers: HTML views served by MVC view controllers; JavaScript/ajax calls go to Web API controllers
    • [Diagram] Mobile browsers and devices: HTML views from MVC view/API controllers; device and ajax calls go to the API
    • [Diagram] WPF client calling Web API API controllers directly
    • [Diagram] Windows clients, Windows Mobile devices, iOS and Android mobile devices and other clients all calling Web API API controllers
    • Wherever possible choose the lowest common denominator
    • Demo: WebSecurity and Claims
    • POINTS: WebSecurity and Claims
        ◦ Initialize WebSecurity early
        ◦ Use ClaimsPrincipal to get all claims (roles)
        ◦ Install AuthorizationAttribute as a filter; use AllowAnonymousAttribute
        ◦ Use AuthorizationAttribute to prevent access by roles
        ◦ Create utilities to streamline use of claims
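    As an added example (not code from the session or its demo), one way to implement the points above in ASP.NET MVC: a global authorization filter derived from System.Web.Mvc.AuthorizeAttribute that checks a claim on the ClaimsPrincipal, plus the small claim helpers the slide recommends. The names ClaimsAuthorizeAttribute, ClaimsExtensions and the department claim type are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Hypothetical helpers that streamline use of claims on a ClaimsPrincipal.
public static class ClaimsExtensions
{
    public static string GetClaimValue(this ClaimsPrincipal principal, string claimType)
    {
        var claim = principal == null ? null : principal.FindFirst(claimType);
        return claim == null ? null : claim.Value;
    }

    // All role claims (WebSecurity roles surface as ClaimTypes.Role on the principal).
    public static string[] GetRoles(this ClaimsPrincipal principal)
    {
        if (principal == null) return new string[0];
        return principal.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray();
    }
}

// Hypothetical filter: requires an authenticated user holding a specific claim.
// Usage: [ClaimsAuthorize("http://example.test/claims/department", "finance")] (constructed
// claim type), or add it to GlobalFilters so every action is protected unless it
// carries [AllowAnonymous]; the base OnAuthorization honours that attribute.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _claimType;
    private readonly string _claimValue;

    public ClaimsAuthorizeAttribute(string claimType, string claimValue)
    {
        _claimType = claimType;
        _claimValue = claimValue;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: authenticated, and in Roles/Users if those properties were set.
        if (!base.AuthorizeCore(httpContext)) return false;
        var principal = httpContext.User as ClaimsPrincipal;
        return principal != null && principal.HasClaim(_claimType, _claimValue);
    }

    // Authenticated but missing the claim: answer 403 rather than redirecting to the
    // login page, which would loop for a user who is already signed in.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```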
    • Demo: Enabling WIF Sessions
    • POINTS: WIF Sessions
        ◦ Create a custom SessionAuthenticationModule
        ◦ Encapsulate cookie write/delete and ClaimsPrincipal creation
        ◦ For Forms redirect, WebSecurity must be enabled
        ◦ Must delete forms cookie + session cookie
        ◦ Other WIF best practices
            ▪ Use SSL
            ▪ Server side session cookies (space, load balancing)
            ▪ Shared token cache (replay detection, load balancing)
    • POINTS: Additional WIF Techniques
        ◦ ClaimsAuthenticationManager: transform claims from user authentication into application claims (assumes claims stored by the app)
        ◦ ClaimsAuthorizationManager
            ▪ Use with custom AuthorizationAttribute
            ▪ See Thinktecture library
        ◦ ClaimsPrincipalPermission: DO NOT USE
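    As an added example (not the session's demo code), a wrapper that encapsulates ClaimsPrincipal creation and the WIF session cookie write/delete for the WIF Sessions points above. It assumes .NET 4.5 with SessionAuthenticationModule registered in web.config; the class name ClaimsSession and the "WebSecurity" authentication type label are assumptions.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Security;

// Hypothetical wrapper so controllers never touch the session cookie APIs directly.
public static class ClaimsSession
{
    // Build the ClaimsPrincipal for a user that WebSecurity has just validated.
    public static ClaimsPrincipal CreatePrincipal(string userName, int userId, string[] roles)
    {
        var identity = new ClaimsIdentity("WebSecurity"); // authentication type label (assumed)
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId.ToString()));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    // Write the WIF session cookie; SessionAuthenticationModule rehydrates the
    // principal from it on later requests. Only send it over SSL (slide: "Use SSL").
    public static void SignIn(ClaimsPrincipal principal, TimeSpan lifetime, bool persistent)
    {
        var token = new SessionSecurityToken(principal, lifetime) { IsPersistent = persistent };
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
    }

    // Both cookies must go: the WIF session cookie and the forms cookie WebSecurity uses.
    public static void SignOut()
    {
        FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
        FormsAuthentication.SignOut();
    }
}
```

For the "server side session cookies" point, setting SessionAuthenticationModule.IsReferenceMode = true in Application_Start keeps only a reference in the cookie and the token in the server-side cache, which is the same cache a shared token cache replaces for load-balanced farms.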
    • Demo: Calling Web API
    • POINTS: Web API Calls
        ◦ Must authenticate calls to Web API
        ◦ Trusted Subsystem
            ▪ No need to authenticate the user again
            ▪ Provide a key (Windows, certificate, signed token)
        ◦ JWT
            ▪ New preferred way to send a lightweight token
            ▪ Pass user claims relevant to downstream services
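    As an added example (not the session's demo code), the trusted-subsystem handoff from the points above: the MVC site, which has already authenticated the user, mints a short-lived JWT carrying only the claims the downstream Web API needs, and the Web API validates it before trusting them. It assumes the System.IdentityModel.Tokens.Jwt NuGet package (the current Microsoft.IdentityModel API, newer than the library available when this session was given); the class name, issuer/audience URNs and the sample key are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Hypothetical token service shared by the MVC front end and the business Web API.
public static class DownstreamJwt
{
    // Constructed sample key: in practice load it from configuration or a key vault.
    static readonly byte[] SharedKey = Encoding.UTF8.GetBytes("constructed-sample-key-replace-me-0123456789");
    const string Issuer = "urn:example:mvc-web";        // assumed name of the MVC app
    const string Audience = "urn:example:business-api"; // assumed name of the Web API

    // MVC side: user already authenticated; forward only the claims the API needs.
    public static string Issue(ClaimsPrincipal user, TimeSpan lifetime)
    {
        var subject = user.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null) throw new InvalidOperationException("no user id claim");
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, subject.Value),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()) // id for replay detection
        };
        foreach (var role in user.FindAll(ClaimTypes.Role))
            claims.Add(new Claim(ClaimTypes.Role, role.Value));

        var creds = new SigningCredentials(new SymmetricSecurityKey(SharedKey), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(Issuer, Audience, claims,
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.Add(lifetime), signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Web API side: call from a DelegatingHandler or OWIN middleware on the bearer token.
    // Throws SecurityTokenException on bad signature, wrong issuer/audience, or expiry.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new SymmetricSecurityKey(SharedKey),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }
}
```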
    • Social Login and User Consent
        ◦ OAuth 2.0
            ▪ Supports variations of passive and active federation
            ▪ Popular for user consent flows where an application wants access to user information from another application: sharing Flickr photos, sharing tweets, Facebook integration
            ▪ NOT for authentication
        ◦ Authentication
            ▪ Twitter
            ▪ Facebook Connect
            ▪ OpenID Connect
    • [Diagram] User consent flow (11 numbered steps) between Browser, Client Application, Authorization Server and Resource Server: login page, authorization code, get access token, access + refresh token, store tokens, request information, requested information
    • Social Login / Delegated Authorization
        ◦ Typical choices for B-to-B: username/password, Twitter, LinkedIn
        ◦ Typical choices for B-to-C: username/password, Twitter, Facebook (maybe), Google+
        ◦ Corporate environments: Windows, username/password, Live ID
    • Registration Options
    • Create Account
    • Facebook Registration
    • Facebook Registration (2)
    • Twitter Registration
    • Social Login
    • Demo: Social Login
    • Login or Register?
        ◦ Make both available
        ◦ Make it obvious
        ◦ Navigation bar is one option
    • [Diagram] Access Control with social providers (Google, Facebook, Yahoo!, Windows Live, Twitter): Browser, Your App, Access Control and Your STS, six numbered steps
    • [Diagram] Your App with Facebook / Twitter directly: Browser, Facebook, Twitter, Your App via OAuthWebSecurity
    • [Diagram] Access Control, Social and Azure AD (vision): Browser, Your App, Access Control (Google, Yahoo!, Windows Live, Facebook, Twitter), Azure AD, User Profile
    • Identity and Access Management Tools
        ◦ Windows Azure Active Directory: sync directories with domain, spin up new directories, connect with other IdPs
        ◦ Thinktecture: code base for IdP and Authorization Server; fully functional, you own it, you can edit it; WS-Fed and OAuth2, SAML2 coming
        ◦ Auth0: hosted model, affordable, from small business to enterprise; for when you don't want to own the code and need IdP, Authorization Server/OpenID Connect support
    • References
        ◦ Conference resources: http://michelebusta.com
        ◦ See my snapboards: currently at the alpha site, http://snapboardalpha.cloudapp.net/michelebusta; will move to snapboard.com/michelebusta when we go live on the main site (SOON, watch my blog for the announcement)
        ◦ Contact me: michelebusta@solliance.net, @michelebusta