SlideShare a Scribd company logo
1 of 49
Download to read offline
OAuth-as-a-service
using ASP.NET Web API and Windows Azure
              Access Control
  Maarten Balliauw - @maartenballiauw
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - WebNetConf
Thanks to the sponsors
Who am I?
•   Maarten Balliauw
•   Antwerp, Belgium
•   www.realdolmen.com
•   Focus on web
    – ASP.NET MVC, Windows Azure, SignalR, ...
    – MVP Windows Azure & ASPInsider
•   http://blog.maartenballiauw.be
•   @maartenballiauw
•   Author: Pro NuGet - http://amzn.to/pronuget
•   www.myget.org
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - WebNetConf
Agenda
•   Why would I need an API?
•   API characteristics
•   ASP.NET MVC Web API
•   Windows Azure ACS
WHY WOULD I NEED AN API?
Consuming the web
•   2000-2008: Desktop browser
•   2008-2012: Mobile browser
•   2008-2012: iPhone and Android apps
•   2010-2014: Tablets, tablets, tablets
•   2014-2016: Your fridge (Internet of Things)
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - WebNetConf
TWITTER & FACEBOOK
By show of hands…
MAKE EVERYONE API
(as the French say)
Expose services to 3rd parties
•   Valuable
•   Flexible
•   Managed
•   Supported
•   Have a plan
Reach More Clients
You’re not the only one




Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
API CHARACTERISTICS
What is an API?
• Software-to-Software interface
• Contract between software and developers
  – Functionalities, constraints (technical / legal)
    Programming instructions and standards
• Open services to other software developers
  (public or private)
Flavours
• Transport      • Message contract
  – HTTP           – SOAP
  – Sockets        – XML
                   – Binary
                   – JSON
                   – HTML
                   –…
Technical
• Most API’s use HTTP and REST extensively
  – Addressing
  – HTTP Verbs
  – Media types
  – HTTP status codes
THE WEB IS AN API
Demo
HTTP Verbs
•   GET – return data
•   HEAD – check if the data exists
•   POST – create or update data
•   PUT – put data
•   MERGE – merge values with existing data
•   DELETE – delete data
Status codes
• 200 OK – Everything is OK, your expected data is in the
  response.
• 401 Unauthorized – You either have to log in or you are
  not allowed to access the resource.
• 404 Not Found – The resource could not be found.
• 500 Internal Server Error – The server failed processing
  your request.
• …
BE DETAILED!
Think RFC2324!
ASP.NET WEB API
ASP.NET Web API
• Part of ASP.NET MVC 4
• Framework to build HTTP Services (REST)
• Solid features
   –   Modern HTTP programming model
   –   Content negotiation (e.g. xml, json, ...)
   –   Query composition (OData query support)
   –   Model binding and validation (conversion to .NET objects)
   –   Routes
   –   Filters (e.g. Validation, exception handling, ...)
   –   And more!
ASP.NET Web API is easy!
•   HTTP Verb = action
•   “Content-type” header = data format in
•   “Accept” header = data format out
•   Return meaningful status code
CREATING AN API USING ASP.NET WEB API
Demo
Securing your API
• No authentication
• Basic/Windows authentication
• [Authorize] attribute
SECURING YOUR API
Demo
A lot of public API’s…

“your API consumer isn’t really your user, but an
    application acting on behalf of a user”

              (or: API consumer != user)
OAUTH2
OAuth2
+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |                                               .
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |                                               .
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+

              Figure 1: Abstract Protocol Flow
               http://tools.ietf.org/html/draft-ietf-oauth-v2-31
Guest badges
• Building owner / colleague full-access badge
• Guest badge
  – Your name on it
  – Limited scope (only 7th floor)
  – Limited validity (only today)
OAuth2
                +--------+                               +---------------+
                |        |--(A)- Can has guest access? ->|   Building    |
                |        |                               |     Owner     |
                |        |<-(B)– Sure, ask reception ---|                |
                |        |                               +---------------+
                |        |                                               .
                |        |                               +---------------+
                |        |--(C)–--- Can has badge? ----->|   Reception   |
                | Client |                               |               |
                |        |<-(D) Badge (today;7th floor) -|               |
                |        |                               +---------------+
                |        |                                               .
                |        |                               +---------------+
                |        |--(E)-------- Badge ---------->|   7th floor   |
                |        |                               |    coffee     |
                |        |<-(F)-------- Coffee! ---------|    machine    |
                +--------+                               +---------------+

