
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

  1. SEPTEMBER 25, 2012 | SLIDE 1
  2. OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
     - Maarten Balliauw, @maartenballiauw
     - Technical Consultant Windows Azure, RealDolmen
  3. Who am I?
     - Maarten Balliauw
     - Antwerp, Belgium
     - www.realdolmen.com
     - Focus on web
     - ASP.NET MVC, Windows Azure, SignalR, ...
     - MVP Windows Azure & ASPInsider
     - http://blog.maartenballiauw.be
     - @maartenballiauw
     - Author: Pro NuGet - http://amzn.to/pronuget
  4. Agenda
     - Why would I need an API?
     - API characteristics
     - ASP.NET MVC Web API
     - Windows Azure ACS
  5. WHY WOULD I NEED AN API?
  6. Consuming the web
     - 2000-2008: Desktop browser
     - 2008-2012: Mobile browser
     - 2008-2012: iPhone and Android apps
     - 2010-2014: Tablets, tablets, tablets
     - 2014-2016: Your fridge (Internet of Things)
  7. (no transcribed text on this slide)
  8. Twitter & Facebook: By show of hands…
  9. Make everyone API (as the French say)
  10. Expose services to 3rd parties
     - Valuable
     - Flexible
     - Managed
     - Supported
     - Have a plan
  11. Reach More Clients
  12. You’re not the only one
     - Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
  13. API CHARACTERISTICS
  14. What is an API?
     - Software-to-Software interface
     - Contract between software and developers
     - Functionalities, constraints (technical / legal)
     - Programming instructions and standards
     - Open services to other software developers (public or private)
  15. Flavours
     - Transport and message contract: HTTP, SOAP, Sockets, XML, Binary, JSON, HTML, …
  16. Technical
     - Most APIs use HTTP and REST extensively
     - Addressing
     - HTTP Verbs
     - Media types
     - HTTP status codes
  17. Demo: The Web is an API
  18. HTTP Verbs
     - GET – return data
     - HEAD – check if the data exists
     - POST – create or update data
     - PUT – put data
     - MERGE – merge values with existing data
     - DELETE – delete data
  19. Status codes
     - 200 OK – Everything is OK, your expected data is in the response.
     - 401 Unauthorized – You either have to log in or you are not allowed to access the resource.
     - 404 Not Found – The resource could not be found.
     - 500 Internal Server Error – The server failed processing your request.
     - …
  20. Be detailed! Think about RFC 2324 (HTCPCP)
  21. ASP.NET WEB API
  22. ASP.NET Web API
     - Part of ASP.NET MVC 4
     - Framework to build HTTP Services (REST)
     - Solid features
     - Modern HTTP programming model
     - Content negotiation (e.g. xml, json, ...)
     - Query composition (OData query support)
     - Model binding and validation (conversion to .NET objects)
     - Routes
     - Filters (e.g. Validation, exception handling, ...)
     - And more!
  23. ASP.NET Web API is easy!
     - HTTP Verb = action
     - “Content-type” header = data format in
     - “Accept” header = data format out
     - Return meaningful status code
  24. Demo: Crafting an API using ASP.NET Web API
  25. Securing your API
     - No authentication
     - Basic/Windows authentication
     - [Authorize] attribute
     They all require username/password to be known by the API consumer…
  26. “your API user isn’t really your user, but an application acting on behalf of a user” (or: API consumer != end user)
  27. OAUTH2
  28. Guest badges
     - Your full-access badge
     - Guest badge
     - Your name on it
     - Limited scope (only 7th floor)
     - Limited validity (only today)
  29. On the web…
  30. OAuth2 – Initial flow
  31. OAuth2 – “Refresh”
  32. What you have to implement
     - OAuth authorization server
     - Keep track of supported consumers
     - Keep track of user consent
     - OAuth token expiration & refresh
     - Oh, and your API
  33. Windows Azure ACCESS CONTROL SERVICE
  34. ACS - Identity in Windows Azure
     - Active Directory federation
     - Graph API
     - Web SSO
     - Link apps to identity providers using rules
     - Support WS-Security, WS-Federation, SAML
     - Little known feature: OAuth2 delegation
  35. OAuth flow using ACS
  36. Demo (the big one): ASP.NET Web API, OAuth2, Windows Azure ACS
  37. OAuth2 delegation?
     - You: OAuth authorization server
     - ACS: Keep track of supported consumers
     - ACS: Keep track of user consent
     - ACS: OAuth token expiration & refresh
     - You: Your API
  38. CONCLUSION
  39. Key takeaways
     - APIs are the new apps
     - Valuable
     - HTTP
     - ASP.NET Web API
     - Windows Azure Access Control Service
  40. THANK YOU! http://blog.maartenballiauw.be @maartenballiauw http://amzn.to/pronuget
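The "HTTP Verbs", "Status codes" and "ASP.NET Web API is easy!" slides describe the mapping the deck relies on: verb to action, Content-Type to input format, Accept to output format, and a meaningful status code back. Below is an added example of a controller built on that mapping; it is not the deck's demo code, and Product, ProductsController, the in-memory store and the route name "DefaultApi" (the one the MVC 4 project template registers) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// Hypothetical resource for this example; not part of the deck's demo.
public class Product
{
    public int Id { get; set; }
    [Required] public string Name { get; set; }   // model validation populates ModelState on POST
    public decimal Price { get; set; }
}

[Authorize] // unauthenticated callers are answered with 401 before any action runs
public class ProductsController : ApiController
{
    // In-memory store standing in for a database (not thread-safe; example only).
    private static readonly List<Product> Store = new List<Product> { new Product { Id = 1, Name = "Coffee", Price = 2.5m } };

    // GET /api/products -> 200; the body is JSON or XML according to the caller's Accept header.
    public IEnumerable<Product> Get() { return Store.ToList(); }

    // GET /api/products/{id} -> 200 with the product, or 404 when it does not exist.
    public HttpResponseMessage Get(int id)
    {
        var product = Store.FirstOrDefault(p => p.Id == id);
        return product == null ? Request.CreateResponse(HttpStatusCode.NotFound) : Request.CreateResponse(HttpStatusCode.OK, product);
    }

    // POST /api/products: the body is bound from JSON or XML according to the Content-Type header;
    // answers 400 with the validation errors, or 201 with a Location header for the new resource.
    public HttpResponseMessage Post(Product product)
    {
        if (product == null) return Request.CreateErrorResponse(HttpStatusCode.BadRequest, "A product body is required.");
        if (!ModelState.IsValid) return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
        product.Id = Store.Any() ? Store.Max(p => p.Id) + 1 : 1;
        Store.Add(product);
        var response = Request.CreateResponse(HttpStatusCode.Created, product);
        response.Headers.Location = new Uri(Url.Link("DefaultApi", new { id = product.Id })); // route name assumed
        return response;
    }

    // DELETE /api/products/{id} -> 204 when deleted, 404 when there was nothing to delete.
    public HttpResponseMessage Delete(int id)
    {
        return Request.CreateResponse(Store.RemoveAll(p => p.Id == id) == 0 ? HttpStatusCode.NotFound : HttpStatusCode.NoContent);
    }
}
```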
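The "OAuth2 delegation?" slide leaves "Your API" as the part you still write once ACS handles consumers, consent and token lifetime: before honouring a request, the API has to verify the token ACS issued. Below is an added example, not code from the deck's demo, of a validator for the Simple Web Token (SWT) format ACS used as its OAuth2 access token; the signing key, issuer and audience values are assumed to come from your own ACS namespace and relying-party configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Validates a Simple Web Token (SWT) as issued by ACS for OAuth2 delegation. The signing key,
// issuer and audience are placeholders for the values configured in your own ACS namespace.
public class SwtValidator
{
    private const string SignaturePair = "&HMACSHA256=";
    private readonly byte[] _key;
    private readonly string _issuer, _audience;
    public SwtValidator(string base64SigningKey, string issuer, string audience)
    {
        _key = Convert.FromBase64String(base64SigningKey); // the symmetric token signing key shown by ACS
        _issuer = issuer; _audience = audience;
    }
    // Returns the token's claims, or null when the token must be rejected with a 401.
    public IDictionary<string, string> Validate(string token)
    {
        int sigIndex = token.LastIndexOf(SignaturePair, StringComparison.Ordinal);
        if (sigIndex < 0) return null;
        string signedPart = token.Substring(0, sigIndex); // the HMAC covers everything before the signature pair
        byte[] presented, expected;
        try { presented = Convert.FromBase64String(Uri.UnescapeDataString(token.Substring(sigIndex + SignaturePair.Length))); }
        catch (FormatException) { return null; }
        using (var hmac = new HMACSHA256(_key)) expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(signedPart));
        if (!FixedTimeEquals(presented, expected)) return null; // verify the signature before trusting any claim
        var claims = new Dictionary<string, string>();
        foreach (string pair in signedPart.Split('&'))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length != 2 || claims.ContainsKey(Uri.UnescapeDataString(kv[0]))) return null; // malformed or duplicated claim
            claims[Uri.UnescapeDataString(kv[0])] = Uri.UnescapeDataString(kv[1]);
        }
        string issuer, audience, expiresOn; long expires;
        if (!claims.TryGetValue("Issuer", out issuer) || issuer != _issuer) return null;
        if (!claims.TryGetValue("Audience", out audience) || audience != _audience) return null;
        if (!claims.TryGetValue("ExpiresOn", out expiresOn) || !long.TryParse(expiresOn, out expires)) return null;
        long now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        return expires > now ? claims : null; // ExpiresOn is seconds since the Unix epoch
    }
    // Constant-time comparison so a wrong signature does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0; for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call Validate from a DelegatingHandler that reads the Authorization: Bearer header, answer 401 when it returns null, and build the request's principal from the returned claims so the [Authorize] attribute from the "Securing your API" slide sees an authenticated caller.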