Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

8,034 views

Published on

API’s are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.

Published in: Technology
  • I'm having a REAL tough time integrating JWT token consumption and validation on my API from ACS. I was wondering if you had any samples for JWT integration?
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

  1. 1. #warmcrocconfOAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw@maartenballiauw
  2. 2. Who am I?Maarten BalliauwTechnical Evangelist, JetBrainsAZUGFocus on web ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsiderhttp://blog.maartenballiauw.be@maartenballiauwShameless self promotion: Pro NuGet -http://amzn.to/pronuget
  3. 3. AgendaWhy would I need an API?API characteristicsASP.NET MVC Web APIWindows Azure ACS
  4. 4. Why would I need anAPI?
  5. 5. Consuming the web2000-2008: Desktop browser2008-2012: Mobile browser2008-2012: iPhone and Android apps2010-2014: Tablets, tablets, tablets2014-2016: Your fridge (Internet of Things)
  6. 6. Twitter & FacebookBy show of hands
  7. 7. Make everyone API(as the French say)
  8. 8. Expose services to 3rd partiesValuableFlexibleManagedSupportedHave a plan
  9. 9. Reach More Clients
  10. 10. You’re not the only one Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
  11. 11. API Characteristics
  12. 12. What is an API?Software-to-Software interfaceContract between software and developers Functionalities, constraints (technical / legal) Programming instructions and standardsOpen services to other software developers (public or private)
  13. 13. FlavoursTransport Message contract HTTP SOAP Sockets XML Binary JSON HTML …
  14. 14. TechnicalMost API’s use HTTP and REST extensively Addressing HTTP Verbs Media types HTTP status codes Hypermedia (*)
  15. 15. The Web is an APIDemo
  16. 16. HTTP VerbsGET – return dataHEAD – check if the data existsPOST – create or update dataPUT – put dataMERGE – merge values with existing dataDELETE – delete data
  17. 17. Status codes200 OK – Everything is OK, your expected data is in the response.401 Unauthorized – You either have to log in or you are not allowed to accessthe resource.404 Not Found – The resource could not be found.500 Internal Server Error – The server failed processing your request.…
  18. 18. Hypermedia in action!
  19. 19. demoBe detailed!Remember the RFC! Think RFC2324!
  20. 20. ASP.NET Web API
  21. 21. ASP.NET Web APIPart of ASP.NET MVC 4Framework to build HTTP Services (REST)Solid features Modern HTTP programming model Content negotiation (e.g. xml, json, ...) Query composition (OData query support) Model binding and validation (conversion to .NET objects) Routes Filters (e.g. Validation, exception handling, ...) And more!
  22. 22. ASP.NET Web API is easy!HTTP Verb = action“Content-type” header = data format in“Accept” header = data format outReturn meaningful status code
  23. 23. demoCreating an APIusing ASP.NET Web API Demo
  24. 24. Securing your APINo authenticationBasic/Windows authentication[Authorize] attribute
  25. 25. demoSecuring your API
  26. 26. A lot of public API’s… “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
  27. 27. OAuth2
  28. 28. Guest badgesBuilding owner / colleague full-access badgeGuest badge Your name on it Limited scope (only 7th floor) Limited validity (only today)
  29. 29. Guest badges +--------+ +---------------+ | |--(A)-- Can access tomorrow?-->| Resource | | | | Owner | | |<-(B)- Sure! Here’s invite ----| | | | +---------------+ | | . | | +---------------+ | |--(C)----- Was invited! ------>| | | Client | | Reception | | |<-(D)---- Here’s a badge! -----| | | | (today;7th floor) +---------------+ | | . | | +---------------+ | |--(E)------ Show badge ------->| Resource | | | | Server | | |<-(F) Sure you can get coffee! | | +--------+ +---------------+ And tomorrow, you’ll have to refresh your badge!
  30. 30. OAuth2 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+ Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31
  31. 31. Quick side note…There are 3 major authentication flowsBased on type of clientVariants possible
  32. 32. On the web…
  33. 33. OAuth2 – Initial flow
  34. 34. OAuth2 – “Refresh” (one of those variants)
  35. 35. Access tokens / Refresh tokensIn theory: whatever format you wantWidely used: JWT (“JSON Web Token”)Less widely used: SWT (“Simple Web Token”)Signed / Encrypted
  36. 36. JWTHeader:{"alg":"none"}Token:{"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
  37. 37. Is OAuth2 different from OpenID?Yes.OpenID = authNOAuth2 = authN (optional) + authZhttp://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thinghttp://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx
  38. 38. What you have to implementOAuth authorization serverKeep track of supported consumersKeep track of user consentOAuth token expiration & refreshOh, and your API
  39. 39. Windows AzureAccess ControlService
  40. 40. ACS - Identity in Windows AzureActive Directory federationGraph APIWeb SSOLink apps to identity providers using rulesSupport WS-Security, WS-Federation, SAMLLittle known feature: OAuth2 delegation
  41. 41. OAuth flow using ACS
  42. 42. demoASP.NET Web API, OAuth2,Windows Azure ACS
  43. 43. OAuth2 delegation?You: OAuth authorization serverACS: Keep track of supported consumersACS: Keep track of user consentACS: OAuth token expiration & refreshYou: Your API
  44. 44. Conclusion
  45. 45. Key takeawaysAPI’s are the new appsValuableHTTPASP.NET Web APIWindows Azure Access Control Service
  46. 46. http://blog.maartenballiauw. be @maartenballiauw http://amzn.to/pronugetThank you!

×