OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - TechDays Belgium 2013


Description

APIs are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.

Transcript of OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - TechDays Belgium 2013

Page 1: OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - TechDays Belgium 2013
Page 2

OAuth-as-a-service
using ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw
@maartenballiauw

Page 3

Who am I?

Maarten Balliauw
Technical Evangelist, JetBrains
MyGet.org
AZUG
Focus on web: ASP.NET MVC, Windows Azure, SignalR, ...
MVP Windows Azure & ASPInsider

Buy me a beer! http://amzn.to/pronuget

http://blog.maartenballiauw.be
@maartenballiauw
Shameless self promotion: Pro NuGet - http://amzn.to/pronuget

Page 4

Agenda

Why would I need an API?
API characteristics
ASP.NET MVC Web API
Windows Azure ACS

Page 5

Why would I need an API?

Page 6

Consuming the web

2000-2008: Desktop browser
2008-2012: Mobile browser
2008-2012: iPhone and Android apps
2010-2014: Tablets, tablets, tablets
2014-2016: Your fridge (Internet of Things)

Page 8

Twitter & Facebook
By show of hands

Page 9

Make everyone API
(as the French say)

Page 10

Expose services to 3rd parties
Valuable
Flexible
Managed
Supported
Have a plan

Page 11

Reach More Clients

Page 12

You’re not the only one

Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/

Page 13

API Characteristics

Page 14

What is an API?

Software-to-Software interface
Contract between software and developers
Functionalities, constraints (technical / legal)
Programming instructions and standards
Open services to other software developers (public or private)

Page 15

Flavours

Transport: HTTP, Sockets
Message contract: SOAP, XML, Binary, JSON, HTML, …

Page 16

Technical

Most APIs use HTTP and REST extensively
Addressing
HTTP Verbs
Media types
HTTP status codes
Hypermedia (*)

Page 17

The Web is an API

Demo

Page 18

HTTP Verbs

GET – return data
HEAD – check if the data exists
POST – create or update data
PUT – put data
MERGE – merge values with existing data
DELETE – delete data

Page 19

Status codes

200 OK – Everything is OK, your expected data is in the response.
401 Unauthorized – You either have to log in or you are not allowed to access the resource.
404 Not Found – The resource could not be found.
500 Internal Server Error – The server failed processing your request.
…

Page 20

Be detailed!

Think RFC2324!

Page 21

ASP.NET Web API

Page 22

ASP.NET Web API

Part of ASP.NET MVC 4
Framework to build HTTP Services (REST)
Solid features:
Modern HTTP programming model
Content negotiation (e.g. xml, json, ...)
Query composition (OData query support)
Model binding and validation (conversion to .NET objects)
Routes
Filters (e.g. Validation, exception handling, ...)
And more!

Page 23

ASP.NET Web API is easy!

HTTP Verb = action
“Content-type” header = data format in
“Accept” header = data format out
Return meaningful status code

Page 24

Creating an API using ASP.NET Web API

Demo

Page 25

Securing your API

No authentication
Basic/Windows authentication
[Authorize] attribute

Page 26

Securing your API

Demo

Page 27

The world of API clients is complex

CLIENTS
HTML5+JS
SPA
Native apps
Server-to-server

AUTHN + AUTHZ
Username/password?
Basic auth?
NTLM / Kerberos?
Client certificate?
Shared secret?

Page 28

A lot of public APIs…

“your API consumer isn’t really your user, but an application acting on behalf of a user”

(or: API consumer != user)

Page 29

OAuth2

Page 30

Page 31

TechDays badges

“I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”

Page 32

TechDays badges

+--------+                                  +---------------+
|        |--(A)-- Register for TechDays --->|   Resource    |
|        |                                  |     Owner     |
|        |<-(B)- Sure! Here’s an e-ticket --|   Microsoft   |
|        |                                  +---------------+
|        |
|        |                                  +---------------+
| Client |--(C)------ Was invited! -------->| Authorization |
|   Me   |                                  |     Server    |
|        |<-(D)----- Here’s a badge! -------|   Reception   |
|        |       (5-7 March; speaker)       +---------------+
|        |
|        |                                  +---------------+
|        |--(E)------- Show badge --------->|   Resource    |
|        |                                  |     Server    |
|        |<-(F)--- Enter speakers room -----|   Kinepolis   |
+--------+                                  +---------------+

Next year, I will have to refresh my badge

Page 33

TechDays badges

“I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”

Me = Client
Barcode = Access Code
Reception = Authorization Server
Microsoft = Resource Owner
Kinepolis = Resource Server
Badge = Access Token
Speaker = Scope
5-7 March = Token Lifetime

Delegation

Maarten Balliauw
Page 34

Page 35

OAuth2

+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+

Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31
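The abstract flow above, and the badge analogy on the previous slides, leave out what each party actually checks at steps (B) through (F). The following is an added example, not code from the talk or from ASP.NET Web API or ACS: a self-contained Python simulation in which the authorization server ("Reception") registers clients, issues single-use grants, mints opaque access and refresh tokens with a scope and a lifetime, and the resource server ("Kinepolis") admits a request only for a live token carrying the required scope. It also runs the "refresh" variant from the later slide and goes slightly beyond the status-code slide by answering 403 (valid token, wrong scope) alongside 200 and 401. The client id and secret, user name, scopes, room names and the fixed clock are all constructed for the example.

```python
# Added example (not the speaker's code): a self-contained simulation of the
# abstract OAuth2 flow (A)-(F) above, cast in the badge slide's roles. Tokens
# are opaque server-side strings and the clock is a constructed constant, so the
# lifetime checks run offline. Client id/secret, user, scopes and resource
# names are constructed for this example.
import secrets

CLOCK = {"now": 1_000_000}  # constructed clock; real code uses time.time()


class AuthorizationServer:
    """Plays 'Reception': knows registered clients, issues grants and tokens."""

    def __init__(self):
        self.registered_clients = {"demo-client": "demo-client-secret"}  # constructed
        self.grants = {}          # code -> (client_id, user, scopes); single use
        self.access_tokens = {}   # token -> {user, scopes, client, exp}
        self.refresh_tokens = {}  # token -> (client_id, user, scopes)

    def issue_grant(self, client_id, user, scopes):  # (B): the resource owner approved
        if client_id not in self.registered_clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)
        self.grants[code] = (client_id, user, tuple(scopes))
        return code

    def exchange_grant(self, client_id, client_secret, code, lifetime=3600):  # (C)/(D)
        self._check_client(client_id, client_secret)
        grant = self.grants.pop(code, None)  # pop: a grant may be used once
        if grant is None or grant[0] != client_id:
            raise PermissionError("invalid or replayed grant")
        return self._mint(client_id, grant[1], grant[2], lifetime)

    def refresh(self, client_id, client_secret, refresh_token, lifetime=3600):
        """'Refresh' variant: a new access token without involving the resource owner."""
        self._check_client(client_id, client_secret)
        entry = self.refresh_tokens.pop(refresh_token, None)  # rotate on use
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid refresh token")
        return self._mint(client_id, entry[1], entry[2], lifetime)

    def introspect(self, token):  # for the resource server: an opaque token is a lookup key
        entry = self.access_tokens.get(token)
        if entry is None or entry["exp"] <= CLOCK["now"]:
            return None
        return entry

    def _check_client(self, client_id, client_secret):
        if self.registered_clients.get(client_id) != client_secret:
            raise PermissionError("bad client credentials")

    def _mint(self, client_id, user, scopes, lifetime):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access_tokens[access] = {"user": user, "scopes": set(scopes),
                                      "client": client_id, "exp": CLOCK["now"] + lifetime}
        self.refresh_tokens[refresh] = (client_id, user, scopes)
        return {"access_token": access, "refresh_token": refresh, "expires_in": lifetime}


class ResourceServer:
    """Plays 'Kinepolis': serves a resource only for a live token with the right scope."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.rooms = {"speakers-room": "speaker", "attendee-hall": "attendee"}  # resource -> scope

    def get(self, resource, token):  # (E)/(F); codes as on the status-code slide, plus 403
        entry = self.auth_server.introspect(token)
        if entry is None:
            return 401, None  # missing, unknown or expired token
        if self.rooms[resource] not in entry["scopes"]:
            return 403, None  # authenticated, but the token lacks this scope
        return 200, f"welcome to {resource}, {entry['user']}"


def run_flow():
    """Drive (A)-(F), then a replayed grant, an expired token and a refresh."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    code = auth.issue_grant("demo-client", "maarten", ["speaker"])           # (A)/(B)
    tokens = auth.exchange_grant("demo-client", "demo-client-secret", code)  # (C)/(D)
    results = {
        "speakers": api.get("speakers-room", tokens["access_token"])[0],   # (E)/(F): 200
        "attendees": api.get("attendee-hall", tokens["access_token"])[0],  # 403
        "bogus": api.get("speakers-room", "not-a-token")[0],               # 401
    }
    try:
        auth.exchange_grant("demo-client", "demo-client-secret", code)
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"  # the grant was single use
    CLOCK["now"] += 7200                # the token lifetime has elapsed
    results["expired"] = api.get("speakers-room", tokens["access_token"])[0]    # 401
    fresh = auth.refresh("demo-client", "demo-client-secret", tokens["refresh_token"])
    results["refreshed"] = api.get("speakers-room", fresh["access_token"])[0]   # 200
    return results
```

Calling run_flow() returns the status code each request received. The design choices worth noting are the ones the slides gloss over: the grant is popped, so a replayed grant fails; the refresh token is rotated on use; and the resource server never interprets the token itself but asks the authorization server, which is the same split of responsibilities the ACS delegation slides describe later.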

Page 36

Page 37

On the Web

Demo

Page 38

Quick side note…

There are 3 major authentication flows
Based on type of client
Variants possible

Page 39

OAuth2 – Initial flow

Page 40

OAuth2 – “Refresh” (one of those variants)

Page 41

Access tokens / Refresh tokens

In theory: whatever format you want
Widely used: JWT (“JSON Web Token”)
Less widely used: SWT (“Simple Web Token”)
Signed / Encrypted

Page 42

JWT

Header:
{"alg":"none"}

Token:
{"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
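The header on this slide, {"alg":"none"}, is the one case a token consumer must treat with care: an unsigned JWT carries claims that nobody has vouched for, so an API that picks the verification algorithm from the header would accept whatever the bearer wrote. The following is an added example, not code from the talk or from any JWT library: it hand-rolls the JWT compact serialization (base64url header, claims and signature joined by dots) for the slide's claims, and a verifier that whitelists HS256, checks the HMAC with a constant-time compare, and enforces exp. The signing key and the clock values passed to verify() are constructed for the example.

```python
# Added example (not the speaker's code or any library): hand-rolled JWT compact
# serialization for the token on the slide above, with a verifier that only
# accepts HS256. A header of {"alg":"none"} means the token carries no
# signature, so a consumer that trusts the header would accept any claims;
# the verifier below whitelists the algorithm instead. KEY and the clock
# values passed to verify() are constructed for the example.
import base64
import hashlib
import hmac
import json

SLIDE_CLAIMS = {"iss": "joe", "exp": 1300819380, "http://some.ns/read": True}
KEY = b"constructed-demo-key"  # constructed; a real key is a random secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict, key: bytes = b"", alg: str = "HS256") -> str:
    """Build header.claims.signature; alg='none' yields the unsigned form from the slide."""
    header = {"alg": alg}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."  # empty third segment: nobody vouches for the claims
    if alg != "HS256":
        raise ValueError("unsupported alg")
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, key: bytes, now: int) -> dict:
    """Return the claims only if the token is HS256-signed with key and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # decide the algorithm yourself, never from the header
        raise ValueError(f"rejected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def demo() -> dict:
    """Exercise the verifier on the slide's unsigned token, a signed one, tampering and expiry."""
    results = {}
    checks = {
        "none": encode(SLIDE_CLAIMS, alg="none"),  # exactly the slide's header
        "signed": encode(SLIDE_CLAIMS, KEY),
    }
    h, _, s = checks["signed"].split(".")
    forged = dict(SLIDE_CLAIMS, **{"http://some.ns/write": True})  # claim added, old signature kept
    checks["tampered"] = h + "." + b64url(json.dumps(forged, separators=(",", ":")).encode()) + "." + s
    for name, token in checks.items():
        try:
            results[name] = "ok:" + verify(token, KEY, now=1300819000)["iss"]
        except ValueError as err:
            results[name] = str(err)
    try:
        verify(checks["signed"], KEY, now=1300819380)  # exp is no longer in the future
        results["expired"] = "accepted"
    except ValueError as err:
        results["expired"] = str(err)
    return results
```

demo() returns one verdict per case: the slide's unsigned token and the tampered token are rejected, the correctly signed token yields its claims, and the same signed token is rejected once the clock reaches its exp. The pattern that matters for an API using either JWT or SWT is the fixed algorithm whitelist: the token format may be "whatever you want", but the consumer, not the token, decides how it is validated.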

Page 43

Is OAuth2 different from OpenID?
Yes.
OpenID = authN
OAuth2 = authN (optional) + authZ

http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing
http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx

Page 44

What you have to implement

OAuth authorization server
Keep track of supported consumers
Keep track of user consent
OAuth token expiration & refresh
Oh, and your API

Page 45

Page 46

Windows Azure Access Control Service

Page 47

ACS - Identity in Windows Azure

Active Directory federation
Graph API
Web SSO
Link apps to identity providers using rules
Support WS-Security, WS-Federation, SAML
Little known feature: OAuth2 delegation

Page 48

OAuth flow using ACS

Page 49

ASP.NET Web API, OAuth2, Windows Azure ACS

Demo

Page 50

OAuth2 delegation?

You: OAuth authorization server
ACS: Keep track of supported consumers
ACS: Keep track of user consent
ACS: OAuth token expiration & refresh
You: Your API

Page 51

Conclusion

Page 52

Key takeaways

APIs are the new apps
Valuable
HTTP
ASP.NET Web API
OAuth2
Windows Azure Access Control Service

Page 53

Thank you!

http://blog.maartenballiauw.be

@maartenballiauw

http://amzn.to/pronuget