By the way: tomorrow, you’ll have to go to the reception again to “refresh” your badge.
Quick side note…
• There are 3 major authentication flows
• Based on type of client
• Variants possible
On the web…
OAuth2 – Initial flow
OAuth2 – “Refresh” (one of those variants)
Access tokens / Refresh tokens
•   In theory: whatever format you want
•   Widely used: JWT (“JSON Web Token”)
•   Less widely used: SWT (“Simple Web Token”)
•   Signed / Encrypted
Header:
{"alg":"none"}

Token:
{"iss":"joe",
   "exp":1300819380,
   "http://some.ns/read":true}
Is OAuth2 different from OpenID?
• Yes.
• OpenID = authN
• OAuth2 = authN (optional) + authZ

• http://softwareas.com/oauth-openid-youre-
  barking-up-the-wrong-tree-if-you-think-theyre-
  the-same-thing
What you have to implement
•   OAuth authorization server
•   Keep track of supported consumers
•   Keep track of user consent
•   OAuth token expiration & refresh
•   Oh, and your API
WINDOWS AZURE
ACCESS CONTROL SERVICE
ACS - Identity in Windows Azure
•   Active Directory federation
•   Graph API
•   Web SSO
•   Link apps to identity providers using rules
•   Support WS-Security, WS-Federation, SAML
• Little known feature: OAuth2 delegation
OAuth flow using ACS
ASP.NET WEB API, OAUTH2, WINDOWS AZURE ACS
Demo
OAuth2 delegation?
•   You: OAuth authorization server
•   ACS: Keep track of supported consumers
•   ACS: Keep track of user consent
•   ACS: OAuth token expiration & refresh
•   You: Your API
CONCLUSION
Key takeaways
•   API’s are the new apps
•   Valuable
•   HTTP
•   ASP.NET Web API
•   Windows Azure Access Control Service
Thank you!
                    http://blog.maartenballiauw.be
                    @maartenballiauw




Please rate this session
Scan the code, go online, rate this session

More Related Content

What's hot

Server-side Java Programming
Server-side Java ProgrammingServer-side Java Programming
Server-side Java ProgrammingChris Schalk
 
Server-Side Programming Primer
Server-Side Programming PrimerServer-Side Programming Primer
Server-Side Programming PrimerIvano Malavolta
 
Servletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postServletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postvamsi krishna
 
2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
2009 - Microsoft IIS Vs. Apache - Who Serves More - A StudyVijay Prasad Gupta
 
HTML5 Server Sent Events/JSF JAX 2011 Conference
HTML5 Server Sent Events/JSF  JAX 2011 ConferenceHTML5 Server Sent Events/JSF  JAX 2011 Conference
HTML5 Server Sent Events/JSF JAX 2011 ConferenceRoger Kitain
 
The ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersThe ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersKevin Hazzard
 
ITB2016 - Building ColdFusion RESTFul Services
ITB2016 - Building ColdFusion RESTFul ServicesITB2016 - Building ColdFusion RESTFul Services
ITB2016 - Building ColdFusion RESTFul ServicesOrtus Solutions, Corp
 
Spring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSpring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSam Brannen
 
Building Restful Applications Using Php
Building Restful Applications Using PhpBuilding Restful Applications Using Php
Building Restful Applications Using PhpSudheer Satyanarayana
 
Introduction server Construction
Introduction server ConstructionIntroduction server Construction
Introduction server ConstructionJisu Park
 

What's hot (20)

Excellent rest using asp.net web api
Excellent rest using asp.net web apiExcellent rest using asp.net web api
Excellent rest using asp.net web api
 
Server-side Java Programming
Server-side Java ProgrammingServer-side Java Programming
Server-side Java Programming
 
ASP.NET WEB API Training
ASP.NET WEB API TrainingASP.NET WEB API Training
ASP.NET WEB API Training
 
Server-Side Programming Primer
Server-Side Programming PrimerServer-Side Programming Primer
Server-Side Programming Primer
 
Servletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postServletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,post
 
