End to End Security with MVC and Web API

3,289

Published on

This session discussed the authentication, authorization techniques of today for web and api applications based on ASP.NET MVC and Web API.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,289
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
31
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "End to End Security with MVC and Web API"

  1. DEVintersection Session AS17. End-to-End Security for Your Web API and MVC Applications. Michele Leroux Bustamante, michelebusta@solliance.net
  2. Michele Leroux Bustamante
     - Managing Partner, Solliance (solliance.net)
     - CEO and Cofounder, Snapboard (snapboard.com)
     - Microsoft Regional Director, Microsoft MVP
     - Author, Speaker; Pluralsight courses on the way!
     - Blog: michelebusta.com; michelebusta@solliance.net; @michelebusta
     © DEVintersection. All rights reserved. http://www.DEVintersection.com
  3. Hello World! 1992
  4. Hello World!
  5. Hello World! 2013
  6. (diagram) Clients: WPF Client, Windows Phone 8, Windows Phone 7, iPhone, Windows 8/Surface, Android, Mobile Browsers, iPad. Services: Web API (mobile), Web API (ajax), Web API (business), MVC Web.
  7. Things are complicated… So we seek simplicity where we can
  8. WS* HELL: WS-Federation, WS-ReliableMessaging, WS-PolicyAttachment, OASIS Web Services Security, WSDL, WS-Coordination, WS-CAF, MTOM, WS-Transfer, WS-Eventing, WS-BusinessActivity, WS-ResourceTransfer, WSRF, DIME, WS-Addressing, SOAP
  9. (same content as slide 8)
  10. Authentication / Authorization Considerations
     - Authentication: Windows, username/password, cert; WS-Federation, SAML 2.0, OAuth2 w/ OpenID Connect
     - Token Formats: Windows, Basic; SAML 1.1, SAML 2.0, JSON Web Token (JWT), SWT (legacy)
     - Authorization: Roles, Claims, social scenarios and architecture
     - Message Protection (TLS / SSL / WS*)
  11. (diagram) Browsers: an HTML View with JS talks to a View Controller (MVC) and, via ajax, to a Web API Controller (Web API).
  12. (diagram) Mobile Browsers / Devices: an HTML View with JS talks via ajax to a View/API Controller; View Controller and Views (MVC).
  13. (diagram) WPF Client calls an API Controller (Web API).
  14. (diagram) Windows Clients, Windows Mobile Devices, Other Clients, iOS Mobile Devices and Android Mobile Devices all call an API Controller (Web API).
  15. Wherever possible choose the lowest common denominator
  16. Demo: WebSecurity and Claims
  17. POINTS: WebSecurity and Claims
     - Initialize WebSecurity early
     - Use ClaimsPrincipal to get all claims (Roles)
     - Install AuthorizationAttribute as a filter, use AllowAnonymousAttribute
     - Use AuthorizationAttribute to prevent access by roles
     - Create utilities to streamline use of claims
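The points on slide 17 in code, as an added example (not the speaker's demo code): WebSecurity is initialized once in Application_Start, the MVC `AuthorizeAttribute` (the attribute the slide calls AuthorizationAttribute) is installed as a global filter so that actions are protected by default and opt out with `AllowAnonymous`, and a small `ClaimsUtil` helper hides the `ClaimsPrincipal` plumbing. Assumed: ASP.NET MVC 4 with SimpleMembership (WebMatrix.WebData) on .NET 4.5; the connection string name, user table and column names, and the controller are placeholders.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;
using WebMatrix.WebData;

namespace SampleApp
{
    public class MvcApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            // Initialize early: here, not lazily from a filter, so the first
            // request never races the connection/schema setup.
            // Connection string, table and column names are placeholders.
            WebSecurity.InitializeDatabaseConnection(
                "DefaultConnection", "UserProfile", "UserId", "UserName",
                autoCreateTables: true);

            // Deny by default: every action requires an authenticated user
            // unless it opts out with [AllowAnonymous].
            GlobalFilters.Filters.Add(new AuthorizeAttribute());
        }
    }

    // Utilities that keep claims handling out of the controllers.
    public static class ClaimsUtil
    {
        private static ClaimsPrincipal Current
        {
            // Fall back to an empty (unauthenticated) principal so callers never see null.
            get { return ClaimsPrincipal.Current ?? new ClaimsPrincipal(new ClaimsIdentity()); }
        }

        public static IEnumerable<string> Roles()
        {
            return Current.FindAll(ClaimTypes.Role).Select(c => c.Value);
        }

        public static string ValueOf(string claimType)
        {
            Claim claim = Current.FindFirst(claimType);
            return claim == null ? null : claim.Value;
        }

        public static bool IsInRole(string role)
        {
            return Current.HasClaim(ClaimTypes.Role, role);
        }

        public static IEnumerable<Claim> All()
        {
            return Current.Claims;
        }
    }

    // Placeholder controller showing the attribute usage.
    public class AccountController : Controller
    {
        [AllowAnonymous]
        public ActionResult Login() { return View(); }

        // Reached only by authenticated users (global AuthorizeAttribute).
        public ActionResult Profile()
        {
            ViewBag.Email = ClaimsUtil.ValueOf(ClaimTypes.Email);
            ViewBag.Roles = string.Join(", ", ClaimsUtil.Roles());
            return View();
        }

        // Role check on top of authentication.
        [Authorize(Roles = "Admin")]
        public ActionResult ManageUsers() { return View(); }
    }
}
```

The global filter is the important part: an action that is forgotten is closed rather than open, and the role check on ManageUsers is evaluated against role claims in the principal, which is why the WIF session (next slides) must carry them.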
  18. Demo: Enabling WIF Sessions
  19. POINTS: WIF Sessions
     - Create a custom SessionAuthenticationModule
     - Encapsulate cookie write/delete, ClaimsPrincipal create
     - For Forms redirect, need WebSecurity enabled
     - Must delete forms cookie + session cookie
     - Other WIF best practices: Use SSL; Server side session cookies (space, load balancing); Shared token cache (replay detection, load balancing)
  20. POINTS: Additional WIF Techniques
     - ClaimsAuthenticationManager: Transform claims from user authentication into application claims (assumes stored by app)
     - ClaimsAuthorizationManager: Use with custom AuthorizationAttribute; See Thinktecture library
     - ClaimsPrincipalPermission: DO NOT USE
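Slides 19 and 20 together, as an added example (not the speaker's demo): a `WifSession` helper that encapsulates creating the `ClaimsPrincipal`, writing the WIF session cookie and deleting both cookies on sign-out, plus a `ClaimsAuthenticationManager` that turns the raw login identity into application claims. Assumed: .NET 4.5 (System.IdentityModel and System.IdentityModel.Services), Forms authentication, and a SessionAuthenticationModule plus this ClaimsAuthenticationManager registered in web.config; `IUserStore` is a placeholder for the app's own role data.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Security;

namespace SampleApp.Security
{
    // Placeholder for the application's own user/role store.
    public interface IUserStore
    {
        IEnumerable<string> RolesFor(string userName);
    }

    public static class WifSession
    {
        private static SessionAuthenticationModule Sam
        {
            get { return FederatedAuthentication.SessionAuthenticationModule; }
        }

        // Call once at startup. Reference mode keeps the claims in the server-side
        // token cache and sends only a key in the cookie: a small cookie, and with
        // a shared cache the session survives load balancing.
        public static void UseServerSideSessions()
        {
            Sam.IsReferenceMode = true;
        }

        // Build the principal and write the session cookie. The authentication
        // type must be given, otherwise IsAuthenticated stays false.
        public static ClaimsPrincipal SignIn(string userName, IEnumerable<Claim> extraClaims, TimeSpan lifetime)
        {
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
            claims.AddRange(extraClaims);
            var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Forms"));

            // Run the configured ClaimsAuthenticationManager before the cookie is
            // written, so the stored session already carries application claims.
            ClaimsAuthenticationManager manager = FederatedAuthentication
                .FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager;
            principal = manager.Authenticate("session", principal);

            Sam.WriteSessionTokenToCookie(new SessionSecurityToken(principal, lifetime));
            return principal;
        }

        // Both cookies must go; deleting only one leaves the user signed in
        // through the other.
        public static void SignOut()
        {
            Sam.SignOut();                 // removes the WIF session cookie
            FormsAuthentication.SignOut(); // removes the Forms authentication cookie
        }
    }

    // Transforms the login identity (name only) into application claims (roles
    // stored by the app). Needs a parameterless constructor because WIF
    // instantiates it from web.config; the store is injected statically at startup.
    public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        public static IUserStore Store { get; set; }

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated || Store == null)
                return incomingPrincipal;

            var identity = (ClaimsIdentity)incomingPrincipal.Identity;
            foreach (string role in Store.RolesFor(identity.Name))
                identity.AddClaim(new Claim(ClaimTypes.Role, role));
            return incomingPrincipal;
        }
    }
}
```

Controllers call `WifSession.SignIn(...)` after a successful WebSecurity login and `WifSession.SignOut()` on logout; the session cookie should only ever be sent over SSL (the `requireSsl` setting on the cookie handler), which is the first of the slide's best practices.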
  21. Demo: Calling Web API
  22. POINTS: Web API Calls
     - Must authenticate calls to Web API
     - Trusted Subsystem: No need to authenticate the user again; Provide a key (Windows, Certificate, signed token)
     - JWT: New preferred way to send lightweight token; Pass user claims relevant to downstream services
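The trusted-subsystem call with a JWT, as an added example (not the speaker's demo): the MVC front end, which has already authenticated the user, issues a short-lived JWT carrying only the claims the downstream service needs and signs it with a key shared with the Web API; a `DelegatingHandler` on the Web API side validates the token and rejects the call before any controller runs. Assumed: the Microsoft JWT handler package (System.IdentityModel.Tokens.Jwt 4.0.x) on .NET 4.5 with ASP.NET Web API; issuer, audience and the shared key are placeholders, and in a real deployment the key comes from protected configuration rather than source.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;

namespace SampleApp.ApiSecurity
{
    public static class JwtSettings
    {
        public const string Issuer = "https://mvc.example.test";   // placeholder
        public const string Audience = "https://api.example.test"; // placeholder
        // Placeholder 256-bit shared secret; load from protected config in practice.
        public static readonly byte[] Key = Convert.FromBase64String(
            "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=");
    }

    // Front end side: forward only the claims the downstream service needs.
    public static class JwtIssuer
    {
        public static string Issue(ClaimsPrincipal user, TimeSpan lifetime)
        {
            var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user.Identity.Name) });
            foreach (Claim role in user.FindAll(ClaimTypes.Role))
                identity.AddClaim(new Claim(ClaimTypes.Role, role.Value));

            var descriptor = new SecurityTokenDescriptor
            {
                Subject = identity,
                TokenIssuerName = JwtSettings.Issuer,
                AppliesToAddress = JwtSettings.Audience,
                Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.Add(lifetime)),
                SigningCredentials = new SigningCredentials(
                    new InMemorySymmetricSecurityKey(JwtSettings.Key),
                    SecurityAlgorithms.HmacSha256Signature,
                    SecurityAlgorithms.Sha256Digest)
            };
            var handler = new JwtSecurityTokenHandler();
            return handler.WriteToken(handler.CreateToken(descriptor));
        }

        // HttpClient pre-loaded with a bearer token for the current user.
        public static HttpClient ClientFor(ClaimsPrincipal user)
        {
            var client = new HttpClient { BaseAddress = new Uri(JwtSettings.Audience) };
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", Issue(user, TimeSpan.FromMinutes(5)));
            return client;
        }
    }

    // Web API side. Register with config.MessageHandlers.Add(new JwtAuthHandler()).
    // CreateResponse comes from the System.Web.Http assembly.
    public class JwtAuthHandler : DelegatingHandler
    {
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            AuthenticationHeaderValue auth = request.Headers.Authorization;
            if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
                return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));

            var parameters = new TokenValidationParameters
            {
                ValidIssuer = JwtSettings.Issuer,      // reject tokens minted by anyone else
                ValidAudience = JwtSettings.Audience,  // reject tokens issued for another API
                IssuerSigningKey = new InMemorySymmetricSecurityKey(JwtSettings.Key)
            };
            try
            {
                SecurityToken validated;
                ClaimsPrincipal principal = new JwtSecurityTokenHandler()
                    .ValidateToken(auth.Parameter, parameters, out validated);
                Thread.CurrentPrincipal = principal;
                if (System.Web.HttpContext.Current != null)
                    System.Web.HttpContext.Current.User = principal;
            }
            catch (SecurityTokenException)   // bad signature, expired, wrong issuer/audience
            {
                return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));
            }
            catch (ArgumentException)        // not a JWT at all
            {
                return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));
            }
            return base.SendAsync(request, cancellationToken);
        }
    }
}
```

The user is not re-authenticated at the API; the API trusts the front end because only a holder of the shared key can produce a valid signature, which is exactly the trusted-subsystem relationship on the slide. Keep the lifetime short, since a captured token is usable until it expires.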
  23. Social Login and User Consent
     - OAuth 2.0: Supports variations of passive and active federation; Popular for user consent flows where an application wants access to user information from another application (Sharing flickr photos, Sharing tweets, Facebook integration); NOT for authentication
     - Authentication: Twitter, Facebook Connect, OpenID Connect
  24. User Consent (sequence diagram, 11 steps) between Browser, Client Application, Authorization Server (Login Page) and Resource Server. Labelled steps: Login Page, Authorization Code, Get access token, Access + refresh token, Store Tokens, Request information, Requested Information.
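The Client Application side of the consent flow on slide 24, as an added example (not from the deck): the user is sent to the authorization server's login page, the authorization code comes back on the redirect, the code is exchanged for access and refresh tokens over the back channel, and the tokens are stored. Assumed: a generic OAuth 2.0 authorization server with authorize and token endpoints (placeholders), ASP.NET MVC 4 on .NET 4.5, Json.NET for the token response, and a placeholder `ITokenStore`. The `state` parameter is not on the slide; it is the standard OAuth 2.0 guard that ties the callback to the session that started the flow.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web.Mvc;
using Newtonsoft.Json.Linq;

namespace SampleApp.OAuth
{
    public class TokenSet
    {
        public string AccessToken { get; set; }
        public string RefreshToken { get; set; }
        public DateTime ExpiresAtUtc { get; set; }
    }

    // Placeholder for wherever the app keeps tokens (encrypted at rest).
    public interface ITokenStore
    {
        void Save(string userName, string provider, TokenSet tokens);
    }

    public class ConsentController : Controller
    {
        const string AuthorizeEndpoint = "https://provider.example.test/oauth/authorize"; // placeholder
        const string TokenEndpoint = "https://provider.example.test/oauth/token";         // placeholder
        const string ClientId = "<client-id>";                                            // placeholder
        const string ClientSecret = "<client-secret>";                                    // placeholder
        const string StateSessionKey = "oauth_state";

        private readonly ITokenStore store;
        public ConsentController(ITokenStore store) { this.store = store; }

        // "Login Page": redirect the browser to the authorization server.
        public ActionResult Start()
        {
            // Random per-request state: the callback is only accepted from the
            // session that started the flow, so a third party cannot plant a code.
            var stateBytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(stateBytes);
            string state = Convert.ToBase64String(stateBytes);
            Session[StateSessionKey] = state;

            string url = AuthorizeEndpoint
                + "?response_type=code"
                + "&client_id=" + Uri.EscapeDataString(ClientId)
                + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri())
                + "&scope=" + Uri.EscapeDataString("photos.read")   // placeholder scope
                + "&state=" + Uri.EscapeDataString(state);
            return Redirect(url);
        }

        // "Authorization Code" arrives here; "Get access token" and "Store Tokens" follow.
        public async Task<ActionResult> Callback(string code, string state, string error)
        {
            string expected = Session[StateSessionKey] as string;
            Session.Remove(StateSessionKey);   // one use only
            if (!string.IsNullOrEmpty(error))
                return new HttpStatusCodeResult(400, "consent not granted: " + error);
            if (string.IsNullOrEmpty(code) || expected == null || state != expected)
                return new HttpStatusCodeResult(400, "state mismatch");

            using (var http = new HttpClient())
            {
                // Back channel: the client secret is sent server-to-server, never to the browser.
                var form = new FormUrlEncodedContent(new Dictionary<string, string>
                {
                    { "grant_type", "authorization_code" },
                    { "code", code },
                    { "redirect_uri", RedirectUri() },
                    { "client_id", ClientId },
                    { "client_secret", ClientSecret }
                });
                HttpResponseMessage response = await http.PostAsync(TokenEndpoint, form);
                response.EnsureSuccessStatusCode();

                // "Access + refresh token" response.
                JObject json = JObject.Parse(await response.Content.ReadAsStringAsync());
                var tokens = new TokenSet
                {
                    AccessToken = (string)json["access_token"],
                    RefreshToken = (string)json["refresh_token"],
                    ExpiresAtUtc = DateTime.UtcNow.AddSeconds((double?)json["expires_in"] ?? 3600)
                };
                store.Save(User.Identity.Name, "provider", tokens);
            }
            return RedirectToAction("Index", "Home");
        }

        private string RedirectUri()
        {
            return Url.Action("Callback", "Consent", null, Request.Url.Scheme);
        }
    }
}
```

The access token is later presented to the Resource Server ("Request information" / "Requested Information"); the refresh token is used only against the token endpoint and should never leave the server.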
  25. Social Login / Delegated Authorization
     - Typical choices for B-to-B: Username/password, Twitter, Linked In
     - Typical choices for B-to-C: Username/password, Twitter, Facebook (maybe), Google+
     - Corporate environments: Windows, Username/password, Live ID
  26. Registration Options
  27. Create Account
  28. Facebook Registration
  29. Facebook Registration (2)
  30. Twitter Registration
  31. Social Login
  32. Demo: Social Login
  33. Login or Register?
     - Make both available
     - Make it obvious
     - Navigation bar is one option
  34. (diagram) Access Control & Twitter: Browser, Your App, Access Control and Your STS, with identity providers Google, FaceBook, Yahoo!, Windows Live and Twitter (6 steps).
  35. (diagram) Your App & Facebook / Twitter: Browser, Your App (OAuthWebSecurity), FaceBook, Twitter.
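The OAuthWebSecurity path on slide 35 with the login-or-register decision from slide 33 made in one callback, as an added example (not the speaker's demo code): the provider is registered at startup, the callback first tries to log in an already-linked account and otherwise hands the user to a registration confirmation. Assumed: ASP.NET MVC 4 with Microsoft.Web.WebPages.OAuth, DotNetOpenAuth.AspNet and WebMatrix.WebData; app keys are placeholders and `IUserProfiles` stands in for the app's user table.

```csharp
using System.Web.Mvc;
using DotNetOpenAuth.AspNet;
using Microsoft.Web.WebPages.OAuth;
using WebMatrix.WebData;

namespace SampleApp.Social
{
    public static class AuthConfig
    {
        // Call from Application_Start. Keys are placeholders; load from protected config.
        public static void RegisterAuth()
        {
            OAuthWebSecurity.RegisterFacebookClient("<facebook-app-id>", "<facebook-app-secret>");
            OAuthWebSecurity.RegisterTwitterClient("<twitter-consumer-key>", "<twitter-consumer-secret>");
        }
    }

    // Placeholder for the application's own user table.
    public interface IUserProfiles
    {
        void Create(string userName);
    }

    public class ExternalLoginConfirmationModel
    {
        public string UserName { get; set; }
        public string ExternalLoginData { get; set; } // protected provider + provider user id
    }

    // Starts the provider redirect; the OAuth / OAuth 1.0a exchange is inside the library.
    public class ExternalLoginResult : ActionResult
    {
        private readonly string provider, returnUrl;
        public ExternalLoginResult(string provider, string returnUrl) { this.provider = provider; this.returnUrl = returnUrl; }
        public override void ExecuteResult(ControllerContext context)
        {
            OAuthWebSecurity.RequestAuthentication(provider, returnUrl);
        }
    }

    public class SocialAccountController : Controller
    {
        private readonly IUserProfiles profiles;
        public SocialAccountController(IUserProfiles profiles) { this.profiles = profiles; }

        [AllowAnonymous, HttpPost, ValidateAntiForgeryToken]
        public ActionResult ExternalLogin(string provider, string returnUrl)
        {
            return new ExternalLoginResult(provider, Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
        }

        [AllowAnonymous]
        public ActionResult ExternalLoginCallback(string returnUrl)
        {
            AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(
                Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
            if (!result.IsSuccessful)
                return RedirectToAction("ExternalLoginFailure");

            // Login: the (provider, provider user id) pair is already linked to a local account.
            if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
                return RedirectToLocal(returnUrl);

            // Register: no linked account yet. The provider id goes to the confirmation
            // form as a protected blob, so the posted value cannot be swapped for another user's.
            ViewBag.ProviderDisplayName = OAuthWebSecurity.GetOAuthClientData(result.Provider).DisplayName;
            return View("ExternalLoginConfirmation", new ExternalLoginConfirmationModel
            {
                UserName = result.UserName,
                ExternalLoginData = OAuthWebSecurity.SerializeProviderUserId(result.Provider, result.ProviderUserId)
            });
        }

        [AllowAnonymous, HttpPost, ValidateAntiForgeryToken]
        public ActionResult ExternalLoginConfirmation(ExternalLoginConfirmationModel model, string returnUrl)
        {
            string provider, providerUserId;
            if (User.Identity.IsAuthenticated
                || !OAuthWebSecurity.TryDeserializeProviderUserId(model.ExternalLoginData, out provider, out providerUserId))
                return RedirectToAction("Index", "Home");

            if (WebSecurity.UserExists(model.UserName))
            {
                ModelState.AddModelError("UserName", "User name already exists. Please choose another.");
                return View(model);
            }
            profiles.Create(model.UserName);
            OAuthWebSecurity.CreateOrUpdateAccount(provider, providerUserId, model.UserName);
            OAuthWebSecurity.Login(provider, providerUserId, createPersistentCookie: false);
            return RedirectToLocal(returnUrl);
        }

        [AllowAnonymous]
        public ActionResult ExternalLoginFailure() { return View(); }

        // Only follow local return URLs; an absolute URL here would be an open redirect.
        private ActionResult RedirectToLocal(string returnUrl)
        {
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
    }
}
```

The link between the social identity and the local account is keyed on the provider's user id, not on the e-mail address the provider reports, so a changed or reused e-mail cannot hijack the link.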
  36. (diagram) Access Control, Social & Azure AD (vision): Browser, Your App, User Profile, Access Control and Azure AD, with providers Google, Yahoo!, FaceBook, Windows Live and Twitter.
  37. Identity and Access Management Tools
     - Windows Azure Active Directory: Sync directories with domain; Spin up new directories; Connect with other IdP
     - Thinktecture: Code base for IdP and Authorization Server; Fully functional, you own it, you can edit it; WS-Fed and OAuth2, SAML2 coming
     - Auth0: Hosted model, affordable, from small business to enterprise; When you don't want to own the code, need IdP, Authorization Server/OpenID Connect support
  38. References
     - Conference resources: http://michelebusta.com
     - See my snapboards: Currently at the alpha site: http://snapboardalpha.cloudapp.net/michelebusta. Will move these to snapboard.com/michelebusta when we go live on the main site (SOON, watch my blog for announcement)
     - Contact me: michelebusta@solliance.net, @michelebusta