Your SlideShare is downloading. ×
0
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

3,249

Published on

More info on http://www.techdays.be

More info on http://www.techdays.be

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,249
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
28
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Who am I?Maarten BalliauwTechnical Evangelist, JetBrainsMyGet.orgAZUGFocus on web ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsiderBuy me a beer! http://amzn.to/pronugethttp://blog.maartenballiauw.be Shameless self promotion: Pro NuGet -@maartenballiauw http://amzn.to/pronuget
  • 2. AgendaWhy would I need an API?API characteristicsASP.NET MVC Web APIWindows Azure ACS
  • 3. Why would I need an API?
  • 4. Consuming the web2000-2008: Desktop browser2008-2012: Mobile browser2008-2012: iPhone and Android apps2010-2014: Tablets, tablets, tablets2014-2016: Your fridge (Internet of Things)
  • 5. Twitter & FacebookBy show of hands
  • 6. Make everyone API(as the French say)
  • 7. Expose services to 3rd partiesValuableFlexibleManagedSupportedHave a plan
  • 8. Reach More Clients
  • 9. You’re not the only one Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
  • 10. API Characteristics
  • 11. What is an API?Software-to-Software interfaceContract between software and developers Functionalities, constraints (technical / legal) Programming instructions and standardsOpen services to other software developers (public or private)
  • 12. FlavoursTransport Message contract HTTP  SOAP Sockets  XML  Binary  JSON  HTML  …
  • 13. Technical Most API’s use HTTP and REST extensively  Addressing  HTTP Verbs  Media types  HTTP status codes  Hypermedia (*)
  • 14. Demo
  • 15. HTTP VerbsGET – return dataHEAD – check if the data existsPOST – create or update dataPUT – put dataMERGE – merge values with existing dataDELETE – delete data
  • 16. Status codes200 OK – Everything is OK, your expected data is in the response.401 Unauthorized – You either have to log in or you are not allowed toaccess the resource.404 Not Found – The resource could not be found.500 Internal Server Error – The server failed processing your request.…
  • 17. Think RFC2324!
  • 18. ASP.NET Web API
  • 19. ASP.NET Web APIPart of ASP.NET MVC 4Framework to build HTTP Services (REST)Solid features Modern HTTP programming model Content negotiation (e.g. xml, json, ...) Query composition (OData query support) Model binding and validation (conversion to .NET objects) Routes Filters (e.g. Validation, exception handling, ...) And more!
  • 20. ASP.NET Web API is easy!HTTP Verb = action“Content-type” header = data format in“Accept” header = data format outReturn meaningful status code
  • 21. Demo
  • 22. Securing your APINo authenticationBasic/Windows authentication[Authorize] attribute
  • 23. Demo
  • 24. The world of API clients is complex CLIENTS AUTHN + AUTHZ HTML5+JS Username/password? SPA Basic auth? Native apps NTLM / Kerberos? Server-to-server Client certificate? Shared secret?
  • 25. A lot of public API’s… “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
  • 26. OAuth2
  • 27. TechDays badges “I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”
  • 28. TechDays badges +--------+ +---------------+ | |--(A)– Register for TechDays-->| Resource | | | | Owner | | |<-(B)-Sure! Here’s an e-ticket-| Microsoft | | | +---------------+ | | . | | +---------------+ | Client |--(C)----- Was invited! ------>| Authorization | | Me | | Server | | |<-(D)---- Here’s a badge! -----| Reception | | | (5-7 March;speaker) +---------------+ | | . | | +---------------+ | |--(E)------ Show badge ------->| Resource | | | | Server | | |<-(F)-- Enter speakers room ---| Kinepolis | +--------+ +---------------+ Next year, I will have to refresh my badge
  • 29. TechDays badges “I received a ticket with a Barcode I can hand to the Reception which gives me aBadge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March” Me = ClientDelegation Barcode = Access Code Reception = Authorization Server Microsoft = Resource Owner Kinepolis = Resource Server Badge = Access Token Speaker = Scope 5-7 March = Token Lifetime
  • 30. OAuth2 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+ Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31
  • 31. Demo
  • 32. Quick side note…There are 3 major authentication flowsBased on type of clientVariants possible
  • 33. OAuth2 – Initial flow
  • 34. OAuth2 – “Refresh” (one of those variants)
  • 35. Access tokens / Refresh tokensIn theory: whatever format you wantWidely used: JWT (“JSON Web Token”)Less widely used: SWT (“Simple Web Token”)Signed / Encrypted
  • 36. JWTHeader:{"alg":"none"}Token:{"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
  • 37. Is OAuth2 different from OpenID?Yes.OpenID = authNOAuth2 = authN (optional) + authZhttp://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thinghttp://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx
  • 38. What you have to implementOAuth authorization serverKeep track of supported consumersKeep track of user consentOAuth token expiration & refreshOh, and your API
  • 39. Windows AzureAccess Control Service
  • 40. ACS - Identity in Windows AzureActive Directory federationGraph APIWeb SSOLink apps to identity providers using rulesSupport WS-Security, WS-Federation, SAMLLittle known feature: OAuth2 delegation
  • 41. OAuth flow using ACS
  • 42. Demo
  • 43. OAuth2 delegation?You: OAuth authorization serverACS: Keep track of supported consumersACS: Keep track of user consentACS: OAuth token expiration & refreshYou: Your API
  • 44. Conclusion
  • 45. Key takeawaysAPI’s are the new appsValuableHTTPASP.NET Web APIOAuth2Windows Azure Access Control Service
  • 46. http://blog.maartenballiauw.be @maartenballiauw http://amzn.to/pronugetThank you!

×