
1 Building native client and mobile apps using Azure Active Directory for sign in

2 Today’s Applications
Diagram: a web application, a browser, a native app and a server app, each calling one or more Web APIs. Clients use a wide variety of devices/languages/platforms; server applications use a wide variety of platforms/languages.

3 Standards-based, HTTP-based authentication protocols
Diagram: WS-Fed, SAML 2.0 and OpenID Connect cover the browser-to-web-application sign-in; OAuth covers the native app, the server app and the Web API-to-Web API calls.

4 What is Azure Active Directory?
Cloud-based identity service: authentication, directory, identity management. Designed for organizations: manage access to cloud apps; can extend on-premises AD. Designed for cloud and mobile: HTTP/REST & industry-standard protocols.

5 Active Directory - Then vs. now

6 So what’s cooking: how AAD represents resources; implementing OAuth2; ADAL; protecting your own API.

7 Azure Active Directory Application Model
Diagram: WebApp 1 exposes Permission 1 and Permission 2; NativeApp 1 requires Permission 1 of WebApp 1.

8 Azure Active Directory

9 Azure Active Directory - Users

10 Azure Active Directory – Applications - Web

11 Azure Active Directory – Applications - Native

12 Azure Active Directory – Applications - Permissions

13 OAuth for native apps
Diagram: Exchange Online exposes the permissions "Full access to user’s mailbox", "Read user’s contacts" and "Read user’s mail"; "My cool App" requires "Read user’s mail" from Office 365. The flow drawn alongside shows the app opening the web sign-in page (<HTML>), receiving an authorization code (--code--) and redeeming it for tokens (labelled A and T on the slide).

14 Auth Code Request/Response
Request (slide callouts in brackets; the authorization endpoint, resource URI and redirect URI were not preserved in the transcript):
GET ?response_type=code   [I’d like a code please]
    &resource=   [To access this service]
    &client_id=fb715b0e-3ca9-45b a776b42d   [This is me]
    &redirect_uri=   [Send the code here]
    &prompt=login
<< Stuff happens here to sign the user in... >>
Response:
302 Found ?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…   [Here’s your code!]

15 Token Request/Response
Request (slide callouts in brackets; the token endpoint, redirect URI and resource URI were not preserved in the transcript):
POST grant_type=authorization_code   [I have a code]
     &code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
     &client_id=fb715b0e-3ca9-45b a776b42d   [This is me]
     &redirect_uri=   [I asked you to send the code here]
     &resource=   [I need to use this service]
Response:
200 OK
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",   [Here is your bearer token]
 "token_type":"Bearer",
 "expires_in":"3599",   [When it expires]
 "expires_on":" ",
 "resource":" ",   [It’s for this service]
 "refresh_token":"AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",   [The refresh token]
 "scope":"user_impersonation",   [Your permissions]
 "id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiJmY…n0."}   [Info about the user]
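The two exchanges on slides 14 and 15, run end to end offline, as an added example that is not code from the talk and not Azure AD's own behaviour. ToyAuthorizationServer stands in for the authorize and token endpoints: it binds each code to the client_id and redirect_uri it was requested with, so the token request has to repeat the same redirect_uri ("I asked you to send the code here") or the code is refused, and a code is single-use and short-lived. Every URL and id below is a constructed placeholder.

```python
"""Authorization-code flow for a native app (slides 14 and 15), simulated offline.

Added example, not the talk's code; the server is a stand-in, not Azure AD.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.example.test/common/oauth2/authorize"  # placeholder
CLIENT_ID = "00000000-0000-0000-0000-000000000001"                     # placeholder
REDIRECT_URI = "http://localhost:12345/callback"                        # placeholder
RESOURCE = "https://api.example.test/"                                  # placeholder
CODE_LIFETIME = 600  # seconds a code may wait before it is redeemed


class ToyAuthorizationServer:
    """Stand-in for the authorization and token endpoints (not Azure AD)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}  # code -> what it was issued for

    def authorize(self, request_url):
        """Handle the GET from slide 14 and return the 302 Location value."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        # << stuff happens here to sign the user in... >>
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                             "resource": q["resource"], "issued_at": self._clock()}
        return q["redirect_uri"] + "?" + urlencode({"code": code})

    def token(self, form_body):
        """Handle the POST from slide 15 and return the JSON body as a dict."""
        p = {k: v[0] for k, v in parse_qs(form_body).items()}
        if p.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        issued = self._codes.pop(p.get("code"), None)  # pop: a code redeems once
        if issued is None:
            raise ValueError("invalid_grant: unknown or already used code")
        if self._clock() - issued["issued_at"] > CODE_LIFETIME:
            raise ValueError("invalid_grant: code expired")
        if p.get("client_id") != issued["client_id"] or p.get("redirect_uri") != issued["redirect_uri"]:
            raise ValueError("invalid_grant: client_id/redirect_uri do not match the code")
        return {"access_token": "at-" + secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": "3599", "resource": issued["resource"],
                "refresh_token": "rt-" + secrets.token_urlsafe(16), "scope": "user_impersonation"}


def build_authorize_url(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, resource=RESOURCE):
    """The native app's side of slide 14."""
    return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "resource": resource,
                                            "client_id": client_id, "redirect_uri": redirect_uri,
                                            "prompt": "login"})


def code_from_redirect(location, expected_redirect_uri=REDIRECT_URI):
    """Accept the code only if it arrived at the redirect URI the app asked for."""
    u = urlparse(location)
    if u.scheme + "://" + u.netloc + u.path != expected_redirect_uri:
        raise ValueError("code delivered to an unexpected URI")
    return parse_qs(u.query)["code"][0]


def build_token_request(code, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, resource=RESOURCE):
    """The native app's side of slide 15: the form-encoded POST body."""
    return urlencode({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                      "redirect_uri": redirect_uri, "resource": resource})


def run_flow(server, redeem_with_redirect_uri=REDIRECT_URI):
    """Whole exchange. The redirect_uri used at redemption is a parameter so the
    mismatch case (code requested for one URI, redeemed with another) can be shown."""
    location = server.authorize(build_authorize_url())
    code = code_from_redirect(location)
    return server.token(build_token_request(code, redirect_uri=redeem_with_redirect_uri))


if __name__ == "__main__":
    print(run_flow(ToyAuthorizationServer()))
```

Repeating redirect_uri in the token request is what lets the server notice that a code is being redeemed somewhere other than where it was sent, and popping the code on first use is what makes a replayed code fail.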

16 Server-Based Sign-In User Experience
Native client sign-in UI is web-based: same sign-in UI as web app sign-in. Web UI allows arbitrary interaction: consent to use application, multi-factor authentication, account compromise detection, … and more stuff we haven’t dreamed up yet. Plan to offer non-interactive methods (name/password, Kerberos); these will return an error if user interaction is required.

17 Active Directory Authentication Libraries (ADAL)
Abstracts away most protocol considerations. Handles token persistence & refresh automatically. Sample from the slide (the authority URL passed to AuthenticationContext and the resource URI passed to AcquireTokenAsync were stripped by the transcript, and the client id is cut short):
var ctx = new AuthenticationContext("…");
AuthenticationResult rez = await ctx.AcquireTokenAsync("…", "5fc4a5a2-78d5-4d94-b890-a6e6b…");

18 Active Directory Authentication Libraries (ADAL)
Available on multiple platforms: .NET, Windows Store, iOS, Android, Node.JS, Java. Open source (or in the process to be). Same primitives, native programming models. Sophisticated features: works across Windows Server and Azure Active Directory; cache and automatic refresh; multi-user support.
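What "cache and automatic refresh" on slides 17 and 18 amounts to, as an added example. This is not ADAL's code and the token endpoint is a stand-in, not Azure AD: the silent lookup returns a cached access token while it is still valid, redeems the refresh token when it is not, and raises InteractionRequired when no silent path is left, which is the error slide 16 says non-interactive methods return. The clock, token strings and endpoint are constructed.

```python
"""Token cache with automatic refresh, in the spirit of slides 17-18.

Added example; not ADAL, and ToyTokenEndpoint is not Azure AD.
"""
import time

REFRESH_SKEW = 300  # refresh this many seconds before expiry, as a buffer for clock drift


class InteractionRequired(Exception):
    """The caller has to show the web sign-in UI; nothing silent can work."""


class ToyTokenEndpoint:
    """Stand-in for the refresh_token grant (constructed, not Azure AD)."""

    def __init__(self):
        self.refresh_calls = 0
        self.revoked = set()  # refresh tokens the "server" no longer honours

    def refresh(self, refresh_token, resource):
        self.refresh_calls += 1
        if not refresh_token.startswith("rt-") or refresh_token in self.revoked:
            raise PermissionError("invalid_grant")
        return {"access_token": f"at-{resource}-{self.refresh_calls}", "expires_in": "3599",
                "refresh_token": refresh_token, "resource": resource}


class TokenCache:
    """Per (authority, resource, user) cache; the multi-user support of slide 18
    falls out of keying on the user."""

    def __init__(self, endpoint, clock=time.time):
        self._endpoint = endpoint
        self._clock = clock
        self._entries = {}

    def store(self, authority, resource, user, token_response):
        """Record a token response (from the auth-code flow or a refresh) with an absolute expiry."""
        entry = dict(token_response)
        entry["expires_on"] = self._clock() + int(token_response["expires_in"])
        self._entries[(authority, resource, user)] = entry

    def acquire_token_silent(self, authority, resource, user):
        """Cached token if still valid, else refresh, else InteractionRequired."""
        key = (authority, resource, user)
        entry = self._entries.get(key)
        if entry is None:
            raise InteractionRequired("no cached token for this user/resource")
        if entry["expires_on"] - REFRESH_SKEW > self._clock():
            return entry["access_token"]  # cache hit, no network call
        try:
            fresh = self._endpoint.refresh(entry["refresh_token"], resource)
        except PermissionError:
            del self._entries[key]  # dead refresh token: evict, caller must show UI
            raise InteractionRequired("refresh token rejected; sign in again")
        self.store(authority, resource, user, fresh)
        return fresh["access_token"]
```

Evicting the entry when the refresh token is rejected matters: otherwise every later call keeps hitting the token endpoint with a refresh token the server has already declined.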

19 Protecting Your Own API with AAD
Big OAuth2 providers issue tokens for their own resources: Facebook for the Facebook Graph; AAD for the Graph, Azure management, Office… Azure AD allows you to secure your own API. Easy as 1-2-3: (1) add an entry for your API in your AAD tenant; (2) define which permissions your app recognizes; (3) add middleware in front of your API to validate AAD access tokens.

20 Adding an entry for your WebAPI in AAD
AAD needs to know how to identify your API. You can add an entry via the portal… …or you can use VS2013.

21 The application’s manifest
AAD needs to know which permissions your API exposes. You provide that info by uploading a manifest for your app: a JSON file holding a description of your app. Download the default one, edit the AppPermissions node, upload it back. Still VERY MUCH in preview. Fun fact: an API can also be a client of some other API! The RequiredResourceAccess node lists the resources & permissions the API requires.
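Step 3 of slide 19, the middleware that validates an access token before your API does any work, as an added example; it is not code from the talk or from any Microsoft library. Real Azure AD access tokens are RS256-signed and checked against the tenant's published signing keys; to run offline this demo signs with HS256 and a constructed shared secret, but the checks are the ones such middleware has to make: an allowed algorithm (the id_token on slide 15 carries an "alg":"none" header, which must never be accepted for an access token), the signature, the issuer, the audience (your API's App ID URI), the validity window, and the permission the caller was granted, checked against the "user_impersonation" scope shown on slide 15. Issuer, audience, secret and the sample claims are constructed placeholders.

```python
"""Bearer-token validation in front of your own API (slides 19-21).

Added example; HS256 with a constructed key stands in for AAD's RS256.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sts.example.test/00000000-0000-0000-0000-0000000000aa/"  # placeholder tenant issuer
AUDIENCE = "https://api.example.test/"  # placeholder App ID URI of your API
SECRET = b"constructed-demo-signing-key"  # placeholder; production verifies RS256 with the tenant's keys
ALLOWED_ALGS = {"HS256"}  # production: {"RS256"}; never "none"
CLOCK_SKEW = 300  # seconds of tolerance on nbf/exp


class TokenRejected(Exception):
    pass


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_token(claims, alg="HS256", key=SECRET):
    """Constructed issuer for the demo; alg="none" yields an unsigned token."""
    signing_input = _segment({"typ": "JWT", "alg": alg}) + "." + _segment(claims)
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, required_scope="user_impersonation", now=None, key=SECRET):
    """Return the claims if every check passes; raise TokenRejected otherwise."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        raise TokenRejected("malformed token")
    if header.get("alg") not in ALLOWED_ALGS:  # rejects "none" and any unexpected alg
        raise TokenRejected("unacceptable alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TokenRejected("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenRejected("token was not issued for this API")
    if not (claims.get("nbf", 0) - CLOCK_SKEW <= now < claims.get("exp", 0) + CLOCK_SKEW):
        raise TokenRejected("outside validity window")
    if required_scope not in claims.get("scp", "").split():
        raise TokenRejected("missing permission " + required_scope)
    return claims


def demo_claims(now):
    """Constructed claim set shaped like the token on slide 15 (expires_in 3599)."""
    return {"iss": ISSUER, "aud": AUDIENCE, "nbf": int(now), "exp": int(now) + 3599,
            "scp": "user_impersonation", "upn": "alice@example.test"}


if __name__ == "__main__":
    now = time.time()
    print(validate_token(mint_token(demo_claims(now)), now=now))
```

The order of checks is deliberate: algorithm and signature first, so nothing in an unverified payload (issuer, audience, scope) is trusted before the token is known to be genuine. The audience check is what stops a token issued for Exchange Online or the Graph from being replayed against your API, even though the same tenant signed it.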

22 TheIdentityHub
Diagram: TheIdentityHub sits between sensor apps, Facebook, Android, Twitter, Apple iOS, Google, Windows Phone, Microsoft Windows 8, Active Directory, web and legacy apps, and Office 365.

23 A big thank you to our sponsors
Platinum Partners, Gold Partners, Silver & Track Partners
