Websites usually communicate via web services; a REST API is one such technology that can be used to create a web service. OAuth is an open standard for authorization that provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically a username and password pair). This session covers an introduction to OAuth and securing a REST service using OAuth.
2. Presenter: Jnana Ranjan Swain, Mindfire Solutions
About Me
Certification: MCTS-70-515 - Microsoft .NET 4.0, Web App Development
Skills: ASP.NET, WCF, SQL Server, jQuery, jQueryUI, Windows Azure, Entity Framework, MVC
Connect Me: Facebook: http://www.facebook.com/jnanaswain | LinkedIn: http://www.linkedin.com/in/jnanaswain | Twitter: https://twitter.com/jnanaswain
Contact Me: Email: jnanas@mindfiresolutions.com | Skype: mfsi_jnanas
3. Agenda
Introduction To OAuth
OAuth Security Framework
OAuth .Net API
Building a REST Service using ASP.NET Web API
Securing the REST API
Live Demo
5. Introduction to OAuth
The OAuth protocol enables a third-party application to obtain limited access to an HTTP service, on behalf of a resource owner, without the resource owner giving the application its credentials.
OAuth 2.0 is the most recent version, which is still in its development phase.
Facebook, Twitter, Google, Microsoft and many more companies are using OAuth.
8. OAuth Roles
Resource Owner
- Grants access to a protected resource.
Resource Server
- The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client
- An application making protected resource requests on behalf of the resource owner and with its authorization.
Authorization Server
- The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
9. Access Token
Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client.
The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource.
It can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server's security requirements.
GET /plus/v1/people/me HTTP/1.1
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Host: googleapis.com
10. Access Token Types
Bearer Token
A bearer token is sent in the Authorization header of every HTTP request made on behalf of the user; whoever holds the token can use it, so it must only travel over TLS.
Example: Authorization: Bearer 4qF-UL0BGzu6n0YBJ
MAC Token
A MAC token uses a message authentication code (MAC) algorithm to provide cryptographic verification of portions of HTTP requests.
11. Refresh Token
Refresh tokens are credentials used to obtain access tokens.
Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.
If the authorization server issues a refresh token, it is included in the response when issuing an access token.
Example:
{
  "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
  "expires_in": 3920,
  "token_type": "Bearer",
  "refresh_token": "1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
}
12. OAuth .NET API
- Microsoft.Owin.Security
- API for creating an Authorization Server:
var oauthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
    AllowInsecureHttp = true   // development only: lets the token endpoint answer over plain HTTP
};
13. OAuthAuthorizationServerProvider
It controls the lifecycle of the Authorization Server.
Used by the Authorization Server to communicate with the web application while processing requests.
It enables the OAuth bearer token authentication middleware, which receives and validates the bearer token from the Authorization header of the request.
• OnValidateClientRedirectUri
• OnValidateClientAuthentication
• ValidateClientAuthentication
• GrantResourceOwnerCredentials
• OnGrantClientCredentials
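As an added example (not code from the presentation), here is the provider and middleware wiring behind slides 12 and 13: a GrantResourceOwnerCredentials override turns a validated user into the claims the bearer token carries, and the bearer middleware validates that token on the resource-server side. DemoOAuthProvider, the client id "demo-client", the user "alice" and the "profile" scope are constructed for the demo, and the options assume the site is served over HTTPS.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;
// Hypothetical provider (constructed for this example): authenticates the client and the resource owner.
public class DemoOAuthProvider : OAuthAuthorizationServerProvider
{
    static readonly string[] AllowedScopes = { "profile" };   // scopes this server can grant
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext ctx)
    {
        string id, secret;   // public client: only the client_id is checked in this demo
        if (!ctx.TryGetBasicCredentials(out id, out secret)) ctx.TryGetFormCredentials(out id, out secret);
        if (id == "demo-client") ctx.Validated(id); else ctx.SetError("invalid_client", "Unknown client.");
        return Task.FromResult(0);
    }
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext ctx)
    {
        // Demo credential check; a real server asks its user store (e.g. ASP.NET Identity).
        if (ctx.UserName != "alice" || ctx.Password != "correct-horse")
        {
            ctx.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(ctx.Options.AuthenticationType);   // "Bearer" by default
        identity.AddClaim(new Claim(ClaimTypes.Name, ctx.UserName));
        // Grant only scopes the server knows; each becomes a claim the resource server can enforce.
        foreach (var s in (ctx.Scope ?? new string[0]).Intersect(AllowedScopes))
            identity.AddClaim(new Claim("scope", s));
        ctx.Validated(identity);   // the middleware serialises this identity into the access token
        return Task.FromResult(0);
    }
}
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new DemoOAuthProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),   // short-lived access tokens
            AllowInsecureHttp = false                               // token endpoint over HTTPS only
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); // resource-server side: validates bearer tokens
    }
}
```

A Web API controller marked [Authorize] then receives this ClaimsIdentity as User.Identity and can require the "scope" claim (for example HasClaim("scope", "profile")) before serving the resource, which is the scope check slide 9 says the resource server MUST perform.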
14. Introduction to REST
Web services communicate via either SOAP or REST.
Representational state transfer (REST) is a way to create, read, update or delete information on a server using simple HTTP calls. It is an alternative to more complex mechanisms like SOAP.
REST services are easily created using ASP.NET MVC 5 Web API or WCF.
15. Building a REST Service using ASP.NET Web API