
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten




1 OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten Balliauw @maartenballiauw

2 Abstract
  APIs are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.

3 Who am I?
  Maarten Balliauw
  Technical Evangelist, JetBrains
  AZUG
  Focus on web: ASP.NET MVC, Windows Azure, SignalR, ...
  MVP Windows Azure & ASPInsider
  http://blog.maartenballiauw.be
  @maartenballiauw
  Shameless self promotion: Pro NuGet - http://amzn.to/pronuget

4 Agenda
  Why would I need an API?
  API characteristics
  ASP.NET MVC Web API
  Windows Azure ACS

5 Why would I need an API?

6 Consuming the web
  2000-2008: Desktop browser
  2008-2012: Mobile browser
  2008-2012: iPhone and Android apps
  2010-2014: Tablets, tablets, tablets
  2014-2016: Your fridge (Internet of Things)


8 Twitter & Facebook By show of hands

9 Make everyone API (as the French say)

10 Expose services to 3rd parties
  Valuable
  Flexible
  Managed
  Supported
  Have a plan

11 API Characteristics

12 What is an API?
  Software-to-software interface
  Contract between software and developers
  Functionalities, constraints (technical / legal)
  Programming instructions and standards
  Open services to other software developers (public or private)

13 Flavours
  Transport: HTTP, Sockets
  Message contract: SOAP, XML, Binary, JSON, HTML, …

14 Technical
  Most APIs use HTTP and REST extensively
  Addressing
  HTTP verbs
  Media types
  HTTP status codes
  Hypermedia (*)

15 The Web is an API Demo

16 HTTP Verbs
  GET – return data
  HEAD – check if the data exists
  POST – create or update data
  PUT – put data
  MERGE – merge values with existing data
  DELETE – delete data

17 Status codes
  200 OK – Everything is OK, your expected data is in the response.
  401 Unauthorized – You either have to log in or you are not allowed to access the resource.
  404 Not Found – The resource could not be found.
  500 Internal Server Error – The server failed processing your request.
  …

18 Hypermedia in action!

19 demo
  Be detailed! Remember the RFC! Think RFC2324!

20 ASP.NET Web API

21 Part of ASP.NET MVC 4
  Framework to build HTTP services (REST)
  Solid features:
  Modern HTTP programming model
  Content negotiation (e.g. XML, JSON, ...)
  Query composition (OData query support)
  Model binding and validation (conversion to .NET objects)
  Routes
  Filters (e.g. validation, exception handling, ...)
  And more!

22 ASP.NET Web API is easy!
  HTTP verb = action
  “Content-Type” header = data format in
  “Accept” header = data format out
  Return meaningful status code

23 demo Creating an API using ASP.NET Web API Demo

24 Securing your API
  No authentication
  Basic/Windows authentication
  [Authorize] attribute

25 demo Securing your API

26 The world of API clients is complex
  CLIENTS: HTML5+JS SPA, native apps, server-to-server
  AUTHN + AUTHZ: Username/password? Basic auth? NTLM / Kerberos? Client certificate? Shared secret?

27 A lot of public APIs…
  “your API consumer isn’t really your user, but an application acting on behalf of a user”
  (or: API consumer != user)

28 OAuth2

29 Guest badges
  Building owner / colleague: full-access badge
  Guest badge:
  Your name on it
  Limited scope (only 7th floor)
  Limited validity (only today)

30 Guest badges

  +--------+                               +---------------+
  |        |--(A)-- Can access tomorrow?-->|   Resource    |
  |        |                               |     Owner     |
  |        |                               +---------------+
  |        |                               +---------------+
  | Client |                               |   Reception   |
  |        |                               +---------------+
  |        |                               +---------------+
  |        |                               |   Resource    |
  |        |                               |    Server     |
  |        |<-(F) Sure you can get coffee! |               |
  +--------+                               +---------------+

  And tomorrow, you’ll have to refresh your badge!


32 OAuth2

  +--------+                               +---------------+
  |        |--(A)- Authorization Request ->|   Resource    |
  |        |                               |     Owner     |
  |        |                               +---------------+
  |        |                               +---------------+
  | Client |                               | Authorization |
  |        |                               |     Server    |
  |        |                               +---------------+
  |        |                               +---------------+
  |        |                               |    Resource   |
  |        |                               |     Server    |
  |        |<-(F)--- Protected Resource ---|               |
  +--------+                               +---------------+

  Figure 1: Abstract Protocol Flow
  http://tools.ietf.org/html/draft-ietf-oauth-v2-31

33 Quick side note…
  There are 3 major authentication flows
  Based on type of client
  Variants possible


35 On the web…

36 Access tokens / Refresh tokens
  In theory: whatever format you want
  Widely used: JWT (“JSON Web Token”)
  Less widely used: SWT (“Simple Web Token”)
  Signed / Encrypted

37 JWT
  Header: {"alg":"none"}
  Token: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
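The slide shows the claim set from the JWT draft with an "alg":"none" header, and the previous slides say tokens should be signed and carry limited scope and validity (the guest badge). The following is an added example, not the speaker's code and not the Web API or ACS implementation: a minimal HS256 issuer and a validator for the resource server that never lets the token's own header pick the algorithm, recomputes the HMAC in constant time, and then checks the exp and scope claims. The secret key, the allow-list, the "now" values and the helper names are constructed for the example; the claim set is the one from the slide.

```python
"""Issue and validate compact JWTs (HS256), added example for this transcript."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret shared by the authorization server and the API.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# The resource server decides which algorithms it accepts. "none" is never
# on the list, so an unsigned token fails before any claim is looked at.
ALLOWED_ALGS = {"HS256"}

# Claim set from the slide, used here as constructed sample input.
SLIDE_CLAIMS = {"iss": "joe", "exp": 1300819380, "http://some.ns/read": True}
READ_SCOPE = "http://some.ns/read"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Build base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    """A token with the slide's {"alg":"none"} header and an empty signature."""
    return _segment({"alg": "none"}) + "." + _segment(claims) + "."


def validate_token(token: str, required_scope: str, key: bytes = SECRET_KEY,
                   now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts

    # 1. Algorithm comes from the server's allow-list, not from the header.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed: %r" % header.get("alg"))

    # 2. Recompute the MAC over the exact signed bytes; compare in constant time.
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(claims_b64))

    # 3. Limited validity: like the guest badge that only works today.
    current = time.time() if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired or has no exp")

    # 4. Limited scope: like the badge that only opens the 7th floor.
    if claims.get(required_scope) is not True:
        raise ValueError("scope not granted: " + required_scope)
    return claims


def demo() -> dict:
    """Run the validator over a good token and four rejected variants."""
    signed = issue_token(SLIDE_CLAIMS)
    # Forge: keep the real signature but swap in claims that add write access.
    head, _, sig = signed.split(".")
    forged = head + "." + _segment(dict(SLIDE_CLAIMS, **{"http://some.ns/write": True})) + "." + sig
    results = {"valid": validate_token(signed, READ_SCOPE, now=1300819000)["iss"]}
    cases = [
        ("alg_none", unsigned_token(SLIDE_CLAIMS), 1300819000, READ_SCOPE),
        ("expired", signed, 1300819380, READ_SCOPE),
        ("wrong_scope", signed, 1300819000, "http://some.ns/write"),
        ("tampered", forged, 1300819000, READ_SCOPE),
    ]
    for name, tok, at, scope in cases:
        try:
            validate_token(tok, scope, now=at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The order of the checks is the point: the algorithm allow-list and the signature are verified before any claim is trusted, so the exp and scope values are only read from a token the server has authenticated. The "now" values are passed in explicitly so the example runs deterministically against the slide's 2011 expiry.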

38 What you have to implement
  OAuth authorization server
  Keep track of supported consumers
  Keep track of user consent
  OAuth token expiration & refresh
  Oh, and your API


40 Windows Azure Access Control Service

41 ACS - Identity in Windows Azure
  Active Directory federation
  Graph API
  Web SSO
  Link apps to identity providers using rules
  Support WS-Security, WS-Federation, SAML
  Little known feature: OAuth2 delegation

42 OAuth flow using ACS

43 demo ASP.NET Web API, OAuth2, Windows Azure ACS

44 OAuth2 delegation?
  You: OAuth authorization server
  ACS: Keep track of supported consumers
  ACS: Keep track of user consent
  ACS: OAuth token expiration & refresh
  You: Your API

45 Conclusion

46 Key takeaways
  APIs are the new apps
  Valuable
  HTTP
  ASP.NET Web API
  OAuth2
  Windows Azure Access Control Service

47 Thank you!
  http://blog.maartenballiauw.be
  @maartenballiauw
  http://amzn.to/pronuget


