
adhocjackpotSecurity

Nov 5, 2013


OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw
@maartenballiauw

Who am I?

- Maarten Balliauw
- Technical Evangelist, JetBrains
- AZUG
- Focus on web
- ASP.NET MVC, Windows Azure, SignalR, ...
- MVP Windows Azure & ASPInsider
- http://blog.maartenballiauw.be
- @maartenballiauw
- Shameless self promotion: Pro NuGet - http://amzn.to/pronuget

Agenda

- Why would I need an API?
- API characteristics
- ASP.NET MVC Web API
- Windows Azure ACS

Why would I need an API?

Consuming the web

- 2000-2008: Desktop browser
- 2008-2012: Mobile browser
- 2008-2012: iPhone and Android apps
- 2010-2014: Tablets, tablets, tablets
- 2014-2016: Your fridge (Internet of Things)

Twitter & Facebook

By show of hands

Make everyone API (as the French say)

Expose services to 3rd parties

- Valuable
- Flexible
- Managed
- Supported
- Have a plan

API Characteristics

What is an API?

- Software-to-software interface
- Contract between software and developers
- Functionalities, constraints (technical / legal), programming instructions and standards
- Open services to other software developers (public or private)



Flavours

Transport
- HTTP
- Sockets

Message contract
- SOAP
- XML
- Binary
- JSON
- HTML

Technical

- Most APIs use HTTP and REST extensively
- Addressing
- HTTP verbs
- Media types
- HTTP status codes
- Hypermedia (*)

The Web is an API


Demo

HTTP Verbs

- GET: return data
- HEAD: check if the data exists
- POST: create or update data
- PUT: put data
- MERGE: merge values with existing data
- DELETE: delete data

Status codes

- 200 OK: Everything is OK, your expected data is in the response.
- 401 Unauthorized: You either have to log in or you are not allowed to access the resource.
- 404 Not Found: The resource could not be found.
- 500 Internal Server Error: The server failed processing your request.

Hypermedia in action!

demo

Be detailed!

Remember the RFC!

Think RFC2324!

ASP.NET Web API

ASP.NET Web API

- Part of ASP.NET MVC 4
- Framework to build HTTP services (REST)
- Solid features
- Modern HTTP programming model
- Content negotiation (e.g. xml, json, ...)
- Query composition (OData query support)
- Model binding and validation (conversion to .NET objects)
- Routes
- Filters (e.g. validation, exception handling, ...)
- And more!

ASP.NET Web API is easy!

- HTTP verb = action
- “Content-type” header = data format in
- “Accept” header = data format out
- Return meaningful status code

demo

Creating an API using ASP.NET Web API

Demo

Securing your API

- No authentication
- Basic/Windows authentication
- [Authorize] attribute

demo

Securing your API

The world of API clients is complex

CLIENTS
- HTML5+JS
- SPA
- Native apps
- Server-to-server

AUTHN + AUTHZ
- Username/password?
- Basic auth?
- NTLM / Kerberos?
- Client certificate?
- Shared secret?

A lot of public APIs…

Your API consumer isn’t really your user, but an application acting on behalf of a user

(or: API consumer != user)

OAuth2

Guest badges

- Building owner / colleague: full-access badge
- Guest badge
  - Your name on it
  - Limited scope (only 7th floor)
  - Limited validity (only today)

Guest badges

     +--------+                               +---------------+
     |        |--(A)- Can access tomorrow? -->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)- Sure! Here's invite ----|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)----- Was invited! ------>|               |
     | Client |                               |   Reception   |
     |        |<-(D)---- Here's a badge! -----|               |
     |        |      (today;7th floor)        +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)------ Show badge ------->|   Resource    |
     |        |                               |     Server    |
     |        |<-(F) Sure you can get coffee! |               |
     +--------+                               +---------------+

And tomorrow, you’ll have to refresh your badge!

OAuth2

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

                     Figure 1: Abstract Protocol Flow

http://tools.ietf.org/html/draft-ietf-oauth-v2-31

Quick side note…

- There are 3 major authentication flows
- Based on type of client
- Variants possible

On the web…

Access tokens / Refresh tokens

- In theory: whatever format you want
- Widely used: JWT (“JSON Web Token”)
- Less widely used: SWT (“Simple Web Token”)
- Signed / Encrypted

JWT

Header:

{"alg":"none"}

Token:

{"iss":"joe",
 "exp":1300819380,
 "http://some.ns/read":true}
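The JWT above, carried as the access token in steps (D) to (F) of the OAuth2 flow, as an added Python example that is not part of the deck: the authorization server signs the deck's sample claims with HS256, and the resource server verifies the signature, the expiry and the custom scope claim, rejecting a token whose header says "alg":"none" outright. The shared secret, HS256 and the hand-rolled encoding (instead of ACS's own token handling) are assumptions for the example.

```python
import base64, hashlib, hmac, json
# Assumption for the example: one secret shared by authorization and resource server (HS256).
SECRET = b"example-shared-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Authorization server, step (D): header.claims.signature, HS256-signed."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int, secret: bytes = SECRET):
    """Resource server, step (E): return the claims, or None if the token is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return None
    # Accept only the algorithm this server signs with: a header of
    # {"alg":"none"} like the deck's sample must never pass as a valid token.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    # Limited validity: once "exp" has passed the client has to refresh its token.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims

def can_read(token: str, now: int) -> bool:
    """Step (F): serve the protected resource only if the scope claim was granted."""
    claims = verify_token(token, now)
    return bool(claims) and claims.get("http://some.ns/read") is True

if __name__ == "__main__":
    claims = {"iss": "joe", "exp": 1300819380, "http://some.ns/read": True}
    token = issue_token(claims)
    print(can_read(token, now=1300819000))  # True: signed, unexpired, in scope
    print(can_read(token, now=1300819380))  # False: expired, refresh needed
    unsigned = _b64url(b'{"alg":"none"}') + "." + token.split(".")[1] + "."
    print(can_read(unsigned, now=1300819000))  # False: unsigned token rejected
```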



What you have to implement

- OAuth authorization server
- Keep track of supported consumers
- Keep track of user consent
- OAuth token expiration & refresh
- Oh, and your API

Windows Azure Access Control Service

ACS - Identity in Windows Azure

- Active Directory federation
- Graph API
- Web SSO
- Link apps to identity providers using rules
- Support WS-Security, WS-Federation, SAML
- Little known feature: OAuth2 delegation

OAuth flow using ACS

demo

ASP.NET Web API, OAuth2, Windows Azure ACS

OAuth2 delegation?

- You: OAuth authorization server
- ACS: Keep track of supported consumers
- ACS: Keep track of user consent
- ACS: OAuth token expiration & refresh
- You: Your API

Conclusion

Key takeaways

- APIs are the new apps
- Valuable
- HTTP
- ASP.NET Web API
- OAuth2
- Windows Azure Access Control Service

Thank you!

http://blog.maartenballiauw.be
@maartenballiauw
http://amzn.to/pronuget