OAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access Control

Maarten Balliauw@maartenballiauw

Who am I?

Maarten BalliauwTechnical Evangelist, JetBrainsMyGet.orgAZUGFocus on web ASP.NET MVC, Windows Azure, SignalR, ... MVP Windows Azure & ASPInsider

Buy me a beer! http://amzn.to/pronuget

http://blog.maartenballiauw.be @maartenballiauw Shameless self promotion: Pro NuGet -

http://amzn.to/pronuget

Agenda

Why would I need an API?API characteristicsASP.NET MVC Web APIWindows Azure ACS

Why would I need an API?

Consuming the web

2000-2008: Desktop browser2008-2012: Mobile browser2008-2012: iPhone and Android apps2010-2014: Tablets, tablets, tablets2014-2016: Your fridge (Internet of Things)

Twitter & FacebookBy show of hands

Make everyone API(as the French say)

Expose services to 3rd partiesValuableFlexibleManagedSupportedHave a plan

Reach More Clients

You’re not the only one

Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/

API Characteristics

What is an API?

Software-to-Software interfaceContract between software and developers Functionalities, constraints (technical / legal) Programming instructions

and standards

Open services to other software developers (public or private)

Flavours

Transport HTTP Sockets

Message contract SOAP XML Binary JSON HTML …

Technical

Most API’s use HTTP and REST extensively Addressing HTTP Verbs Media types HTTP status codes Hypermedia (*)

The Web is an API

Demo

HTTP VerbsGET – return dataHEAD – check if the data existsPOST – create or update dataPUT – put dataMERGE – merge values with existing dataDELETE – delete data

Status codes

200 OK – Everything is OK, your expected data is in the response.401 Unauthorized – You either have to log in or you are not allowed to access the resource.404 Not Found – The resource could not be found.500 Internal Server Error – The server failed processing your request.…

Be detailed!

Think RFC2324!

ASP.NET Web API

ASP.NET Web API

Part of ASP.NET MVC 4Framework to build HTTP Services (REST)Solid features Modern HTTP programming model Content negotiation (e.g. xml, json, ...) Query composition (OData query support) Model binding and validation (conversion to .NET objects) Routes Filters (e.g. Validation, exception handling, ...) And more!

ASP.NET Web API is easy!

HTTP Verb = action“Content-type” header = data format in“Accept” header = data format outReturn meaningful status code

Creating an APIusing ASP.NET Web API

Demo

Securing your API

No authenticationBasic/Windows authentication[Authorize] attribute

Securing your API

Demo

The world of API clients is complex

CLIENTS

HTML5+JSSPANative appsServer-to-server

AUTHN + AUTHZ

Username/password?Basic auth?NTLM / Kerberos?Client certificate?Shared secret?

A lot of public API’s…

“your API consumer isn’t really your user,but an application acting on behalf of a user”

(or: API consumer != user)

OAuth2

TechDays badges

“I received a ticket with a Barcode I can hand to the Reception which gives me a

Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”

TechDays badges

+--------+ +---------------+ | |--(A)– Register for TechDays-->| Resource | | | | Owner | | |<-(B)-Sure! Here’s an e-ticket-| Microsoft | | | +---------------+ | | . | | +---------------+ | Client |--(C)----- Was invited! ------>| Authorization | | Me | | Server | | |<-(D)---- Here’s a badge! -----| Reception | | | (5-7 March;speaker) +---------------+ | | . | | +---------------+ | |--(E)------ Show badge ------->| Resource | | | | Server | | |<-(F)-- Enter speakers room ---| Kinepolis | +--------+ +---------------+

Next year, I will have to refresh my badge

TechDays badges

“I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a

Speaker on 5-7 March”

Me = ClientBarcode = Access CodeReception = Authorization ServerMicrosoft = Resource OwnerKinepolis = Resource ServerBadge = Access TokenSpeaker = Scope5-7 March = Token Lifetime

Del

egat

ion

OAuth2

+--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | . | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | . | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+

Figure 1: Abstract Protocol Flow http://tools.ietf.org/html/draft-ietf-oauth-v2-31

On the Web

Demo

Quick side note…

There are 3 major authentication flowsBased on type of clientVariants possible

OAuth2 – Initial flow

OAuth2 – “Refresh” (one of those variants)

Access tokens / Refresh tokens

In theory: whatever format you wantWidely used: JWT (“JSON Web Token”)Less widely used: SWT (“Simple Web Token”)Signed / Encrypted

JWT

Header:{"alg":"none"}

Token:{"iss":"joe", "exp":1300819380, "http://some.ns/read":true}

Is OAuth2 different from OpenID?Yes.OpenID = authNOAuth2 = authN (optional) + authZ

http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thinghttp://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx

What you have to implement

OAuth authorization serverKeep track of supported consumersKeep track of user consentOAuth token expiration & refreshOh, and your API

Windows AzureAccess Control Service

ACS - Identity in Windows Azure

Active Directory federationGraph APIWeb SSOLink apps to identity providers using rulesSupport WS-Security, WS-Federation, SAMLLittle known feature: OAuth2 delegation

OAuth flow using ACS

ASP.NET Web API, OAuth2Windows Azure ACS

Demo

OAuth2 delegation?

You: OAuth authorization serverACS: Keep track of supported consumersACS: Keep track of user consentACS: OAuth token expiration & refreshYou: Your API

Conclusion

Key takeaways

API’s are the new appsValuableHTTPASP.NET Web APIOAuth2Windows Azure Access Control Service

Thank you!

http://blog.maartenballiauw.be

@maartenballiauw

http://amzn.to/pronuget