OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
2. Who am I?
Maarten Balliauw
Technical Evangelist, JetBrains
MyGet.org
AZUG
Focus on web
ASP.NET MVC, Windows Azure, SignalR, ...
MVP Windows Azure & ASPInsider
Shameless self promotion: Pro NuGet - http://amzn.to/pronuget
Buy me a beer! http://amzn.to/pronuget
http://blog.maartenballiauw.be
@maartenballiauw
3. Agenda
Why would I need an API?
API characteristics
ASP.NET MVC Web API
Windows Azure ACS
5. Consuming the web
2000-2008: Desktop browser
2008-2012: Mobile browser
2008-2012: iPhone and Android apps
2010-2014: Tablets, tablets, tablets
2014-2016: Your fridge (Internet of Things)
13. What is an API?
Software-to-Software interface
Contract between software and developers
Functionalities, constraints (technical / legal)
Programming instructions and standards
Open services to other software developers (public or private)
14. Flavours
Transport: HTTP, Sockets
Message contract: SOAP, XML, Binary, JSON, HTML, …
15. Technical
Most APIs use HTTP and REST extensively
Addressing
HTTP Verbs
Media types
HTTP status codes
Hypermedia (*)
17. HTTP Verbs
GET – return data
HEAD – check if the data exists
POST – create or update data
PUT – put data
MERGE – merge values with existing data
DELETE – delete data
18. Status codes
200 OK – Everything is OK, your expected data is in the response.
401 Unauthorized – You either have to log in or you are not allowed to
access the resource.
404 Not Found – The resource could not be found.
500 Internal Server Error – The server failed processing your request.
…
21. ASP.NET Web API
Part of ASP.NET MVC 4
Framework to build HTTP Services (REST)
Solid features
Modern HTTP programming model
Content negotiation (e.g. xml, json, ...)
Query composition (OData query support)
Model binding and validation (conversion to .NET objects)
Routes
Filters (e.g. Validation, exception handling, ...)
And more!
22. ASP.NET Web API is easy!
HTTP Verb = action
“Content-type” header = data format in
“Accept” header = data format out
Return meaningful status code
30. TechDays badges
“I received a ticket with a Barcode I can hand to
the Reception which gives me a Badge stating
Microsoft gives Me access to Kinepolis as a
Speaker on 5-7 March”
31. TechDays badges
+--------+                                     +---------------+
|        |--(A)- Register for TechDays ------->|   Resource    |
|        |                                     |     Owner     |
|        |<-(B)- Sure! Here’s an e-ticket -----|   Microsoft   |
|        |                                     +---------------+
|        |
|        |                                     +---------------+
|        |--(C)----- Was invited! ------------>| Authorization |
| Client |                                     |    Server     |
|   Me   |<-(D)---- Here’s a badge! -----------|   Reception   |
|        |       (5-7 March; speaker)          +---------------+
|        |
|        |                                     +---------------+
|        |--(E)------ Show badge ------------->|   Resource    |
|        |                                     |    Server     |
|        |<-(F)-- Enter speakers room ---------|   Kinepolis   |
+--------+                                     +---------------+
Next year, I will have to refresh my badge
32. TechDays badges
“I received a ticket with a Barcode I can hand to the Reception which gives me a
Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”
Me = Client
Delegation
Barcode = Access Code
Reception = Authorization Server
Microsoft = Resource Owner
Kinepolis = Resource Server
Badge = Access Token
Speaker = Scope
5-7 March = Token Lifetime
40. Access tokens / Refresh tokens
In theory: whatever format you want
Widely used: JWT (“JSON Web Token”)
Less widely used: SWT (“Simple Web Token”)
Signed / Encrypted
42. Is OAuth2 different from OpenID?
Yes.
OpenID = authN
OAuth2 = authN (optional) + authZ
http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing
http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx
43. What you have to implement
OAuth authorization server
Keep track of supported consumers
Keep track of user consent
OAuth token expiration & refresh
Oh, and your API
46. ACS - Identity in Windows Azure
Active Directory federation
Graph API
Web SSO
Link apps to identity providers using rules
Support WS-Security, WS-Federation, SAML
Little known feature: OAuth2 delegation
49. OAuth2 delegation?
You: OAuth authorization server
ACS: Keep track of supported consumers
ACS: Keep track of user consent
ACS: OAuth token expiration & refresh
You: Your API
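The "Your API" part is the resource server from the badge analogy: it must check that the badge was signed by Reception, is for this venue, and has not passed its 5-7 March lifetime before serving the request, and answer 401 otherwise. The following is an added example (not code from the slides, from ASP.NET, or from ACS): an ASP.NET Web API message handler that validates an ACS-issued SWT bearer token that way. The issuer, audience and signing key are placeholders for your own ACS namespace and relying party; the form-encoded SWT layout and the HMAC-SHA256 over everything before the HMACSHA256 claim follow the documented SWT format.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

public class SwtBearerTokenHandler : DelegatingHandler
{
    // Placeholders: take these from your own ACS namespace and relying party application.
    const string TrustedIssuer = "https://YOUR-NAMESPACE.accesscontrol.windows.net/";
    const string Audience = "http://localhost/api/";                   // relying party realm
    const string Base64SigningKey = "REPLACE-WITH-ACS-SYMMETRIC-KEY";  // base64, from the ACS portal
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        if (auth != null && auth.Scheme == "Bearer" && IsValidSwt(auth.Parameter))
            return base.SendAsync(request, ct);               // badge accepted: on to the controller
        // No badge, wrong venue, expired, or not signed by Reception: 401 Unauthorized.
        return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));
    }
    // SWT is form-encoded: Issuer=...&Audience=...&ExpiresOn=<unix seconds>&...&HMACSHA256=<base64>
    static bool IsValidSwt(string token)
    {
        int sigIndex = token == null ? -1 : token.LastIndexOf("&HMACSHA256=", StringComparison.Ordinal);
        if (sigIndex < 0) return false;
        var claims = HttpUtility.ParseQueryString(token);      // URL-decodes each value
        try
        {
            // ACS signs everything before the HMACSHA256 claim with the namespace's symmetric key.
            byte[] expected;
            using (var hmac = new HMACSHA256(Convert.FromBase64String(Base64SigningKey)))
                expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(token.Substring(0, sigIndex)));
            if (!FixedTimeEquals(expected, Convert.FromBase64String(claims["HMACSHA256"]))) return false;
        }
        catch (FormatException) { return false; }              // malformed base64 in key or signature
        long expiresOn;
        if (!long.TryParse(claims["ExpiresOn"], out expiresOn)) return false;
        var expiry = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(expiresOn);
        return claims["Issuer"] == TrustedIssuer && claims["Audience"] == Audience && expiry > DateTime.UtcNow;
    }
    static bool FixedTimeEquals(byte[] a, byte[] b)          // no early exit on the first mismatching byte
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register it once in WebApiConfig with `config.MessageHandlers.Add(new SwtBearerTokenHandler());` so every controller sits behind the check; an expired token is rejected here and the client has to go back to ACS for a fresh one, which is the "refresh my badge next year" step.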