
OAuth and Rest


Websites usually communicate through web services, and a REST API is one technology for building such a service. OAuth is an open standard for authorization that gives end-users a way to authorize third-party access to their server resources without sharing their credentials (typically a username and password pair). This session covers an introduction to OAuth and securing a REST service with OAuth.


  1. OAuth And REST Services. Presenter: Jnana Ranjan Swain. Date: 27-6-2014
  2. About Me (Jnana Ranjan Swain, Mindfire Solutions)
     • Certification: MCTS 70-515 - Microsoft .NET 4.0, Web Application Development
     • Skills: ASP.NET, WCF, SQL Server, jQuery, jQuery UI, Windows Azure, Entity Framework, MVC
     • Connect: Facebook http://www.facebook.com/jnanaswain, LinkedIn http://www.linkedin.com/in/jnanaswain, Twitter https://twitter.com/jnanaswain
     • Contact: Email jnanas@mindfiresolutions.com, Skype mfsi_jnanas
  3. Agenda
     • Introduction to OAuth
     • OAuth Security Framework
     • OAuth .NET API
     • Building a REST Service using ASP.NET Web API
     • Securing a REST API
     • Live Demo
  4. OAuth
  5. Introduction to OAuth
     • The OAuth protocol enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner, without the resource owner handing over its credentials.
     • OAuth 2.0 is the most recent version and is still under development.
     • Facebook, Twitter, Google, Microsoft and many other companies use OAuth.
  6. (diagram slide; no text)
  7. OAuth Framework
  8. OAuth Roles
     • Resource Owner: the entity that grants access to a protected resource.
     • Resource Server: the server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
     • Client: an application making protected resource requests on behalf of the resource owner and with its authorization.
     • Authorization Server: the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  9. Access Token
     • Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client.
     • The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource.
     • It can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server's security requirements.
     • Example request:
         GET /plus/v1/people/me HTTP/1.1
         Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
         Host: googleapis.com
  10. Access Token Types
     • Bearer Token: sent in the Authorization header of every HTTP request to the protected resource. Example: Authorization: Bearer 4qF-UL0BGzu6n0YBJ
     • MAC Token: uses a message authentication code (MAC) algorithm to provide cryptographic verification of portions of HTTP requests.
  11. Refresh Token
     • Refresh tokens are credentials used to obtain access tokens.
     • Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.
     • If the authorization server issues a refresh token, it is included when issuing an access token.
     • Example token response:
         {
           "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
           "expires_in": 3920,
           "token_type": "Bearer",
           "refresh_token": "1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
         }
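The three checks slide 9 requires of a resource server, as an added C# example that is not part of the deck: it parses the Authorization header of the slide 9 request, refuses an unknown, expired or under-scoped token, and derives expiry from an expires_in value like the one in the slide 11 response. The in-memory token store, the issue time, the scope name "people.read" and the clock passed to Validate are assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;

// Added example, not from the slides. The token store, issue time, scope name
// and the clock passed to Validate are constructed for the example.
public enum BearerResult { Ok, NotBearer, UnknownToken, Expired, InsufficientScope }
public sealed class IssuedToken
{
    public DateTimeOffset IssuedAt;
    public int ExpiresIn;                     // seconds, as in the slide 11 token response
    public HashSet<string> Scopes;
    public DateTimeOffset ExpiresAt => IssuedAt.AddSeconds(ExpiresIn);
}

public static class ResourceServer
{
    // Keyed by the opaque access token string. A real resource server would consult
    // the authorization server's store or its introspection endpoint instead.
    static readonly DateTimeOffset Issue = new DateTimeOffset(2014, 6, 27, 10, 0, 0, TimeSpan.Zero);
    static readonly Dictionary<string, IssuedToken> Store =
        new Dictionary<string, IssuedToken>(StringComparer.Ordinal)
        {
            ["1/fFBGRNJru1FQd44AzqT3Zg"] = new IssuedToken
                { IssuedAt = Issue, ExpiresIn = 3920, Scopes = new HashSet<string> { "people.read" } }
        };

    public static BearerResult Validate(string authorization, string requiredScope, DateTimeOffset now)
    {
        // Only the Bearer scheme is accepted; the scheme name is case-insensitive.
        if (authorization == null || !authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return BearerResult.NotBearer;
        var token = authorization.Substring(7).Trim();
        IssuedToken issued;
        if (token.Length == 0 || !Store.TryGetValue(token, out issued)) return BearerResult.UnknownToken;
        // Expiry is expires_in seconds after issue; an otherwise valid token is refused once that passes.
        if (now >= issued.ExpiresAt) return BearerResult.Expired;
        // The token's scope must cover the resource being requested.
        if (!issued.Scopes.Contains(requiredScope)) return BearerResult.InsufficientScope;
        return BearerResult.Ok;
    }
    public static void Main()
    {
        // GET /plus/v1/people/me from slide 9, mapped here to the constructed scope "people.read".
        const string header = "Bearer 1/fFBGRNJru1FQd44AzqT3Zg";
        Console.WriteLine(Validate(header, "people.read", Issue.AddMinutes(5)));
        Console.WriteLine(Validate(header, "people.read", Issue.AddSeconds(3920)));
        Console.WriteLine(Validate(header, "people.write", Issue.AddMinutes(5)));
        Console.WriteLine(Validate("Basic Zm9vOmJhcg==", "people.read", Issue.AddMinutes(5)));
    }
}
```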
  12. OAuth .NET API
     • Microsoft.Owin.Security: API for creating an authorization server.
         var options = new OAuthAuthorizationServerOptions
         {
             TokenEndpointPath = new PathString("/Token"),
             Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
             AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
             AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
             AllowInsecureHttp = true   // accepts authorize and token requests over plain HTTP; for development only
         };
  13. OAuthAuthorizationServerProvider
     • Controls the lifecycle of the authorization server.
     • Used by the authorization server to communicate with the web application while processing requests.
     • Enables the OAuth bearer token authentication middleware, which receives and validates the bearer token from the Authorization header of the request.
     • Callbacks: OnValidateClientRedirectUri, OnValidateClientAuthentication, ValidateClientAuthentication, GrantResourceOwnerCredentials, OnGrantClientCredentials
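An added example, not the deck's code, showing slide 12's options with the two weak settings corrected (AllowInsecureHttp = false and a 30-minute access-token lifetime) and a provider implementing the ValidateClientAuthentication and GrantResourceOwnerCredentials callbacks from slide 13 against Microsoft.Owin.Security.OAuth. The public client id and the password-check delegate are assumptions standing in for the template's PublicClientId and UserManagerFactory.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

// Added example, not from the slides. The public client id and the
// password-check delegate are constructed placeholders.
public sealed class DemoOAuthProvider : OAuthAuthorizationServerProvider
{
    readonly string _publicClientId;                       // stands in for slide 12's PublicClientId
    readonly Func<string, string, bool> _checkPassword;    // e.g. ASP.NET Identity's UserManager
    public DemoOAuthProvider(string publicClientId, Func<string, string, bool> checkPassword)
    { _publicClientId = publicClientId; _checkPassword = checkPassword; }

    // Slide 12's options with its two weak settings corrected.
    public static OAuthAuthorizationServerOptions Options(DemoOAuthProvider provider) =>
        new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = provider,
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30), // slide used 14 days; renew via refresh tokens
            AllowInsecureHttp = false                              // slide used true; bearer tokens need TLS
        };

    // Runs for every token request. A public client (browser or mobile app) cannot
    // keep a secret, so only its registered id is accepted; any other id is refused.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string id, secret;
        if (!context.TryGetBasicCredentials(out id, out secret))
            context.TryGetFormCredentials(out id, out secret);
        if (id == _publicClientId) context.Validated(id);
        else context.SetError("invalid_client", "unknown client");
        return Task.FromResult(0);
    }

    // Resource owner password grant: verify the user, then build the identity the
    // middleware serialises into the token. The error does not say which half was wrong.
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!_checkPassword(context.UserName, context.Password))
        { context.SetError("invalid_grant", "the user name or password is incorrect"); return Task.FromResult(0); }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity);
        return Task.FromResult(0);
    }
}
```

Registered in Startup with app.UseOAuthAuthorizationServer(DemoOAuthProvider.Options(provider)), the token endpoint then refuses plain-HTTP requests and unknown client ids before any credentials are checked.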
  14. Introduction to REST
     • Web services communicate via either SOAP or REST.
     • Representational State Transfer (REST) is a way to create, read, update or delete information on a server using simple HTTP calls. It is an alternative to more complex mechanisms like SOAP.
     • Easily created using MVC 5 Web API and WCF.
  15. Building a REST Service using ASP.NET Web API
  16. Securing a REST API
     • SSL
     • Cross-origin resource sharing (CORS)
     • OAuth
  17. Live Demo
  18. References
     • http://oauth.net/
     • http://tools.ietf.org/
     • http://www.asp.net
     • https://developers.google.com
     • http://blog.rfaisal.com/
  19. Question and Answer
  20. Thank you
  21. Mindfire Solutions: http://www.mindfiresolutions.com, LinkedIn http://www.linkedin.com/company/mindfire-solutions, Twitter http://twitter.com/mindfires, Facebook https://www.facebook.com/MindfireSolutions
