Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - SDC2013

5,040 views

Published on

API’s are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - SDC2013

  1. 1. OAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw@maartenballiauw
  2. 2. Who am I?Maarten BalliauwTechnical Evangelist, JetBrainsAZUGFocus on web ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsiderhttp://blog.maartenballiauw.be@maartenballiauwShameless self promotion: Pro NuGet -http://amzn.to/pronuget
  3. 3. AgendaWhy would I need an API?API characteristicsASP.NET MVC Web APIWindows Azure ACS
  4. 4. Why would I need anAPI?
  5. 5. Consuming the web2000-2008: Desktop browser2008-2012: Mobile browser2008-2012: iPhone and Android apps2010-2014: Tablets, tablets, tablets2014-2016: Your fridge (Internet of Things)
  6. 6. Twitter & FacebookBy show of hands
  7. 7. Make everyone API(as the French say)
  8. 8. Expose services to 3rd partiesValuableFlexibleManagedSupportedHave a plan
  9. 9. API Characteristics
  10. 10. What is an API?Software-to-Software interfaceContract between software and developers Functionalities, constraints (technical / legal) Programming instructions and standardsOpen services to other software developers (public or private)
  11. 11. FlavoursTransport Message contract HTTP SOAP Sockets XML Binary JSON HTML …
  12. 12. TechnicalMost API’s use HTTP and REST extensively Addressing HTTP Verbs Media types HTTP status codes Hypermedia (*)
  13. 13. The Web is an APIDemo
  14. 14. HTTP VerbsGET – return dataHEAD – check if the data existsPOST – create or update dataPUT – put dataMERGE – merge values with existing dataDELETE – delete data
  15. 15. Status codes200 OK – Everything is OK, your expected data is in the response.401 Unauthorized – You either have to log in or you are not allowed to accessthe resource.404 Not Found – The resource could not be found.500 Internal Server Error – The server failed processing your request.…
  16. 16. Hypermedia in action!
  17. 17. demoBe detailed!Remember the RFC! Think RFC2324!
  18. 18. ASP.NET Web API
  19. 19. ASP.NET Web APIPart of ASP.NET MVC 4Framework to build HTTP Services (REST)Solid features Modern HTTP programming model Content negotiation (e.g. xml, json, ...) Query composition (OData query support) Model binding and validation (conversion to .NET objects) Routes Filters (e.g. Validation, exception handling, ...) And more!
  20. 20. ASP.NET Web API is easy!HTTP Verb = action“Content-type” header = data format in“Accept” header = data format outReturn meaningful status code
  21. 21. demoCreating an APIusing ASP.NET Web API Demo
  22. 22. Securing your APINo authenticationBasic/Windows authentication[Authorize] attribute
  23. 23. demoSecuring your API
  24. 24. The world of API clients is complexCLIENTS AUTHN + AUTHZHTML5+JS Username/password?SPA Basic auth?Native apps NTLM / Kerberos?Server-to-server Client certificate? Shared secret?
  25. 25. A lot of public API’s… “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
  26. 26. OAuth2
  27. 27. Guest badgesBuilding owner / colleague full-access badgeGuest badge Your name on it Limited scope (only 7th floor) Limited validity (only today)
  28. 28. Guest badges +--------+ +---------------+ | |--(A)-- Can access tomorrow?-->| Resource | | | | Owner | | |<-(B)- Sure! Here’s invite ----| | | | +---------------+ | | . | | +---------------+ | |--(C)----- Was invited! ------>| | | Client | | Reception | | |<-(D)---- Here’s a badge! -----| | | | (today;7th floor) +---------------+ | | . | | +---------------+ | |--(E)------ Show badge ------->| Resource | | | | Server | | |<-(F) Sure you can get coffee! | | +--------+ +---------------+ And tomorrow, you’ll have to refresh your badge!
  29. 29. OAuth2 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+ Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31
  30. 30. Quick side note…There are 3 major authentication flowsBased on type of clientVariants possible
  31. 31. On the web…
  32. 32. Access tokens / Refresh tokensIn theory: whatever format you wantWidely used: JWT (“JSON Web Token”)Less widely used: SWT (“Simple Web Token”)Signed / Encrypted
  33. 33. JWTHeader:{"alg":"none"}Token:{"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
  34. 34. What you have to implementOAuth authorization serverKeep track of supported consumersKeep track of user consentOAuth token expiration & refreshOh, and your API
  35. 35. Windows AzureAccess ControlService
  36. 36. ACS - Identity in Windows AzureActive Directory federationGraph APIWeb SSOLink apps to identity providers using rulesSupport WS-Security, WS-Federation, SAMLLittle known feature: OAuth2 delegation
  37. 37. OAuth flow using ACS
  38. 38. demoASP.NET WebAPI, OAuth2, Windows AzureACS
  39. 39. OAuth2 delegation?You: OAuth authorization serverACS: Keep track of supported consumersACS: Keep track of user consentACS: OAuth token expiration & refreshYou: Your API
  40. 40. Conclusion
  41. 41. Key takeawaysAPI’s are the new appsValuableHTTPASP.NET Web APIOAuth2Windows Azure Access Control Service
  42. 42. http://blog.maartenballiauw. be @maartenballiauw http://amzn.to/pronugetThank you!

×