
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - WebNetConf

API’s are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.



  1. OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control. Maarten Balliauw - @maartenballiauw
  2. Thanks to the sponsors
  3. Who am I?• Maarten Balliauw• Antwerp, Belgium• www.realdolmen.com• Focus on web – ASP.NET MVC, Windows Azure, SignalR, ... – MVP Windows Azure & ASPInsider• http://blog.maartenballiauw.be• @maartenballiauw• Author: Pro NuGet - http://amzn.to/pronuget• www.myget.org
  4. Agenda• Why would I need an API?• API characteristics• ASP.NET MVC Web API• Windows Azure ACS
  5. WHY WOULD I NEED AN API?
  6. Consuming the web• 2000-2008: Desktop browser• 2008-2012: Mobile browser• 2008-2012: iPhone and Android apps• 2010-2014: Tablets, tablets, tablets• 2014-2016: Your fridge (Internet of Things)
  7. TWITTER & FACEBOOK (By show of hands…)
  8. MAKE EVERYONE API (as the French say)
  9. Expose services to 3rd parties• Valuable• Flexible• Managed• Supported• Have a plan
  10. Reach More Clients
  11. You’re not the only one. Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
  12. API CHARACTERISTICS
  13. What is an API?• Software-to-Software interface• Contract between software and developers – Functionalities, constraints (technical / legal) – Programming instructions and standards• Open services to other software developers (public or private)
  14. Flavours• Transport – HTTP – Sockets – Binary• Message contract – SOAP – XML – JSON – HTML – …
  15. Technical• Most API’s use HTTP and REST extensively – Addressing – HTTP Verbs – Media types – HTTP status codes
  16. THE WEB IS AN API (Demo)
  17. HTTP Verbs• GET – return data• HEAD – check if the data exists• POST – create or update data• PUT – put data• MERGE – merge values with existing data• DELETE – delete data
  18. Status codes• 200 OK – Everything is OK, your expected data is in the response.• 401 Unauthorized – You either have to log in or you are not allowed to access the resource.• 404 Not Found – The resource could not be found.• 500 Internal Server Error – The server failed processing your request.• …
  19. BE DETAILED! Think RFC 2324!
  20. ASP.NET WEB API
  21. ASP.NET Web API• Part of ASP.NET MVC 4• Framework to build HTTP Services (REST)• Solid features – Modern HTTP programming model – Content negotiation (e.g. xml, json, ...) – Query composition (OData query support) – Model binding and validation (conversion to .NET objects) – Routes – Filters (e.g. Validation, exception handling, ...) – And more!
  22. ASP.NET Web API is easy!• HTTP Verb = action• “Content-type” header = data format in• “Accept” header = data format out• Return meaningful status code
  23. CREATING AN API USING ASP.NET WEB API (Demo)
  24. Securing your API• No authentication• Basic/Windows authentication• [Authorize] attribute
  25. SECURING YOUR API (Demo)
  26. A lot of public API’s…“your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
  27. OAUTH2
  28. OAuth2 abstract protocol flow (Figure 1 of http://tools.ietf.org/html/draft-ietf-oauth-v2-31): (A) Client -> Resource Owner: Authorization Request; (B) Resource Owner -> Client: Authorization Grant; (C) Client -> Authorization Server: Authorization Grant; (D) Authorization Server -> Client: Access Token; (E) Client -> Resource Server: Access Token; (F) Resource Server -> Client: Protected Resource.
  29. Guest badges• Building owner / colleague full-access badge• Guest badge – Your name on it – Limited scope (only 7th floor) – Limited validity (only today)
  30. OAuth2, guest-badge edition: (A) Client -> Building Owner: Can has guest access?; (B) Building Owner -> Client: Sure, ask reception; (C) Client -> Reception: Can has badge?; (D) Reception -> Client: Badge (today; 7th floor); (E) Client -> 7th floor coffee machine: Badge; (F) 7th floor coffee machine -> Client: Coffee! By the way: tomorrow, you’ll have to go to the reception again to “refresh” your badge.
  31. Quick side note…• There are 3 major authentication flows• Based on type of client• Variants possible
  32. On the web…
  33. OAuth2 – Initial flow
  34. OAuth2 – “Refresh” (one of those variants)
  35. Access tokens / Refresh tokens• In theory: whatever format you want• Widely used: JWT (“JSON Web Token”)• Less widely used: SWT (“Simple Web Token”)• Signed / Encrypted
  36. Header: {"alg":"none"} Token: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
  37. Is OAuth2 different from OpenID?• Yes.• OpenID = authN• OAuth2 = authN (optional) + authZ• http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing
  38. What you have to implement• OAuth authorization server• Keep track of supported consumers• Keep track of user consent• OAuth token expiration & refresh• Oh, and your API
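Added example, not from the slides and not the speaker's or Microsoft's code: a self-contained Python model of slides 28 to 38, with the consumer registry, user consent, one-time authorization grant, token expiry and refresh-token rotation from slide 38 on the authorization server side, and the "7th floor coffee machine" as resource server that maps the outcome to the status codes of slide 18. Tokens are HS256-signed JWTs; the resource server pins the algorithm, so a token with the slide-36 header {"alg":"none"} is refused before any claim is trusted. All names (AuthorizationServer, coffee_machine, the "floor7" scope, the signing key, the consumer ids and secrets) are constructed for the example, and the flow is a simplified authorization-code style exchange, which the deck does not prescribe.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values; a real issuer keeps its signing key in a key store, not in source.
SIGNING_KEY = b"constructed-demo-signing-key"
TOKEN_LIFETIME = 3600  # seconds a "badge" (access token) stays valid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed JWT: base64url(header).base64url(claims).base64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def unsigned_token(claims: dict) -> str:
    """Build a slide-36 style token with {"alg":"none"} and an empty signature, to show it is rejected."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def verify_jwt(token: str, key: bytes, now: float):
    """Return the claims if the signature verifies and the token is unexpired, otherwise None."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm: "none" (and anything else we never issue) is refused before any claim is trusted.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    claims = json.loads(_b64url_decode(c64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None  # the badge was only valid "today"
    return claims

# The reception desk of slide 30: knows the consumers, remembers consent, issues and refreshes badges.
class AuthorizationServer:
    def __init__(self, key: bytes, consumers: dict):
        self.key = key
        self.consumers = consumers  # client_id -> {"secret": str, "scopes": set}
        self.consent = {}           # (user, client_id) -> scopes the user agreed to
        self.grants = {}            # one-time authorization code -> (user, client_id, scopes)
        self.refresh_tokens = {}    # refresh token -> (user, client_id, scopes)

    def record_consent(self, user: str, client_id: str, scopes: set) -> None:
        # Steps A/B: the resource owner agrees to a scope no wider than the consumer may ask for.
        self.consent[(user, client_id)] = set(scopes) & self.consumers[client_id]["scopes"]

    def issue_grant(self, user: str, client_id: str, scopes: set):
        # Step B: the authorization grant covers only what this user consented to for this consumer.
        if not set(scopes) <= self.consent.get((user, client_id), set()):
            return None
        code = secrets.token_urlsafe(16)
        self.grants[code] = (user, client_id, set(scopes))
        return code

    def _authenticate(self, client_id: str, secret: str) -> bool:
        consumer = self.consumers.get(client_id)
        return consumer is not None and hmac.compare_digest(consumer["secret"], secret)

    def exchange_grant(self, code: str, client_id: str, secret: str, now: float):
        # Steps C/D: the consumer authenticates, the code is spent exactly once, tokens come back.
        grant = self.grants.pop(code, None) if self._authenticate(client_id, secret) else None
        return self._issue_tokens(*grant, now) if grant and grant[1] == client_id else None

    def refresh(self, refresh_token: str, client_id: str, secret: str, now: float):
        # "Tomorrow, go to reception again": the used refresh token is rotated out as new tokens are issued.
        grant = self.refresh_tokens.pop(refresh_token, None) if self._authenticate(client_id, secret) else None
        return self._issue_tokens(*grant, now) if grant and grant[1] == client_id else None

    def _issue_tokens(self, user: str, client_id: str, scopes: set, now: float) -> dict:
        claims = {"iss": "reception", "sub": user, "aud": client_id,
                  "scope": sorted(scopes), "exp": now + TOKEN_LIFETIME}
        refresh_token = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh_token] = (user, client_id, scopes)
        return {"access_token": encode_jwt(claims, self.key), "refresh_token": refresh_token}

def coffee_machine(token: str, key: bytes, now: float):
    """Resource server (steps E/F): the 7th-floor machine reads the badge and answers with an HTTP status."""
    claims = verify_jwt(token, key, now)
    if claims is None:
        return 401, "Unauthorized"  # no badge, forged badge, or badge from yesterday
    if "floor7" not in claims.get("scope", []):
        return 403, "Forbidden"     # real badge, but not for this floor
    return 200, f"Coffee for {claims['sub']}"
```

To walk the flow, build an AuthorizationServer with one registered consumer, call record_consent, issue_grant and exchange_grant with a chosen clock value, then hand the access token to coffee_machine; calling it again with a clock one day later yields 401, and refresh returns a fresh badge while invalidating the refresh token that was used. The 403 for a valid badge with the wrong scope is a distinction the slide-18 list does not draw, added here because a resource server should separate "no valid credentials" from "credentials, but not for this resource".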
  39. WINDOWS AZURE ACCESS CONTROL SERVICE
  40. ACS - Identity in Windows Azure• Active Directory federation• Graph API• Web SSO• Link apps to identity providers using rules• Support WS-Security, WS-Federation, SAML• Little known feature: OAuth2 delegation
  41. OAuth flow using ACS
  42. ASP.NET WEB API, OAUTH2, WINDOWS AZURE ACS (Demo)
  43. OAuth2 delegation?• You: OAuth authorization server• ACS: Keep track of supported consumers• ACS: Keep track of user consent• ACS: OAuth token expiration & refresh• You: Your API
  44. CONCLUSION
  45. Key takeaways• API’s are the new apps• Valuable• HTTP• ASP.NET Web API• Windows Azure Access Control Service
  46. Thank you! http://blog.maartenballiauw.be @maartenballiauw. Please rate this session: scan the code, go online, rate this session.
