OAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw@maartenballiauw

#warmcrocconf

Who am I? Maarten Balliauw

Technical Evangelist, JetBrains

AZUG

Focus on web ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsider

http://blog.maartenballiauw.be

@maartenballiauw

Shameless self promotion: Pro NuGet - http://amzn.to/pronuget

Agenda Why would I need an API?

API characteristics

ASP.NET MVC Web API

Windows Azure ACS

Why would I need an API?

Consuming the web 2000-2008: Desktop browser

2008-2012: Mobile browser

2008-2012: iPhone and Android apps

2010-2014: Tablets, tablets, tablets

2014-2016: Your fridge (Internet of Things)

Twitter & FacebookBy show of hands

Make everyone API(as the French say)

Expose services to 3rd parties

Valuable

Flexible

Managed

Supported

Have a plan

Reach More Clients

You’re not the only one

Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/

API Characteristics

What is an API? Software-to-Software interface

Contract between software and developers Functionalities, constraints (technical / legal) Programming

instructions and standards

Open services to other software developers (public or private)

Flavours Transport HTTP Sockets

Message contract SOAP XML Binary JSON HTML …

Technical Most API’s use HTTP and REST extensively Addressing HTTP Verbs Media types HTTP status codes Hypermedia (*)

The Web is an API

Demo

HTTP Verbs

GET – return data

HEAD – check if the data exists

POST – create or update data

PUT – put data

MERGE – merge values with existing data

DELETE – delete data

Status codes 200 OK – Everything is OK, your expected data is in the response.

401 Unauthorized – You either have to log in or you are not allowed to access the resource.

404 Not Found – The resource could not be found.

500 Internal Server Error – The server failed processing your request.

…

Hypermedia in action!

dem

o

Be detailed!Remember the RFC!

Think RFC2324!

ASP.NET Web API

ASP.NET Web API Part of ASP.NET MVC 4

Framework to build HTTP Services (REST)

Solid features Modern HTTP programming model Content negotiation (e.g. xml, json, ...) Query composition (OData query support) Model binding and validation (conversion to .NET objects) Routes Filters (e.g. Validation, exception handling, ...) And more!

ASP.NET Web API is easy! HTTP Verb = action

“Content-type” header = data format in

“Accept” header = data format out

Return meaningful status code

dem

o

Creating an APIusing ASP.NET Web API

Demo

Securing your API No authentication

Basic/Windows authentication

[Authorize] attribute

dem

o

Securing your API

A lot of public API’s…

“your API consumer isn’t really your user,but an application acting on behalf of a user”

(or: API consumer != user)

OAuth2

Guest badges Building owner / colleague full-access badge

Guest badge Your name on it Limited scope (only 7th floor) Limited validity (only today)

Guest badges +--------+ +---------------+ | |--(A)-- Can access tomorrow?-->| Resource | | | | Owner | | |<-(B)- Sure! Here’s invite ----| | | | +---------------+ | | . | | +---------------+ | |--(C)----- Was invited! ------>| | | Client | | Reception | | |<-(D)---- Here’s a badge! -----| | | | (today;7th floor) +---------------+ | | . | | +---------------+ | |--(E)------ Show badge ------->| Resource | | | | Server | | |<-(F) Sure you can get coffee! | | +--------+ +---------------+

And tomorrow, you’ll have to refresh your badge!

OAuth2 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+

Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31

Quick side note… There are 3 major authentication flows

Based on type of client

Variants possible

On the web…

OAuth2 – Initial flow

OAuth2 – “Refresh” (one of those variants)

Access tokens / Refresh tokens In theory: whatever format you want

Widely used: JWT (“JSON Web Token”)

Less widely used: SWT (“Simple Web Token”)

Signed / Encrypted

JWT

Header:{"alg":"none"}

Token:{"iss":"joe",

"exp":1300819380,

"http://some.ns/read":true}

Is OAuth2 different from OpenID? Yes.

OpenID = authN

OAuth2 = authN (optional) + authZ

http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing

http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx

What you have to implement OAuth authorization server

Keep track of supported consumers

Keep track of user consent

OAuth token expiration & refresh

Oh, and your API

Windows AzureAccess Control Service

ACS - Identity in Windows Azure Active Directory federation

Graph API

Web SSO

Link apps to identity providers using rules

Support WS-Security, WS-Federation, SAML

Little known feature: OAuth2 delegation

OAuth flow using ACS

dem

o

ASP.NET Web API, OAuth2, Windows Azure ACS

OAuth2 delegation? You: OAuth authorization server

ACS: Keep track of supported consumers

ACS: Keep track of user consent

ACS: OAuth token expiration & refresh

You: Your API

Conclusion

Key takeaways API’s are the new apps

Valuable

HTTP

ASP.NET Web API

Windows Azure Access Control Service

Thank you!

http://blog.maartenballiauw.be

@maartenballiauw

http://amzn.to/pronuget