OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - SDC2013


DESCRIPTION

APIs are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.


OAuth-as-a-service

using ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw

@maartenballiauw

Who am I? Maarten Balliauw

Technical Evangelist, JetBrains

AZUG

Focus on web: ASP.NET MVC, Windows Azure, SignalR, ...

MVP Windows Azure & ASPInsider

http://blog.maartenballiauw.be

@maartenballiauw

Shameless self promotion: Pro NuGet - http://amzn.to/pronuget

Agenda

Why would I need an API?

API characteristics

ASP.NET MVC Web API

Windows Azure ACS

Why would I need an API?

Consuming the web

2000-2008: Desktop browser

2008-2012: Mobile browser

2008-2012: iPhone and Android apps

2010-2014: Tablets, tablets, tablets

2014-2016: Your fridge (Internet of Things)

Twitter & Facebook

By show of hands

Make everyone API (as the French say)

Expose services to 3rd parties

Valuable

Flexible

Managed

Supported

Have a plan

API Characteristics

What is an API?

Software-to-Software interface

Contract between software and developers

Functionalities, constraints (technical / legal)

Programming instructions and standards

Open services to other software developers (public or private)

Flavours

Transport: HTTP, Sockets

Message contract: SOAP, XML, Binary, JSON, HTML, …

Technical

Most APIs use HTTP and REST extensively

Addressing, HTTP verbs, media types, HTTP status codes, hypermedia (*)

The Web is an API

Demo

HTTP Verbs

GET – return data

HEAD – check if the data exists

POST – create or update data

PUT – put data

MERGE – merge values with existing data

DELETE – delete data

Status codes

200 OK – Everything is OK, your expected data is in the response.

401 Unauthorized – You either have to log in or you are not allowed to access the resource.

404 Not Found – The resource could not be found.

500 Internal Server Error – The server failed processing your request.

Hypermedia in action!

Demo

Be detailed! Remember the RFC!

Think RFC2324!

ASP.NET Web API

ASP.NET Web API

Part of ASP.NET MVC 4

Framework to build HTTP Services (REST)

Solid features

Modern HTTP programming model

Content negotiation (e.g. xml, json, ...)

Query composition (OData query support)

Model binding and validation (conversion to .NET objects)

Routes

Filters (e.g. validation, exception handling, ...)

And more!

ASP.NET Web API is easy!

HTTP Verb = action

“Content-type” header = data format in

“Accept” header = data format out

Return meaningful status code

Demo

Creating an API using ASP.NET Web API

Demo

Securing your API

No authentication

Basic/Windows authentication

[Authorize] attribute

Demo

Securing your API

The world of API clients is complex

CLIENTS

HTML5+JS

SPA

Native apps

Server-to-server

AUTHN + AUTHZ

Username/password?

Basic auth?

NTLM / Kerberos?

Client certificate?

Shared secret?

A lot of public APIs…

“your API consumer isn’t really your user, but an application acting on behalf of a user”

(or: API consumer != user)

OAuth2

Guest badges

Building owner / colleague: full-access badge

Guest badge: your name on it, limited scope (only 7th floor), limited validity (only today)

Guest badges

+--------+                               +---------------+
|        |--(A)-- Can access tomorrow?-->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)- Sure! Here’s invite ----|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)----- Was invited! ------>|               |
| Client |                               |   Reception   |
|        |<-(D)---- Here’s a badge! -----|               |
|        |      (today;7th floor)        +---------------+
|        |
|        |                               +---------------+
|        |--(E)------ Show badge ------->|   Resource    |
|        |                               |     Server    |
|        |<-(F) Sure you can get coffee! |               |
+--------+                               +---------------+

And tomorrow, you’ll have to refresh your badge!

OAuth2

+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+

Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31

Quick side note…

There are 3 major authentication flows

Based on type of client

Variants possible

On the web…

Access tokens / Refresh tokens

In theory: whatever format you want

Widely used: JWT (“JSON Web Token”)

Less widely used: SWT (“Simple Web Token”)

Signed / Encrypted

JWT

Header: {"alg":"none"}

Token:  {"iss":"joe",
         "exp":1300819380,
         "http://some.ns/read":true}
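The abstract flow (A) to (F) above and the JWT on this slide, played out end to end as an added example that is not code from the talk: a toy authorization server records consent (A/B) and swaps a one-time grant for an HS256-signed JWT (C/D), and a resource server checks the token before serving (E/F), refusing the slide's {"alg":"none"} header, forged claims, expired badges and out-of-scope requests. The issuer name, shared key and scope values are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"  # assumption: key shared by authorization server and resource server
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _signing_input(header: dict, claims: dict) -> str:
    return _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())

class AuthorizationServer:
    # The "reception" of the badge analogy: knows the consented grants, hands out badges.
    def __init__(self):
        self.grants = {}  # grant code -> (user, scopes) the resource owner consented to
    def record_consent(self, user: str, scopes: list) -> str:  # steps (A)/(B)
        code = secrets.token_urlsafe(8)
        self.grants[code] = (user, scopes)
        return code
    def issue_token(self, code: str, now: int, ttl: int = 3600):  # steps (C)/(D)
        if code not in self.grants:  # unknown or already-redeemed grant: no token
            return None
        user, scopes = self.grants.pop(code)  # a grant is single use
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": "demo-as", "sub": user, "scope": scopes, "exp": now + ttl}
        signing_input = _signing_input(header, claims)
        sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64(sig)

def unsigned_token(claims: dict) -> str:
    # The slide's {"alg":"none"} shape: header and claims with an empty signature part.
    return _signing_input({"alg": "none"}, claims) + "."

def validate_token(token: str, now: int, required_scope: str):
    # Resource server, steps (E)/(F): returns the subject, or None when the badge is refused.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, c64, s64 = parts
    header = json.loads(_unb64(h64))
    if header.get("alg") != "HS256":  # refuse "none" and any algorithm we never issue
        return None
    expected = hmac.new(SECRET, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s64)):
        return None  # forged or tampered token
    claims = json.loads(_unb64(c64))
    if claims.get("exp", 0) <= now or required_scope not in claims.get("scope", []):
        return None  # badge expired (time to refresh) or valid for another floor
    return claims["sub"]
```

A real deployment would also pin the expected issuer and audience and fetch keys from the authorization server rather than sharing a static secret; the algorithm check before the signature check is the part that matters most.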

What you have to implement

OAuth authorization server

Keep track of supported consumers

Keep track of user consent

OAuth token expiration & refresh

Oh, and your API

Windows Azure Access Control Service

ACS - Identity in Windows Azure

Active Directory federation

Graph API

Web SSO

Link apps to identity providers using rules

Support WS-Security, WS-Federation, SAML

Little known feature: OAuth2 delegation

OAuth flow using ACS

Demo

ASP.NET Web API, OAuth2, Windows Azure ACS

OAuth2 delegation?

You: OAuth authorization server

ACS: Keep track of supported consumers

ACS: Keep track of user consent

ACS: OAuth token expiration & refresh

You: Your API

Conclusion

Key takeaways

APIs are the new apps

Valuable

HTTP

ASP.NET Web API

OAuth2

Windows Azure Access Control Service

Thank you!

http://blog.maartenballiauw.be

@maartenballiauw

http://amzn.to/pronuget