Web servers
Web serversWeb servers
Web servers
 
2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
 
HTML5 Refresher
HTML5 RefresherHTML5 Refresher
HTML5 Refresher
 
HTML5 Server Sent Events/JSF JAX 2011 Conference
HTML5 Server Sent Events/JSF  JAX 2011 ConferenceHTML5 Server Sent Events/JSF  JAX 2011 Conference
HTML5 Server Sent Events/JSF JAX 2011 Conference
 
The ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersThe ASP.NET Web API for Beginners
The ASP.NET Web API for Beginners
 
Introduction to asp.net web api
Introduction to asp.net web apiIntroduction to asp.net web api
Introduction to asp.net web api
 
Alfresco Architecture
Alfresco ArchitectureAlfresco Architecture
Alfresco Architecture
 
SOAP-based Web Services
SOAP-based Web ServicesSOAP-based Web Services
SOAP-based Web Services
 
ITB2016 - Building ColdFusion RESTFul Services
ITB2016 - Building ColdFusion RESTFul ServicesITB2016 - Building ColdFusion RESTFul Services
ITB2016 - Building ColdFusion RESTFul Services
 
Spring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSpring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. REST
 
Building Restful Applications Using Php
Building Restful Applications Using PhpBuilding Restful Applications Using Php
Building Restful Applications Using Php
 
Java servlets and CGI
Java servlets and CGIJava servlets and CGI
Java servlets and CGI
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
 
Web services intro.
Web services intro.Web services intro.
Web services intro.
 
Introduction server Construction
Introduction server ConstructionIntroduction server Construction
Introduction server Construction
 

Viewers also liked

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)Jef Claes
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015Stuart
 
C# ASP.NET WEB API APPLICATION DEVELOPMENT
C# ASP.NET WEB API APPLICATION DEVELOPMENTC# ASP.NET WEB API APPLICATION DEVELOPMENT
C# ASP.NET WEB API APPLICATION DEVELOPMENTDr. Awase Khirni Syed
 
29 Essential AngularJS Interview Questions
29 Essential AngularJS Interview Questions29 Essential AngularJS Interview Questions
29 Essential AngularJS Interview QuestionsArc & Codementor
 

Viewers also liked (10)

What's new in Angular 2?
What's new in Angular 2?What's new in Angular 2?
What's new in Angular 2?
 
Introduction to AngularJS
Introduction to AngularJSIntroduction to AngularJS
Introduction to AngularJS
 
Introduction to HTML4
Introduction to HTML4Introduction to HTML4
Introduction to HTML4
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
 
Web API with ASP.NET MVC by Software development company in india
Web API with ASP.NET  MVC  by Software development company in indiaWeb API with ASP.NET  MVC  by Software development company in india
Web API with ASP.NET MVC by Software development company in india
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
 
C# ASP.NET WEB API APPLICATION DEVELOPMENT
C# ASP.NET WEB API APPLICATION DEVELOPMENTC# ASP.NET WEB API APPLICATION DEVELOPMENT
C# ASP.NET WEB API APPLICATION DEVELOPMENT
 
29 Essential AngularJS Interview Questions
29 Essential AngularJS Interview Questions29 Essential AngularJS Interview Questions
29 Essential AngularJS Interview Questions
 
Javaoop
JavaoopJavaoop
Javaoop
 

Similar to OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - WebNetConf

OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...Maarten Balliauw
 
How to create social apps for millions of users
How to create social apps for millions of users How to create social apps for millions of users
How to create social apps for millions of users Bastian Hofmann
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
OpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightOpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightDaisuke Fuke
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0iratao
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýNETWAYS
 
international PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptinternational PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptsmueller_sandsmedia
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Technical Background of VZ-ID
Technical Background of VZ-IDTechnical Background of VZ-ID
Technical Background of VZ-IDBastian Hofmann
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
OpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureOpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureBastian Hofmann
 
MongoDB user group israel May
MongoDB user group israel MayMongoDB user group israel May
MongoDB user group israel MayAlon Horev
 

Similar to OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - WebNetConf (20)

OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
 
How to create social apps for millions of users
How to create social apps for millions of users How to create social apps for millions of users
How to create social apps for millions of users
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
 
Oauth
OauthOauth
Oauth
 
OpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightOpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech Night
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
 
international PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptinternational PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java script
 
Mashing up JavaScript
Mashing up JavaScriptMashing up JavaScript
Mashing up JavaScript
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
Technical Background of VZ-ID
Technical Background of VZ-IDTechnical Background of VZ-ID
Technical Background of VZ-ID
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
 
OpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureOpenSocial - Past, Present, Future
OpenSocial - Past, Present, Future
 
Development Workflows on AWS
Development Workflows on AWSDevelopment Workflows on AWS
Development Workflows on AWS
 
API Connect.pptx
API Connect.pptxAPI Connect.pptx
API Connect.pptx
 
MongoDB user group israel May
MongoDB user group israel MayMongoDB user group israel May
MongoDB user group israel May
 
Share All The Things With UMA
Share All The Things With UMAShare All The Things With UMA
Share All The Things With UMA
 

More from Maarten Balliauw

Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...Maarten Balliauw
 
Building a friendly .NET SDK to connect to Space
Building a friendly .NET SDK to connect to SpaceBuilding a friendly .NET SDK to connect to Space
Building a friendly .NET SDK to connect to SpaceMaarten Balliauw
 
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...Maarten Balliauw
 
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...Maarten Balliauw
 
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...Maarten Balliauw
 
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...Maarten Balliauw
 
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se....NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...Maarten Balliauw
 
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...Maarten Balliauw
 
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and Search
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and SearchNDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and Search
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and SearchMaarten Balliauw
 
Approaches for application request throttling - Cloud Developer Days Poland
Approaches for application request throttling - Cloud Developer Days PolandApproaches for application request throttling - Cloud Developer Days Poland
Approaches for application request throttling - Cloud Developer Days PolandMaarten Balliauw
 
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...Maarten Balliauw
 
Approaches for application request throttling - dotNetCologne
Approaches for application request throttling - dotNetCologneApproaches for application request throttling - dotNetCologne
Approaches for application request throttling - dotNetCologneMaarten Balliauw
 
CodeStock - Exploring .NET memory management - a trip down memory lane
CodeStock - Exploring .NET memory management - a trip down memory laneCodeStock - Exploring .NET memory management - a trip down memory lane
CodeStock - Exploring .NET memory management - a trip down memory laneMaarten Balliauw
 
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...Maarten Balliauw
 
ConFoo Montreal - Approaches for application request throttling
ConFoo Montreal - Approaches for application request throttlingConFoo Montreal - Approaches for application request throttling
ConFoo Montreal - Approaches for application request throttlingMaarten Balliauw
 
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...Microservices for building an IDE – The innards of JetBrains Rider - TechDays...
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...Maarten Balliauw
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...Maarten Balliauw
 
DotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETDotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETMaarten Balliauw
 
VISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingVISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingMaarten Balliauw
 

More from Maarten Balliauw (20)

Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
 
Building a friendly .NET SDK to connect to Space
Building a friendly .NET SDK to connect to SpaceBuilding a friendly .NET SDK to connect to Space
Building a friendly .NET SDK to connect to Space
 
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...
 
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...
 
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
 
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...
 
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se....NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...
 
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...
 
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and Search
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and SearchNDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and Search
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and Search
 
Approaches for application request throttling - Cloud Developer Days Poland
Approaches for application request throttling - Cloud Developer Days PolandApproaches for application request throttling - Cloud Developer Days Poland
Approaches for application request throttling - Cloud Developer Days Poland
 
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...
 
Approaches for application request throttling - dotNetCologne
Approaches for application request throttling - dotNetCologneApproaches for application request throttling - dotNetCologne
Approaches for application request throttling - dotNetCologne
 
CodeStock - Exploring .NET memory management - a trip down memory lane
CodeStock - Exploring .NET memory management - a trip down memory laneCodeStock - Exploring .NET memory management - a trip down memory lane
CodeStock - Exploring .NET memory management - a trip down memory lane
 
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
 
ConFoo Montreal - Approaches for application request throttling
ConFoo Montreal - Approaches for application request throttlingConFoo Montreal - Approaches for application request throttling
ConFoo Montreal - Approaches for application request throttling
 
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...Microservices for building an IDE – The innards of JetBrains Rider - TechDays...
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
 
DotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETDotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NET
 
VISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingVISUG - Approaches for application request throttling
VISUG - Approaches for application request throttling
 

Recently uploaded

Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 

Recently uploaded (20)

Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - WebNetConf

  • 1. OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten Balliauw - @maartenballiauw
  • 3. Thanks to the sponsors
  • 4. Who am I? • Maarten Balliauw • Antwerp, Belgium • www.realdolmen.com • Focus on web – ASP.NET MVC, Windows Azure, SignalR, ... – MVP Windows Azure & ASPInsider • http://blog.maartenballiauw.be • @maartenballiauw • Author: Pro NuGet - http://amzn.to/pronuget • www.myget.org
  • 6. Agenda • Why would I need an API? • API characteristics • ASP.NET MVC Web API • Windows Azure ACS
  • 7. WHY WOULD I NEED AN API?
  • 8. Consuming the web • 2000-2008: Desktop browser • 2008-2012: Mobile browser • 2008-2012: iPhone and Android apps • 2010-2014: Tablets, tablets, tablets • 2014-2016: Your fridge (Internet of Things)
  • 10. TWITTER & FACEBOOK By show of hands…
  • 11. MAKE EVERYONE API (as the French say)
  • 12. Expose services to 3rd parties • Valuable • Flexible • Managed • Supported • Have a plan
  • 14. You’re not the only one Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
  • 16. What is an API? • Software-to-Software interface • Contract between software and developers – Functionalities, constraints (technical / legal) Programming instructions and standards • Open services to other software developers (public or private)
  • 17. Flavours • Transport • Message contract – HTTP – SOAP – Sockets – XML – Binary – JSON – HTML –…
  • 18. Technical • Most API’s use HTTP and REST extensively – Addressing – HTTP Verbs – Media types – HTTP status codes
  • 19. THE WEB IS AN API Demo
  • 20. HTTP Verbs • GET – return data • HEAD – check if the data exists • POST – create or update data • PUT – put data • MERGE – merge values with existing data • DELETE – delete data
  • 21. Status codes • 200 OK – Everything is OK, your expected data is in the response. • 401 Unauthorized – You either have to log in or you are not allowed to access the resource. • 404 Not Found – The resource could not be found. • 500 Internal Server Error – The server failed processing your request. • …
  • 24. ASP.NET Web API • Part of ASP.NET MVC 4 • Framework to build HTTP Services (REST) • Solid features – Modern HTTP programming model – Content negotiation (e.g. xml, json, ...) – Query composition (OData query support) – Model binding and validation (conversion to .NET objects) – Routes – Filters (e.g. Validation, exception handling, ...) – And more!
  • 25. ASP.NET Web API is easy! • HTTP Verb = action • “Content-type” header = data format in • “Accept” header = data format out • Return meaningful status code
  • 26. CREATING AN API USING ASP.NET WEB API Demo
  • 27. Securing your API • No authentication • Basic/Windows authentication • [Authorize] attribute
  • 29. A lot of public API’s… “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
  • 31. OAuth2 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+ Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31
  • 32. Guest badges • Building owner / colleague full-access badge • Guest badge – Your name on it – Limited scope (only 7th floor) – Limited validity (only today)
  • 33. OAuth2 +--------+ +---------------+ | |--(A)- Can has guest access? ->| Building | | | | Owner | | |<-(B)– Sure, ask reception ---| | | | +---------------+ | | . | | +---------------+ | |--(C)–--- Can has badge? ----->| Reception | | Client | | | | |<-(D) Badge (today;7th floor) -| | | | +---------------+ | | . | | +---------------+ | |--(E)-------- Badge ---------->| 7th floor | | | | coffee | | |<-(F)-------- Coffee! ---------| machine | +--------+ +---------------+ By the way: tomorrow, you’ll have to go to the reception again to “refresh” your badge.
  • 34. Quick side note… • There are 3 major authentication flows • Based on type of client • Variants possible
  • 37. OAuth2 – “Refresh” (one of those variants)
  • 38. Access tokens / Refresh tokens • In theory: whatever format you want • Widely used: JWT (“JSON Web Token”) • Less widely used: SWT (“Simple Web Token”) • Signed / Encrypted
  • 39. Header: {"alg":"none"} Token: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
  • 40. Is OAuth2 different from OpenID? • Yes. • OpenID = authN • OAuth2 = authN (optional) + authZ • http://softwareas.com/oauth-openid-youre- barking-up-the-wrong-tree-if-you-think-theyre- the-same-thing
  • 41. What you have to implement • OAuth authorization server • Keep track of supported consumers • Keep track of user consent • OAuth token expiration & refresh • Oh, and your API
  • 43. ACS - Identity in Windows Azure • Active Directory federation • Graph API • Web SSO • Link apps to identity providers using rules • Support WS-Security, WS-Federation, SAML • Little known feature: OAuth2 delegation
  • 45. ASP.NET WEB API, OAUTH2, WINDOWS AZURE ACS Demo
  • 46. OAuth2 delegation? • You: OAuth authorization server • ACS: Keep track of supported consumers • ACS: Keep track of user consent • ACS: OAuth token expiration & refresh • You: Your API
  • 48. Key takeaways • API’s are the new apps • Valuable • HTTP • ASP.NET Web API • Windows Azure Access Control Service
  • 49. Thank you! http://blog.maartenballiauw.be @maartenballiauw Please rate this session Scan the code, go online, rate this session

