What we will learn today:
- What is OAuth (intro)
- The new authentication model of MVC 5 & OWIN and how it relates to OAuth
- The .NET components Microsoft ships that deal with OAuth, such as Facebook authentication
Note: we will be fast
Before OAuth: the password anti-pattern. To let a third-party application act on your behalf, you gave it your password. Everyone who held it had unconditional access to all of your resources, including the foolish and the malicious. Once in their hands, you could never revoke their access unless you changed the password, which also cut off every other application you had shared it with.
OAuth started in 2006
- Blaine Cook (Twitter)
- Chris Messina
- Larry Halff
- David Recordon
- Eran Hammer
Later, in 2008, it moved under the umbrella of the Internet Engineering Task Force (IETF)
The flow illustrated in Figure 3 (RFC 6749, section 4.1, the authorization code grant) includes the following steps:
(A) The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).
(B) The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
(C) Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier.
(D) The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification.
(E) The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token.
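As an added example, not part of the presentation: steps (A) to (E) implemented as a toy C# authorization server and confidential client, with the checks each step implies (exact redirect_uri match before any redirect, client authentication at the token endpoint, single-use short-lived codes, state round-trip on the callback). The client name, secret and URLs are made up, and the two redirects are simulated by passing the query parameters around as a Callback object instead of real HTTP.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not from the presentation: a toy in-memory authorization server and a confidential
// client walking through steps (A)-(E). Names (photo-printer, printer.example) are made up.
public class RegisteredClient { public string Secret; public string RedirectUri; }
public class IssuedCode { public string ClientId; public string RedirectUri; public string Scope; public DateTime ExpiresUtc; }
public class Callback { public string Code; public string State; public string Error; } // query parameters on the redirect URI
public class TokenResponse { public string AccessToken; public string TokenType; public string Scope; }

public static class Util
{
    public static string RandomToken(int byteCount = 32) // unguessable code/token/state values
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_'); // base64url
    }
    public static bool FixedTimeEquals(string a, string b) // no early exit on the first differing character
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class AuthorizationServer
{
    readonly Dictionary<string, RegisteredClient> clients = new Dictionary<string, RegisteredClient>();
    readonly Dictionary<string, IssuedCode> codes = new Dictionary<string, IssuedCode>();
    public readonly Dictionary<string, string> AccessTokens = new Dictionary<string, string>(); // token -> scope

    public void RegisterClient(string id, string secret, string redirectUri) { clients[id] = new RegisteredClient { Secret = secret, RedirectUri = redirectUri }; }

    // (A)-(C): authorization endpoint. Returns what the user-agent carries back to the client's redirect URI.
    public Callback Authorize(string clientId, string redirectUri, string scope, string state, bool ownerGrants)
    {
        RegisteredClient c;
        // Unknown client or redirect_uri differing from registration: fail here, never redirect (open redirector otherwise).
        if (!clients.TryGetValue(clientId, out c) || c.RedirectUri != redirectUri)
            throw new InvalidOperationException("invalid_request: unknown client_id or redirect_uri mismatch");
        if (!ownerGrants) return new Callback { Error = "access_denied", State = state };
        string code = Util.RandomToken();
        codes[code] = new IssuedCode { ClientId = clientId, RedirectUri = redirectUri, Scope = scope, ExpiresUtc = DateTime.UtcNow.AddMinutes(10) };
        return new Callback { Code = code, State = state };
    }

    // (D)-(E): token endpoint. Authenticate the client; accept the code once, unexpired, and only for the
    // client and redirect_uri it was issued to.
    public TokenResponse Token(string clientId, string clientSecret, string code, string redirectUri)
    {
        RegisteredClient c;
        if (!clients.TryGetValue(clientId, out c) || !Util.FixedTimeEquals(c.Secret, clientSecret))
            throw new InvalidOperationException("invalid_client");
        IssuedCode issued;
        if (code == null || !codes.TryGetValue(code, out issued))
            throw new InvalidOperationException("invalid_grant: unknown or already used code");
        codes.Remove(code); // single use: removed before the remaining checks so a replay fails regardless
        if (issued.ClientId != clientId || issued.RedirectUri != redirectUri || DateTime.UtcNow > issued.ExpiresUtc)
            throw new InvalidOperationException("invalid_grant: code bound to another client/redirect_uri, or expired");
        var resp = new TokenResponse { AccessToken = Util.RandomToken(), TokenType = "Bearer", Scope = issued.Scope };
        AccessTokens[resp.AccessToken] = issued.Scope;
        return resp;
    }
}

public class Client
{
    readonly AuthorizationServer server; readonly string id, secret, redirectUri;
    readonly HashSet<string> pendingStates = new HashSet<string>(); // in a real app: the user's session

    public Client(AuthorizationServer server, string id, string secret, string redirectUri)
    { this.server = server; this.id = id; this.secret = secret; this.redirectUri = redirectUri; }

    // (A): state is an unguessable per-request value tied to the user's session (CSRF protection for the callback).
    public string NewState() { string s = Util.RandomToken(16); pendingStates.Add(s); return s; }

    // (C)-(E): back on the redirect URI, verify state first, then exchange the code on the back channel.
    public TokenResponse HandleCallback(Callback cb)
    {
        if (cb.State == null || !pendingStates.Remove(cb.State))
            throw new InvalidOperationException("state mismatch: possible CSRF or replayed callback");
        if (cb.Error != null) throw new InvalidOperationException("authorization failed: " + cb.Error);
        return server.Token(id, secret, cb.Code, redirectUri);
    }
}

public static class Demo
{
    public static void Main()
    {
        var server = new AuthorizationServer();
        server.RegisterClient("photo-printer", "printer-secret", "https://printer.example/callback");
        var client = new Client(server, "photo-printer", "printer-secret", "https://printer.example/callback");
        string state = client.NewState();                                                      // (A)
        Callback cb = server.Authorize("photo-printer", "https://printer.example/callback", "photos.read", state, ownerGrants: true); // (B),(C)
        TokenResponse tok = client.HandleCallback(cb);                                         // (D),(E)
        Console.WriteLine("token issued with scope " + server.AccessTokens[tok.AccessToken]);
        // Replaying the consumed code at the token endpoint must fail.
        try { server.Token("photo-printer", "printer-secret", cb.Code, "https://printer.example/callback"); }
        catch (InvalidOperationException e) { Console.WriteLine("replay rejected: " + e.Message); }
    }
}
```

The two places where real deployments most often go wrong are both visible here: the redirect_uri comparison happens before anything is redirected (a loose or missing check turns the authorization endpoint into an open redirector that leaks codes), and the code is deleted before the remaining checks run, so a code that was intercepted once cannot be exchanged a second time.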
Katana: authentication is a middleware. In Katana (Microsoft's OWIN implementation), every authentication scheme (cookies, Facebook, bearer tokens, ...) is just another middleware in the OWIN pipeline, derived from AuthenticationMiddleware<TOptions> and AuthenticationHandler<TOptions>.
The handler has four methods (in code they carry the Async suffix):
- Invoke: check whether this middleware should handle the request itself (e.g. an endpoint it owns, such as an external-login callback) or let it pass on
- AuthenticateCore: create the AuthenticationTicket (a wrapper around the ClaimsIdentity plus AuthenticationProperties) from the incoming request
- ApplyResponseGrant: act on a SignIn/SignOut grant when the response is sent: add the token, remove the token
- ApplyResponseChallenge: handle a 401 (e.g. turn it into a redirect to the login page or the external provider)
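As an added example, not from the presentation and not Katana's own source: a minimal cookie-style authentication middleware built on Katana's AuthenticationMiddleware<TOptions> and AuthenticationHandler<TOptions> base classes, with one override per method above. DemoCookie, the option names and the login path are hypothetical; the base-class members it uses (Helper.LookupSignIn/LookupSignOut/LookupChallenge, TicketDataFormat, app.CreateDataProtector) are Katana's.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.Infrastructure;
using Owin;

// Added example, not from the presentation or from Katana: a minimal cookie-style authentication
// middleware showing what each of the four handler overrides is for. "DemoCookie" is a made-up scheme.
public class DemoCookieOptions : AuthenticationOptions
{
    public DemoCookieOptions() : base("DemoCookie") { CookieName = ".DemoAuth"; LoginPath = new PathString("/login"); }
    public string CookieName { get; set; }
    public PathString LoginPath { get; set; }
    public ISecureDataFormat<AuthenticationTicket> TicketDataFormat { get; set; } // MAC-protected ticket <-> string
}

public class DemoCookieHandler : AuthenticationHandler<DemoCookieOptions>
{
    // Invoke: return true only if this middleware fully handled the request (e.g. a callback URL it owns).
    // A cookie handler owns no endpoint, so it always lets the rest of the pipeline run.
    public override Task<bool> InvokeAsync()
    {
        return Task.FromResult(false);
    }

    // AuthenticateCore: turn the incoming request into an AuthenticationTicket (identity + properties),
    // or null. Here: read the cookie and unprotect it; a missing, tampered or expired ticket yields null.
    protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        string cookie = Request.Cookies[Options.CookieName];
        if (string.IsNullOrEmpty(cookie)) return Task.FromResult<AuthenticationTicket>(null);
        AuthenticationTicket ticket = Options.TicketDataFormat.Unprotect(cookie); // null when the MAC check fails
        if (ticket == null || ticket.Identity == null) return Task.FromResult<AuthenticationTicket>(null);
        DateTimeOffset? expires = ticket.Properties != null ? ticket.Properties.ExpiresUtc : null;
        if (expires.HasValue && expires.Value < DateTimeOffset.UtcNow) return Task.FromResult<AuthenticationTicket>(null);
        return Task.FromResult(ticket);
    }

    // ApplyResponseGrant: runs as the response headers are sent. SignIn for our type -> add the token
    // (write the protected cookie); SignOut -> remove it.
    protected override Task ApplyResponseGrantAsync()
    {
        var cookieOptions = new CookieOptions { HttpOnly = true, Secure = Request.IsSecure, Path = "/" };
        AuthenticationResponseGrant signIn = Helper.LookupSignIn(Options.AuthenticationType);
        if (signIn != null)
        {
            if (!signIn.Properties.ExpiresUtc.HasValue) signIn.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddHours(1);
            var ticket = new AuthenticationTicket(signIn.Identity, signIn.Properties);
            Response.Cookies.Append(Options.CookieName, Options.TicketDataFormat.Protect(ticket), cookieOptions);
        }
        AuthenticationResponseRevoke signOut = Helper.LookupSignOut(Options.AuthenticationType, Options.AuthenticationMode);
        if (signOut != null) Response.Cookies.Delete(Options.CookieName, cookieOptions);
        return Task.FromResult(0);
    }

    // ApplyResponseChallenge: the app (e.g. [Authorize]) produced a 401. If the challenge is aimed at us,
    // answer with a redirect to the login page instead of a bare 401.
    protected override Task ApplyResponseChallengeAsync()
    {
        if (Response.StatusCode != 401) return Task.FromResult(0);
        AuthenticationResponseChallenge challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
        if (challenge == null) return Task.FromResult(0);
        string returnUrl = Request.PathBase + Request.Path + Request.QueryString;
        Response.Redirect(Options.LoginPath.Value + "?ReturnUrl=" + Uri.EscapeDataString(returnUrl));
        return Task.FromResult(0);
    }
}

public class DemoCookieMiddleware : AuthenticationMiddleware<DemoCookieOptions>
{
    public DemoCookieMiddleware(OwinMiddleware next, IAppBuilder app, DemoCookieOptions options) : base(next, options)
    {
        // Default ticket protection from the host's data protection provider (machine key on IIS).
        if (Options.TicketDataFormat == null)
            Options.TicketDataFormat = new TicketDataFormat(app.CreateDataProtector(typeof(DemoCookieMiddleware).FullName, Options.AuthenticationType));
    }

    protected override AuthenticationHandler<DemoCookieOptions> CreateHandler() { return new DemoCookieHandler(); }
}

// Startup: app.Use(typeof(DemoCookieMiddleware), app, new DemoCookieOptions());
// A controller signs in with Request.GetOwinContext().Authentication.SignIn(identity) and out with
// .SignOut("DemoCookie"); the grants are picked up by ApplyResponseGrantAsync when the response starts.
```

The order matters: Invoke runs on the way in, AuthenticateCore runs when the pipeline (or the app) asks for the identity, and the two ApplyResponse methods run on the way out, when the response headers are about to be sent, which is why a SignIn call in a controller only materialises as a Set-Cookie header at the end of the request.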