OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - SDC2013

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw, @maartenballiauw

Description

APIs are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.

Transcript of OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - SDC2013

Page 1

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw, @maartenballiauw

Page 2

Who am I? Maarten Balliauw

Technical Evangelist, JetBrains

AZUG

Focus on web: ASP.NET MVC, Windows Azure, SignalR, ...

MVP Windows Azure & ASPInsider

http://blog.maartenballiauw.be

@maartenballiauw

Shameless self-promotion: Pro NuGet - http://amzn.to/pronuget

Page 3

Agenda

Why would I need an API?

API characteristics

ASP.NET MVC Web API

Windows Azure ACS

Page 4

Why would I need an API?

Page 5

Consuming the web

2000-2008: Desktop browser

2008-2012: Mobile browser

2008-2012: iPhone and Android apps

2010-2014: Tablets, tablets, tablets

2014-2016: Your fridge (Internet of Things)

Page 7

Twitter & Facebook

By show of hands

Page 8

Make everyone API (as the French say)

Page 9

Expose services to 3rd parties

Valuable

Flexible

Managed

Supported

Have a plan

Page 10

API Characteristics

Page 11

What is an API?

Software-to-software interface

Contract between software and developers: functionalities, constraints (technical / legal), programming instructions and standards

Open services to other software developers (public or private)

Page 12

Flavours

Transport: HTTP, Sockets

Message contract: SOAP, XML, Binary, JSON, HTML, …

Page 13

Technical

Most APIs use HTTP and REST extensively: addressing, HTTP verbs, media types, HTTP status codes, hypermedia (*)

Page 14

The Web is an API

Demo

Page 15

HTTP verbs

GET – return data

HEAD – check if the data exists

POST – create or update data

PUT – put data

MERGE – merge values with existing data

DELETE – delete data

Page 16

Status codes

200 OK – Everything is OK, your expected data is in the response.

401 Unauthorized – You either have to log in or you are not allowed to access the resource.

404 Not Found – The resource could not be found.

500 Internal Server Error – The server failed processing your request.

Page 17

Hypermedia in action!

Page 18

Demo

Be detailed! Remember the RFC!

Think RFC2324!

Page 19

ASP.NET Web API

Page 20

ASP.NET Web API

Part of ASP.NET MVC 4

Framework to build HTTP services (REST)

Solid features:

Modern HTTP programming model

Content negotiation (e.g. XML, JSON, ...)

Query composition (OData query support)

Model binding and validation (conversion to .NET objects)

Routes

Filters (e.g. validation, exception handling, ...)

And more!

Page 21

ASP.NET Web API is easy!

HTTP verb = action

“Content-Type” header = data format in

“Accept” header = data format out

Return meaningful status code

Page 22

Demo

Creating an API using ASP.NET Web API

Page 23

Securing your API

No authentication

Basic/Windows authentication

[Authorize] attribute
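What the "verb = action, Content-Type in, Accept out, meaningful status code" recipe from page 21 and the [Authorize] attribute from page 23 look like together in one controller, as an added example that is not the session's demo code. The Coffee resource, the CoffeesController name and the in-memory list are invented for illustration; "DefaultApi" is the route name the ASP.NET Web API project template registers.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// Hypothetical resource used for illustration.
public class Coffee
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// Reached through the template's default route api/{controller}/{id}. The HTTP verb of
// the request selects the action by method-name prefix (Get/Post/Put/Delete), so no
// verb attributes are needed.
[Authorize] // System.Web.Http.AuthorizeAttribute: an anonymous caller gets 401 Unauthorized
            // before any action body runs.
public class CoffeesController : ApiController
{
    // Constructed in-memory data; a real API would use a repository.
    private static readonly List<Coffee> Coffees = new List<Coffee>
    {
        new Coffee { Id = 1, Name = "Espresso" },
        new Coffee { Id = 2, Name = "Flat white" },
    };

    // GET api/coffees
    // The menu is public, so this single action opts out of the controller-level [Authorize].
    [AllowAnonymous]
    public IEnumerable<Coffee> Get()
    {
        // Returning a CLR object lets Web API content-negotiate: the request's Accept
        // header picks the formatter (application/json, application/xml, ...).
        return Coffees;
    }

    // GET api/coffees/5
    public Coffee Get(int id)
    {
        var coffee = Coffees.FirstOrDefault(c => c.Id == id);
        if (coffee == null)
        {
            // A meaningful status code instead of 200 with an empty body.
            throw new HttpResponseException(HttpStatusCode.NotFound);
        }
        return coffee;
    }

    // POST api/coffees  (body deserialized according to the request's Content-Type header)
    public HttpResponseMessage Post(Coffee coffee)
    {
        if (coffee == null || !ModelState.IsValid)
        {
            // 400 with the validation errors; never echo the raw exception to the client.
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
        }
        coffee.Id = Coffees.Max(c => c.Id) + 1;
        Coffees.Add(coffee);

        // 201 Created plus a Location header pointing at the new resource.
        var response = Request.CreateResponse(HttpStatusCode.Created, coffee);
        response.Headers.Location = new Uri(Url.Link("DefaultApi", new { id = coffee.Id }));
        return response;
    }

    // DELETE api/coffees/5
    public HttpResponseMessage Delete(int id)
    {
        int removed = Coffees.RemoveAll(c => c.Id == id);
        // 204 No Content on success, 404 when there was nothing to delete.
        return Request.CreateResponse(removed > 0 ? HttpStatusCode.NoContent : HttpStatusCode.NotFound);
    }
}
```

Two things to check when this does not behave as expected. First, the attribute must be System.Web.Http.AuthorizeAttribute: the MVC attribute of the same name (System.Web.Mvc) compiles fine on an ApiController but is ignored there, leaving the actions open. Second, [Authorize] only inspects the principal that the host has already established; with "No authentication" configured every protected action returns 401, and it is the Basic/Windows authentication (or, later in the deck, the OAuth2 bearer-token handling) that populates the principal the attribute checks.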

Page 24

Demo

Securing your API

Page 25

The world of API clients is complex

CLIENTS

HTML5+JS

SPA

Native apps

Server-to-server

AUTHN + AUTHZ

Username/password?

Basic auth?

NTLM / Kerberos?

Client certificate?

Shared secret?

Page 26

A lot of public APIs…

“your API consumer isn’t really your user, but an application acting on behalf of a user”

(or: API consumer != user)

Page 27

OAuth2

Page 28

Guest badges

Building owner / colleague: full-access badge

Guest badge: your name on it, limited scope (only 7th floor), limited validity (only today)

Page 29

Guest badges

     +--------+                               +---------------+
     |        |--(A)-- Can access tomorrow?-->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)- Sure! Here’s invite ----|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)----- Was invited! ------>|               |
     | Client |                               |   Reception   |
     |        |<-(D)---- Here’s a badge! -----|               |
     |        |       (today;7th floor)       +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)------ Show badge ------->|   Resource    |
     |        |                               |     Server    |
     |        |<-(F) Sure you can get coffee! |               |
     +--------+                               +---------------+

And tomorrow, you’ll have to refresh your badge!

Page 30

Page 31

OAuth2

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

Figure 1: Abstract Protocol Flow, http://tools.ietf.org/html/draft-ietf-oauth-v2-31
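Steps (C) through (F) of the figure, plus the "refresh your badge tomorrow" step from page 29, as seen from the client, written as an added example for this page (it is not the session's demo code and not ACS-specific). It assumes the authorization code grant, so the grant presented in (C) is a code obtained in steps (A)/(B) through the browser; the endpoint URLs, client id, client secret and redirect URI are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class OAuthClientFlow
{
    // Placeholders: substitute the authorization server and API you actually use.
    const string TokenEndpoint = "https://authorization-server.example/oauth2/token";
    const string ApiEndpoint   = "https://api.example/api/coffees";
    const string ClientId      = "my-client-id";
    const string ClientSecret  = "my-client-secret";
    const string RedirectUri   = "https://my-app.example/callback";

    // (C)/(D): exchange a grant for tokens at the token endpoint. The client proves its own
    // identity with HTTP Basic (RFC 6749 section 2.3.1); the grant parameters are form-encoded.
    static async Task<(string access, string refresh)> RequestTokensAsync(
        HttpClient http, Dictionary<string, string> grant)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint)
        {
            Content = new FormUrlEncodedContent(grant)
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.UTF8.GetBytes(ClientId + ":" + ClientSecret)));

        using var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode(); // anything but 2xx here means no token was issued

        // (D): JSON body with access_token and, when the server chooses to issue one, refresh_token.
        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        string access = json.RootElement.GetProperty("access_token").GetString();
        string refresh = json.RootElement.TryGetProperty("refresh_token", out var rt) ? rt.GetString() : null;
        return (access, refresh);
    }

    public static async Task RunAsync(string authorizationCode)
    {
        using var http = new HttpClient();

        // (C): present the authorization code. redirect_uri must match the one used in step (A);
        // the server uses it to detect a code that was captured on a different redirect.
        var (accessToken, refreshToken) = await RequestTokensAsync(http, new Dictionary<string, string>
        {
            ["grant_type"]   = "authorization_code",
            ["code"]         = authorizationCode,
            ["redirect_uri"] = RedirectUri,
            ["client_id"]    = ClientId,
        });

        // (E): call the resource server with the token as a bearer credential. The token is the
        // guest badge: whoever holds it is let in, so it only ever travels over HTTPS.
        var apiRequest = new HttpRequestMessage(HttpMethod.Get, ApiEndpoint);
        apiRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        apiRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        using var apiResponse = await http.SendAsync(apiRequest);

        // (F): 200 with the protected resource, or 401 once the badge has expired.
        if (apiResponse.StatusCode == System.Net.HttpStatusCode.Unauthorized && refreshToken != null)
        {
            // "Tomorrow you'll have to refresh your badge": trade the refresh token for a new
            // access token without sending the user back through steps (A)/(B).
            (accessToken, _) = await RequestTokensAsync(http, new Dictionary<string, string>
            {
                ["grant_type"]    = "refresh_token",
                ["refresh_token"] = refreshToken,
            });
            Console.WriteLine("access token refreshed; retry the API call with the new token");
            return;
        }
        Console.WriteLine((int)apiResponse.StatusCode + " " + await apiResponse.Content.ReadAsStringAsync());
    }
}
```

Note what the client never does: it never sees the user's password (that stays between the user and the authorization server in steps (A)/(B)), and it never inspects the access token. The token's format is the authorization server's and the resource server's business, which is what page 35 turns to next.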

Page 32

Quick side note…

There are 3 major authentication flows

Based on type of client

Variants possible

Page 33

Page 34

On the web…

Page 35

Access tokens / Refresh tokens

In theory: whatever format you want

Widely used: JWT (“JSON Web Token”)

Less widely used: SWT (“Simple Web Token”)

Signed / Encrypted

Page 36

JWT

Header: {"alg":"none"}

Token: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
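The slide's token has an {"alg":"none"} header, which is syntactically a JWT but carries no signature, so a resource server learns nothing from it about who issued the claims. The following added example (written for this page, not ACS or any library's code; it assumes modern .NET with System.Text.Json and CryptographicOperations) shows the order of checks a resource server should apply to an HS256 JWT: decide the algorithm itself, verify the MAC, and only then read claims such as exp. The signing key and the tokens it builds are constructed demo values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class JwtCheck
{
    // Constructed demo secret shared between the issuer and the resource server.
    public static readonly byte[] DemoKey =
        Encoding.UTF8.GetBytes("constructed-demo-key-do-not-use-in-production");

    static string B64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        t = t.PadRight(t.Length + (4 - t.Length % 4) % 4, '=');
        return Convert.FromBase64String(t);
    }

    // Issuer side: header.claims.signature, signed with HMAC-SHA256.
    public static string Sign(string claimsJson, byte[] key)
    {
        string input = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"))
                       + "." + B64Url(Encoding.UTF8.GetBytes(claimsJson));
        using var hmac = new HMACSHA256(key);
        return input + "." + B64Url(hmac.ComputeHash(Encoding.UTF8.GetBytes(input)));
    }

    // Resource-server side: returns the claims JSON when the token is acceptable, otherwise
    // null and the reason. Nothing in the claims is trusted until the MAC has been verified.
    public static string Validate(string token, byte[] key, DateTimeOffset now, out string reason)
    {
        try
        {
            string[] parts = token.Split('.');
            if (parts.Length != 3) { reason = "malformed: expected 3 parts"; return null; }

            // 1. The header names an algorithm, but the server decides what it accepts.
            //    "none" (the slide's header) and anything other than HS256 is refused before any
            //    signature check, so the token cannot choose a weaker verification path.
            using (var header = JsonDocument.Parse(B64UrlDecode(parts[0])))
            {
                string alg = header.RootElement.TryGetProperty("alg", out var a) ? a.GetString() : null;
                if (alg != "HS256") { reason = "unsupported alg: " + (alg ?? "<missing>"); return null; }
            }

            // 2. Recompute the MAC over header.claims and compare in constant time.
            using var hmac = new HMACSHA256(key);
            byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]));
            if (!CryptographicOperations.FixedTimeEquals(expected, B64UrlDecode(parts[2])))
            { reason = "signature mismatch"; return null; }

            // 3. Only now read the claims: enforce exp (seconds since the Unix epoch).
            string claimsJson = Encoding.UTF8.GetString(B64UrlDecode(parts[1]));
            using (var claims = JsonDocument.Parse(claimsJson))
            {
                if (!claims.RootElement.TryGetProperty("exp", out var exp)
                    || exp.GetInt64() <= now.ToUnixTimeSeconds())
                { reason = "expired or missing exp"; return null; }
            }
            reason = null;
            return claimsJson;
        }
        catch (Exception e) when (e is FormatException || e is JsonException)
        {
            reason = "malformed: " + e.Message;
            return null;
        }
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string why;

        // The slide's token: {"alg":"none"} header, empty signature. Rejected at step 1.
        string slideClaims = "{\"iss\":\"joe\",\"exp\":1300819380,\"http://some.ns/read\":true}";
        string unsigned = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"none\"}")) + "."
                          + B64Url(Encoding.UTF8.GetBytes(slideClaims)) + ".";
        Console.WriteLine("alg=none token: " + (Validate(unsigned, DemoKey, now, out why) ?? "rejected (" + why + ")"));

        // The same claims, properly signed and with a one-hour lifetime: accepted.
        string claims = "{\"iss\":\"joe\",\"exp\":" + now.AddHours(1).ToUnixTimeSeconds() + ",\"http://some.ns/read\":true}";
        string good = Sign(claims, DemoKey);
        Console.WriteLine("signed token:   " + (Validate(good, DemoKey, now, out why) ?? "rejected (" + why + ")"));

        // Claims edited after signing (read:true -> read:false) no longer match the MAC: rejected at step 2.
        string[] p = good.Split('.');
        string tampered = p[0] + "." + B64Url(Encoding.UTF8.GetBytes(claims.Replace("true", "false"))) + "." + p[2];
        Console.WriteLine("tampered token: " + (Validate(tampered, DemoKey, now, out why) ?? "rejected (" + why + ")"));
    }
}
```

The order matters: the algorithm is pinned to what the server configured rather than read from the token, the MAC is checked before any claim is used for a decision, and the comparison is constant-time so a mismatch does not leak how many bytes matched. A production resource server would additionally check the issuer and audience claims against the values it expects from its authorization server.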

Page 37

What you have to implement

OAuth authorization server

Keep track of supported consumers

Keep track of user consent

OAuth token expiration & refresh

Oh, and your API

Page 38

Page 39

Windows Azure Access Control Service

Page 40

ACS - Identity in Windows Azure

Active Directory federation

Graph API

Web SSO

Link apps to identity providers using rules

Support WS-Security, WS-Federation, SAML

Little known feature: OAuth2 delegation

Page 41

OAuth flow using ACS

Page 42

Demo

ASP.NET Web API, OAuth2, Windows Azure ACS

Page 43

OAuth2 delegation?

You: OAuth authorization server

ACS: Keep track of supported consumers

ACS: Keep track of user consent

ACS: OAuth token expiration & refresh

You: Your API

Page 44

Conclusion

Page 45

Key takeaways

APIs are the new apps

Valuable

HTTP

ASP.NET Web API

OAuth2

Windows Azure Access Control Service

Page 46

Thank you!

http://blog.maartenballiauw.be

@maartenballiauw

http://amzn.to/pronuget

Page 47