OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

More info on http://www.techdays.be


  1. Who am I?
     Maarten Balliauw, Technical Evangelist at JetBrains; MyGet.org; AZUG. Focus on web: ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsider.
     Shameless self promotion: Pro NuGet, http://amzn.to/pronuget (buy me a beer!)
     http://blog.maartenballiauw.be, @maartenballiauw
  2. Agenda
     Why would I need an API? / API characteristics / ASP.NET MVC Web API / Windows Azure ACS
  3. Why would I need an API?
  4. Consuming the web
     2000-2008: Desktop browser
     2008-2012: Mobile browser
     2008-2012: iPhone and Android apps
     2010-2014: Tablets, tablets, tablets
     2014-2016: Your fridge (Internet of Things)
  5. Twitter & Facebook (by show of hands)
  6. Make everyone API (as the French say)
  7. Expose services to 3rd parties: valuable, flexible, managed, supported. Have a plan.
  8. Reach more clients
  9. You’re not the only one. Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
  10. API characteristics
  11. What is an API?
      A software-to-software interface. A contract between software and developers: functionalities, constraints (technical / legal), programming instructions and standards. It opens services to other software developers (public or private).
  12. Flavours
      Transport: HTTP, sockets, ...
      Message contract: SOAP, XML, binary, JSON, HTML, …
  13. Technical
      Most APIs use HTTP and REST extensively: addressing, HTTP verbs, media types, HTTP status codes, hypermedia (*)
  14. Demo
  15. HTTP verbs
      GET – return data
      HEAD – check if the data exists
      POST – create or update data
      PUT – put data
      MERGE – merge values with existing data
      DELETE – delete data
  16. Status codes
      200 OK – Everything is OK, your expected data is in the response.
      401 Unauthorized – You either have to log in or you are not allowed to access the resource.
      404 Not Found – The resource could not be found.
      500 Internal Server Error – The server failed processing your request.
      …
  17. Think RFC2324!
  18. ASP.NET Web API
  19. ASP.NET Web API
      Part of ASP.NET MVC 4. A framework to build HTTP services (REST). Solid features: modern HTTP programming model; content negotiation (e.g. xml, json, ...); query composition (OData query support); model binding and validation (conversion to .NET objects); routes; filters (e.g. validation, exception handling, ...); and more!
  20. ASP.NET Web API is easy!
      HTTP verb = action
      “Content-Type” header = data format in
      “Accept” header = data format out
      Return a meaningful status code
  21. Demo
  22. Securing your API
      No authentication / Basic/Windows authentication / [Authorize] attribute
  23. Demo
  24. The world of API clients is complex
      Clients: HTML5+JS, SPA, native apps, server-to-server
      AuthN + AuthZ: username/password? Basic auth? NTLM / Kerberos? Client certificate? Shared secret?
  25. A lot of public APIs…
      “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
  26. OAuth2
  27. TechDays badges
      “I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”
  28. TechDays badges
      +--------+                               +---------------+
      |        |--(A)- Register for TechDays ->|   Resource    |
      |        |                               |     Owner     |
      |        |<-(B)-Sure! Here’s an e-ticket-|   Microsoft   |
      |        |                               +---------------+
      |        |
      |        |                               +---------------+
      |        |--(C)----- Was invited! ------>| Authorization |
      | Client |                               |    Server     |
      |   Me   |<-(D)---- Here’s a badge! -----|   Reception   |
      |        |      (5-7 March; speaker)     +---------------+
      |        |
      |        |                               +---------------+
      |        |--(E)------ Show badge ------->|   Resource    |
      |        |                               |    Server     |
      |        |<-(F)-- Enter speakers room ---|   Kinepolis   |
      +--------+                               +---------------+
      Next year, I will have to refresh my badge.
  29. TechDays badges
      “I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”
      Delegation, mapped to OAuth2 terms:
      Me = Client
      Barcode = Access Code
      Reception = Authorization Server
      Microsoft = Resource Owner
      Kinepolis = Resource Server
      Badge = Access Token
      Speaker = Scope
      5-7 March = Token Lifetime
  30. OAuth2
      +--------+                               +---------------+
      |        |--(A)- Authorization Request ->|   Resource    |
      |        |                               |     Owner     |
      |        |<-(B)-- Authorization Grant ---|               |
      |        |                               +---------------+
      |        |
      |        |                               +---------------+
      |        |--(C)-- Authorization Grant -->| Authorization |
      | Client |                               |     Server    |
      |        |<-(D)----- Access Token -------|               |
      |        |                               +---------------+
      |        |
      |        |                               +---------------+
      |        |--(E)----- Access Token ------>|    Resource   |
      |        |                               |     Server    |
      |        |<-(F)--- Protected Resource ---|               |
      +--------+                               +---------------+
      Figure 1: Abstract Protocol Flow, http://tools.ietf.org/html/draft-ietf-oauth-v2-31
  31. Demo
  32. Quick side note…
      There are 3 major authentication flows, based on the type of client. Variants are possible.
  33. OAuth2 – Initial flow
  34. OAuth2 – “Refresh” (one of those variants)
  35. Access tokens / refresh tokens
      In theory: whatever format you want. Widely used: JWT (“JSON Web Token”). Less widely used: SWT (“Simple Web Token”). Signed / encrypted.
  36. JWT
      Header: {"alg":"none"}
      Token: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
  37. Is OAuth2 different from OpenID?
      Yes. OpenID = authN; OAuth2 = authN (optional) + authZ.
      http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing
      http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx
  38. What you have to implement
      OAuth authorization server; keep track of supported consumers; keep track of user consent; OAuth token expiration & refresh. Oh, and your API.
  39. Windows Azure Access Control Service
  40. ACS – Identity in Windows Azure
      Active Directory federation; Graph API; Web SSO; link apps to identity providers using rules; support for WS-Security, WS-Federation, SAML. Little known feature: OAuth2 delegation.
  41. OAuth flow using ACS
  42. Demo
  43. OAuth2 delegation?
      You: OAuth authorization server
      ACS: keep track of supported consumers
      ACS: keep track of user consent
      ACS: OAuth token expiration & refresh
      You: your API
  44. Conclusion
  45. Key takeaways
      APIs are the new apps. Valuable. HTTP. ASP.NET Web API. OAuth2. Windows Azure Access Control Service.
  46. http://blog.maartenballiauw.be, @maartenballiauw, http://amzn.to/pronuget. Thank you!
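
The abstract flow of slide 30 (steps A to F) and the “refresh” variant of slide 34, played through as an added example; this is not the speaker's demo code. It models the authorization server and the resource server in plain Python with a constructed client registration (`demo-client` / `demo-secret`), opaque random tokens, and `now` passed in as epoch seconds rather than read from the clock, so the token lifetime of slide 29 can be checked deterministically; the resource server reads the authorization server's token table directly, which stands in for whatever token validation a real deployment uses.

```python
import secrets

class AuthorizationServer:
    """Toy in-memory OAuth2 authorization server (constructed for this example)."""
    def __init__(self, lifetime=3600):
        self.lifetime = lifetime                       # access token lifetime in seconds
        self.clients = {"demo-client": "demo-secret"}  # registered consumers (constructed)
        self.codes = {}    # authorization code -> (client_id, user, scope), single use
        self.tokens = {}   # access token -> (user, scope, expires_at)
        self.refresh = {}  # refresh token -> (client_id, user, scope)

    def authorize(self, client_id, user, scope):
        """(A)/(B): the resource owner consents and the client receives an authorization grant."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope)
        return code

    def _issue(self, client_id, user, scope, now):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = (user, scope, now + self.lifetime)
        self.refresh[refresh] = (client_id, user, scope)
        return {"access_token": access, "refresh_token": refresh, "expires_in": self.lifetime}

    def token(self, client_id, client_secret, code, now):
        """(C)/(D): exchange the grant for tokens; the client authenticates first (`now` in epoch seconds)."""
        if self.clients.get(client_id) != client_secret:
            return None
        grant = self.codes.pop(code, None)             # pop: a code can be redeemed once
        if grant is None or grant[0] != client_id:
            return None
        return self._issue(client_id, grant[1], grant[2], now)

    def refresh_token(self, client_id, client_secret, refresh, now):
        """The "refresh" variant: trade a refresh token for a new pair, rotating the old one."""
        if self.clients.get(client_id) != client_secret:
            return None
        grant = self.refresh.pop(refresh, None)        # the old refresh token is now dead
        if grant is None or grant[0] != client_id:
            return None
        return self._issue(client_id, grant[1], grant[2], now)

def resource_server_read(auth, access_token, now):
    """(E)/(F): the resource server returns an HTTP status for a read of the protected resource."""
    entry = auth.tokens.get(access_token)              # simplification: shares the AS token table
    if entry is None or now >= entry[2]:
        return 401                                     # unknown or expired token: refresh it
    if "read" not in entry[1].split():
        return 403                                     # live token, but not for this scope
    return 200
```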

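The JWT of slide 36 as a token consumer has to handle it, added here as an example rather than taken from the slides: the verifier pins HS256 instead of trusting the header's `alg`, so the slide's `{"alg":"none"}` form is refused, and it enforces `exp`. The key is a constructed demo value; the claims set is the slide's own, whose `exp` of 1300819380 fell in March 2011, which is why the functions take `now` explicitly.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT: base64url(header).base64url(claims).base64url(signature)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def unsigned_jwt(claims: dict) -> str:
    """The slide's {"alg":"none"} form: same payload, empty signature segment."""
    return _segment({"alg": "none"}) + "." + _segment(claims) + "."

def verify_jwt(token: str, key: bytes, now: int):
    """Return the claims if the token is HS256-signed with `key` and unexpired at `now`
    (epoch seconds), else None. The expected algorithm is pinned by the verifier:
    the header's own `alg` is untrusted input, so {"alg":"none"} is rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None                                   # malformed token
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None                                   # not the algorithm we issue
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                                   # signature does not match the key
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None                                   # missing or passed token lifetime
    return claims

# The claims set from the slide; its exp (1300819380) fell in March 2011, so the
# token verifies only for a `now` before that instant
SLIDE_CLAIMS = {"iss": "joe", "exp": 1300819380, "http://some.ns/read": True}
```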