Editor's Notes

  1. Maarten
  2. Kinepolis: veel static content / in-frame caching
  3. A couple of years ago, having a web-based application was enough. Users would navigate to it using their computer’s browser, do their dance and log out again. Nowadays, a web-based application isn’t enough anymore. People have smartphones, tablets and maybe even a refrigerator with Internet access on which applications can run. Applications or “apps”. We’re moving from the web towards apps.
  4. A great example of an API is Twitter. They have a massive data store containing tweets and data related to that. They have user profiles. And a web site. And an API. Are you using www.twitter.com to post tweets? I am using the website, maybe once a year. All other tweets come either from my Windows Phone 7’s Twitter application or through www.hootsuite.com, a third-party Twitter client which provides added value in the form of statistics and scheduling. Both the app on my phone as well as the third-party service are using the Twitter API. By exposing an API, Twitter has created a rich ecosystem which drives their real value: data.
  5. If you want to expose your data and services to external third-parties, you may want to think about building an API. Having an API gives you a giant advantage on the Internet nowadays. Having an API will allow your web application to reach more users. App developers will jump onto your API and build their app around it. Other websites or apps will integrate with your services by consuming your API. The only thing you have to do is expose a valuable, managed and supported API and get people to know it. Apps will come. Integration will come.
  6. The mainidea of API’s is tobroadenyourreach. Youcan’tcreateappsthatcanbeused on every fridge out there, it’s way toocostly. But ifyou have a valuable service which is supported, peoplewillbuildappsaround it. Andifitmakes sense toanyonetocreate a fridge app on top of your API, itwill happen.
  7. You’renot the onlyone. Thenumber of API’s is growing at a fast pace and the number of appsandmashups on different devicesgrowswiththat. Ifyou want market share, your best chance of growingit is in building a valuable API.
  8. An API is simply a software-to-software interface, defined by whoever is exposing the API to public or private users. It defines constraints, both technical as well as legal. Twitter for example defines a usage constraint: if you are using their API without paying you will be limited to a certain number or requests.
  9. We can inform the server of what we intend to do using one of the standard HTTP verbs. There are more verbs if you like, but these are the most widely used.
  10. There’s a large number possible status codes you can use. Here are some you will most commonly encounter:200 OK – Everything is OK, your expected data is in the response.401 Unauthorized – You either have to log in or you are not allowed to access the resource.404 Not Found – The resource could not be found.500 Internal Server Error – The server failed processing your request.See the theme? 1XX are informational. 2XX codes mean “successful”. 3XXX tell you to go elsewhere, like our 302 example above. 4XX means the client has done something wrong. A wrong address or a wrong request. 5XX means the server has had a problem, like the feared error 500 – Internal Server Error you see on some websites.
  11. Here are four basic conventions for ASP.NET Web API:Requests have an HTTP verb defined. This maps to the API controller’s action method.Requests have an Accept header. This is handled by ASP.NET Web API’s MediaTypeFormatter and will transform the request to your controller from JSON, XML or whatever format you want to add as a MediaTypeFormatter.Responses have an HTTP status code.Responses are formatted by ASP.NET Web API’s MediaTypeFormatter into JSON, XML or whatever format you want to add as a MediaTypeFormatter.
  12. If you decide that your API isn’t public or specific actions can only be done for a certain user (get me my tweets, Twitter!), you’ll be facing authentication and authorization problems. With ASP.NET Web API, this is simple: add an [Authorize] attribute on top of a controller or action method and you’re done, right? When using the out-of-the-box authentication/authorization mechanisms of ASP.NET Web API, you are relying on either forms authentication or Windows authentication. Both require the user to log in. And as your API user isn’t really your user, but an application acting on behalf of a user, that means that the application should know the user’s credentials. Would you give your username and password to a third-party website to access your Twitter account? I don’t think so.
