Emad Alashi • Senior Developer at Readify • ASP.NET/IIS MVP • www.DotNetArabi.com • www.EmadAshi.com • @emadashi

OAuth in the new .NET world (OWIN)


Basic introduction to OAuth and how it works in the new .NET ecosystem, through OWIN and the authentication middleware.



OAuth 2.0 & .NET

Live with others


Pre-OAuth era (Yeah, History!)


[Diagram: "Username & password" repeated on each connection; Resources: images, email, data, etc.]


Facebook Auth

Google AuthSub

Flickr API

Yahoo BBAuth Web Services


So how does it work?


• Resource owner
• Authorization Server
• Resource Server
• Client
• My
• Authorization/Resources Server


My

302 to fb.com/auth? clientID & scope & redirectUri=myPD.com/signin

302 to myPD.com/signin? code & scope

fb.com/auth? clientId & code & redirectUri

accessToken & tokenType & expires & refreshToken

Welcome

myPodcast.com

This app wants…are you sure?

Yes please, allow


OAuth in MVC 4: DotNetOpenAuth & OAuthWebSecurity


OAuth in MVC 5: OWIN


owin.org


OWIN (Open Web Interface for .NET)


OWIN with IIS


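    public override async Task Invoke(IOwinContext con)
    {
        // Do I need to alter the request? Do it here, before the next middleware runs.

        // Allow subsequent middlewares? Call the next one; skip this call to stop the pipeline here.
        await base.Next.Invoke(con);

        // Need to alter the response? Do it here, after the downstream middlewares return.
    }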

Middleware 1

Middleware 2

Middleware 3


Authentication middleware


Authentication middleware • Application

ApplyResponseGrant

Invoke

ApplyResponseChallenge

AuthenticateCoreAsync


Facebook example


Facebook middleware • Cookies middleware • Application

401 (facebook)

302 to Fb.com/oauth?redirectUri=signin-facebook

302 to Account/External

Get: Account/External

AuthenticateCoreAsync: Create Identity

ApplyResponseGrant: wrap claims in App ticket, create cookie

Post: myPd.com/Account/Login(Facebook)

Get: myPd.com/signin-facebook?code=djlsjjce

ApplyResponseChallenge: 302 to fb.com/oauth

302 to myPD.com/Account/External

SignInExternal: Create Identity
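
The Facebook sign-in sequence on this slide, wired up as an OWIN Startup class. This is an added example, not code from the talk; the app-setting names fb:AppId and fb:AppSecret and the inline Map handlers standing in for the MVC Account controller are assumptions.

```csharp
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Facebook;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Cookies middleware: issues and validates the application's own sign-in cookie.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieSecure = CookieSecureOption.Always
        });
        // Short-lived cookie that carries the external identity from the callback to the application.
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        // Facebook middleware: passive, so it acts only on a 401 that names "Facebook"
        // and on requests to its callback path (/signin-facebook by default).
        app.UseFacebookAuthentication(new FacebookAuthenticationOptions
        {
            AppId = ConfigurationManager.AppSettings["fb:AppId"],         // assumed setting name
            AppSecret = ConfigurationManager.AppSettings["fb:AppSecret"]  // assumed setting name
        });
        // Account/Login(Facebook): 401 (facebook) -> ApplyResponseChallenge -> 302 to Facebook.
        app.Map("/Account/Login", login => login.Run(ctx =>
        {
            ctx.Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = "/Account/External" }, "Facebook");
            ctx.Response.StatusCode = 401;
            return Task.FromResult(0);
        }));

        // Account/External: read the external identity, then create the application identity.
        app.Map("/Account/External", ext => ext.Run(async ctx =>
        {
            var external = await ctx.Authentication.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
            if (external == null) { ctx.Response.StatusCode = 403; return; }
            var identity = new ClaimsIdentity(external.Identity.Claims, DefaultAuthenticationTypes.ApplicationCookie);
            ctx.Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
            ctx.Authentication.SignIn(identity); // ApplyResponseGrant wraps the claims in a ticket and sets the cookie
            ctx.Response.Redirect("/");
        }));
    }
}
```

The two Map branches are registered after the authentication middlewares so that their 401 and SignIn calls pass back through the Facebook and cookies middleware on the way out.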


OAuth Auth mid. • OAuth Server mid. • Application

redirectUri?token=uhuihuhkn

/auth?clientId&Response_Type

/token?code=tyggyug

aPage

AuthHead: Bearer ygugjygj

ApplyResponseGrant

signIn

signIn

AuthenticateCoreAsync

Invoke: validations


Microsoft.Owin.Security.Infrastructure

AuthenticationMiddleware
• Constructor
• CreateHandler

AuthenticationHandler
• AuthenticateCoreAsync
• InvokeAsync
• ApplyResponseGrantAsync
• ApplyResponseChallengeAsync


Authentication Middleware

• Facebook
• Google
• Twitter
• OAuth
• Server
• Authentication


Q & A

Emad.ashi@gmail

@EmadAshi