OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
APRIL 7, 2023 | SLIDE 1
APRIL 7, 2023 | SLIDE 2
Maarten Balliauw
@maartenballiauw
Technical Consultant Windows Azure
RealDolmen
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
APRIL 7, 2023 | SLIDE 4
Who am I?
Maarten Balliauw
Antwerp, Belgium
www.realdolmen.com
Focus on web: ASP.NET MVC, Windows Azure, SignalR, ...
MVP Windows Azure & ASPInsider
http://blog.maartenballiauw.be
@maartenballiauw
Author: Pro NuGet - http://amzn.to/pronuget
APRIL 7, 2023 | SLIDE 5
Agenda
Why would I need an API?
API characteristics
ASP.NET MVC Web API
Windows Azure ACS
APRIL 7, 2023 | SLIDE 6
WHY WOULD I NEED AN API?
APRIL 7, 2023 | SLIDE 7
Consuming the web
2000-2008: Desktop browser
2008-2012: Mobile browser
2008-2012: iPhone and Android apps
2010-2014: Tablets, tablets, tablets
2014-2016: Your fridge (Internet of Things)
APRIL 7, 2023 | SLIDE 8
APRIL 7, 2023 | SLIDE 9
Twitter & Facebook
By show of hands…
APRIL 7, 2023 | SLIDE 10
(as the French say)
Make everyone API
APRIL 7, 2023 | SLIDE 11
Expose services to 3rd parties
Valuable
Flexible
Managed
Supported
Have a plan
APRIL 7, 2023 | SLIDE 12
Reach More Clients
APRIL 7, 2023 | SLIDE 13
You’re not the only one
Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
APRIL 7, 2023 | SLIDE 14
API CHARACTERISTICS
APRIL 7, 2023 | SLIDE 15
What is an API?
Software-to-Software interface
Contract between software and developers
Functionalities, constraints (technical / legal)
Programming instructions and standards
Open services to other software developers (public or private)
APRIL 7, 2023 | SLIDE 16
Flavours
Transport: HTTP, Sockets
Message contract: SOAP, XML, Binary, JSON, HTML, …
APRIL 7, 2023 | SLIDE 17
Technical
Most APIs use HTTP and REST extensively
Addressing
HTTP Verbs
Media types
HTTP status codes
APRIL 7, 2023 | SLIDE 18
Demo: The Web is an API
APRIL 7, 2023 | SLIDE 19
HTTP Verbs
GET – return data
HEAD – check if the data exists
POST – create or update data
PUT – put data
MERGE – merge values with existing data
DELETE – delete data
APRIL 7, 2023 | SLIDE 20
Status codes
200 OK – Everything is OK, your expected data is in the response.
401 Unauthorized – You either have to log in or you are not allowed to access the resource.
404 Not Found – The resource could not be found.
500 Internal Server Error – The server failed processing your request.
…
APRIL 7, 2023 | SLIDE 21
Be detailed!
Think about RFC 2324 (HTCPCP)
APRIL 7, 2023 | SLIDE 22
ASP.NET WEB API
APRIL 7, 2023 | SLIDE 23
ASP.NET Web API
Part of ASP.NET MVC 4
Framework to build HTTP Services (REST)
Solid features:
Modern HTTP programming model
Content negotiation (e.g. xml, json, ...)
Query composition (OData query support)
Model binding and validation (conversion to .NET objects)
Routes
Filters (e.g. Validation, exception handling, ...)
And more!
APRIL 7, 2023 | SLIDE 24
ASP.NET Web API is easy!
HTTP Verb = action
“Content-type” header = data format in
“Accept” header = data format out
Return meaningful status code
APRIL 7, 2023 | SLIDE 25
Demo: Crafting an API using ASP.NET Web API
APRIL 7, 2023 | SLIDE 26
Securing your API
No authentication
Basic/Windows authentication
[Authorize] attribute
They all require username/password to be known by the API consumer…
APRIL 7, 2023 | SLIDE 27
“your API user isn’t really your user, but an application acting on behalf of a user”
(or: API consumer != end user)
APRIL 7, 2023 | SLIDE 28
OAUTH2
APRIL 7, 2023 | SLIDE 29
Guest badges
Your full-access badge
Guest badge:
Your name on it
Limited scope (only 7th floor)
Limited validity (only today)
APRIL 7, 2023 | SLIDE 30
On the web…
APRIL 7, 2023 | SLIDE 31
OAuth2 – Initial flow
APRIL 7, 2023 | SLIDE 32
OAuth2 – “Refresh”
APRIL 7, 2023 | SLIDE 33
What you have to implement
OAuth authorization server
Keep track of supported consumers
Keep track of user consent
OAuth token expiration & refresh
Oh, and your API
AARGH!
APRIL 7, 2023 | SLIDE 34
ACCESS CONTROL SERVICE
Windows Azure
APRIL 7, 2023 | SLIDE 35
ACS - Identity in Windows Azure
Active Directory federation
Graph API
Web SSO
Link apps to identity providers using rules
Support WS-Security, WS-Federation, SAML
Little known feature: OAuth2 delegation
APRIL 7, 2023 | SLIDE 36
OAuth flow using ACS
APRIL 7, 2023 | SLIDE 37
Demo (the big one): ASP.NET Web API, OAuth2, Windows Azure ACS
APRIL 7, 2023 | SLIDE 38
OAuth2 delegation?
You: OAuth authorization server
ACS: Keep track of supported consumers
ACS: Keep track of user consent
ACS: OAuth token expiration & refresh
You: Your API
APRIL 7, 2023 | SLIDE 39
CONCLUSION
APRIL 7, 2023 | SLIDE 40
Key takeaways
APIs are the new apps
Valuable
HTTP
ASP.NET Web API
Windows Azure Access Control Service
APRIL 7, 2023 | SLIDE 41
THANK YOU!
http://blog.maartenballiauw.be
@maartenballiauw
http://amzn.to/pronuget