  13. I want you to remember one sentence: “your API user isn’t really your user, but an application acting on behalf of a user”. It has implications. It means you are “delegating” access to an API to a consuming application.
  14. Maybeyouwork at a company which hands out guest badges tovisitors. You have a badge with full access to the office, yourguests have a guest badge. Your name is on that badge: ifanythinggoes wrong or has tobedone, colleaguescanidentify the guest as someonewho’sthere on your call.The guest badge canbelimited in scope (only the 7th foor) or in validityduration (onlytoday).Wouldn’tthisbe a great approach toprotectyour API?
  15. As anexample, take lanyrd.com. They keep track of conferences you’llbespeaking at and conferences thepeopleyou follow on Twitter are speaking at. To get that data, theyneed access to the list of peopleyou follow on Twitter. Here’swhathappens:You want to log in on Lanyrd, theyredirectyoutoTwitter’s login page. Notice the token in the address bar: itidentifies the callingapplicationtoTwitter.You log in on Twitterandgive consent with a limited scope: Lanyrdwillbeabletoseeyourtimelineand get the list of peopleyou follow. The scope is limitedtothat: Lanyrdcan’ttweet on mybehalf. Theycan’tfavoritetweets. Or sendmessages. Or do anythingelse.Twitterredirects me back toLanyrd, posting back a “refresh” tokenWhatyoudon’tsee:Lanyrdusesthat token torequestan “access token” fromTwitter.Twitter checks the validity of the incoming token and checks the origin, to make sure no otherapplication but Lanyrdcomes in withthat token.Whenvalid, Twitter returns an access token toLanyrd, containing:An access keyA new refresh tokenThe allowed scopeValiditydurationA signature- When the token expires, Lanyrduses the new refresh token to go throughthisprocessagain.
  16. There’s a lot toimplement.
  17. One of the interesting components in the Windows Azure platform is the Access Control Service (ACS). ACS allows you to outsource your authentication and authorization woes and have Microsoft handle those. At www.myget.org, an application me and a colleague have been working on, you’ll find that you can log in through a variety of identity providers (Windows Live ID, Google, Facebook, GitHub, …). We don’t have to do anything for that: ACS solves this and presents us with a set of claims about the user, such as his username on GitHub. If we want to add another identity provider, we simply configure it in ACS and without modifying our code, you can login through that new identity provider.Next to that, ACS provides a little known feature: OAuth2 delegation support. The idea with that is that your application’s only job is to ask the user if a specific application can act on his or her behalf and store that decision in ACS. From then on, the client application will always have to go to ACS to fetch an access token and a refresh token which can be presented to your API.
  18. This approach comes in very handy! Every client application will only have to ask our Authorization server once for user consent, after which ACS will take care of handing out access tokens, expiring tokens, renewing tokens and so on. ACS handles all the authentication and authorization load for us, even with 1 billion apps and users consuming my API. And all of that for just 19 US$ per million actions on ACS (see pricing calculator).
  19. There’s a lot toimplement. Whynot outsource itto Windows Azure ACS?You: OAuthauthorization server  youdecidewho is granted access andwho’snot. You’ll have totell ACS aboutthis, but apart fromthatyou have nothingto do.ACS: Keep track of supportedconsumers based on your inputACS: Keep track of user consent  based on the user’s inputACS: OAuth token expiration &amp; refresh based on all of the aboveYou: Your API  of course!
  20. API’s are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.We’re moving from the web towards apps. Next to your website, apps are becoming more and more popular as an alternative manner to consume your data and services. Why not use that as a lever to reach more users? By exposing an API, you’re giving third party app developers the opportunity to interface with your services and at the same time, they are the advocate of them. Embrace them, give them a good API.Of course, that API should be protected. OAuth2 is becoming the de-facto standard for that but requires some server-side coding on your part. If you just want to focus on the API and delegate the heavy lifting and scaling of the OAuth2 protocol, you may as well delegate it to the Windows Azure Access Control Service. WindowsAzure.Acs.Oauth2 will help you with that.