SlideShare une entreprise Scribd logo
1  sur  19
Télécharger pour lire hors ligne
SPA OAUTH DEMO
AngularJS + WebApi
Source Code: https://github.com/szahn/AngularWebApiOAuthDemo
 SPA: Single Page Application
 OAuth: OAuth is an open standard for
authorization. OAuth provides client applications a
'secure delegated access' to server resources on
behalf of a resource owner. It specifies a process
for resource owners to authorize third-party access
to their server resources without sharing their
credentials.
OAUTH FLOWS
There is one OAuth spec describing several flows
This demo covers a password grant flow which assumes a
trust relationship between the client, auth server, and api
(resource server), meaning both the client and server are
within the same domain (not your typical oauth scenario)
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAUTH 2.0 (IMPLICIT FLOW)
“The implicit grant is a simplified authorization code
flow optimized for clients implemented in a browser
using a scripting language such as JavaScript. In
the implicit flow, instead of issuing the client an
authorization code, the client is issued an access
token directly”
RESOURCE OWNER PASSWORD
CREDENTIALS FLOW
“The resource owner password credentials (i.e., username
and password) can be used directly as an authorization
grant to obtain an access token. The credentials should
only be used when there is a high degree of trust
between the resource owner and the client (e.g., the
client is part of the device operating system or a highly
privileged application), and when other authorization
grant types are not available (such as an authorization
code). Even though this grant type requires direct client
access to the resource owner credentials, the resource
owner credentials are used for a single request and are
exchanged for an access token. This grant type can
eliminate the need for the client to store the resource
owner credentials for future use, by exchanging the
credentials with a long-lived access token or refresh
token.”
ACCESS TOKENS
“Access tokens are credentials used to access
protected resources. An access token is a string
representing an authorization issued to the client.
The string is usually opaque to the client. Tokens
represent specific scopes and durations of access,
granted by the resource owner, and enforced by the
resource server and authorization server.”
REFRESH TOKENS
“Refresh tokens are credentials used to obtain access
tokens. Refresh tokens are issued to the client by
the authorization server and are used to obtain a
new access token when the current access token
becomes invalid or expires, or to obtain additional
access tokens with identical or narrower scope
(access tokens may have a shorter lifetime and
fewer permissions than authorized by the resource
owner).”
OWIN
 OWIN (Open Web Server Interface for .NET) defines a
standard interface between .NET web servers and web
applications. The goal of the OWIN interface is to decouple
server and application, encourage the development of simple
modules for .NET web development, and, by being an open
standard, stimulate the open source ecosystem of .NET web
development tools.
 Katana is the Microsoft implementation of the OWIN specs,
and provides all the layers, sometimes in more than one
flavor, specified by OWIN. In addition to implementing hosts
and servers, Katana provides a series of APIs to facilitate the
development of OWIN applications, including some functional
components like authentication, diagnostics, static files
serving, and bindings for ASP.NET Web API and SignalR. To
avoid confusion, remember that Katana is not a full-fledged
web server, but just the “glue” between the OWIN world and
IIS.
OWIN
 Meant to be OS independent and can self-host.
With OWIN, your code is not related to the OS
(specifically to System.Web, the “huge” monolithic
library that lies behind the execution of ASP.NET).
This means that you can use whatever you want
instead of IIS (i.e. Katana or Nowin) and update it
when necessary, instead of updating the OS.
Moreover, if you need it, you can build your custom
host and insert whatever you want in the HTTP
request processing pipeline (i.e. your custom
authentication logic).
 OAuth is an OWIN middleware component
SETTING UP ASP.NET WEB API WITH OWIN
 Create a new ASP.NET Web Application, choose
the Empty template, and tick the Web API option under “Add
folders and core references for”: this will install all the Nuget
packages needed for a Web API project, and will setup the
folder structure;
 Install the Owin packages and the Owin-Web API “bridge”: by
installing the Microsoft.AspNet.WebApi.Owin you’ll get
everything you need;
 Install Microsoft.Owin.Host.SystemWeb to run the within
IIS.
 Configure the Owin Startup class to fire up Web API: just add
a OWIN Startup class from Visual Studio contextual menu
and add to the Configuration method the right configuration for
Web API.
SETTING UP OAUTH AUTHORIZATION SERVER
 Register OWIN OAuth middleware
app.UseOAuthAuthorizationServer
app.UseOAuthBearerAuthentication
 Define options for token format, expiration
 Setup endpoint to receive authorization grant
INSTALLING ANGULAR
 bower install angular (preferably Angular 1.4+)
AUTHENTICATION FLOW
 Both the API (resource server) and authorization
server are owned by the same company and are
trusted.
 Authentication over HTTPS to public client
 Upon login, user/password and client id is sent to
auth server and access token is returned. Access
token in HTML5 local storage.
 Client id is used to validate the user.
 Requests are made to the API with the access
token in the header.
 When an access token expires, a new one is
generated.
OAUTH ACCESS TOKENS
 Encrypt Bearer Tokens
 Bearer Tokens must be short lived (several hours to
days)
 Don't pass in urls, put in header
 Refresh tokens periodically
 Validate SSL Certs
THIRD PARTY OAUTH SOLUTIONS
Client
 ngOAuth: https://github.com/andreareginato/oauth-
ng/
 Satellizer: https://github.com/sahat/satellizer
Server
 IdentityServer3:
https://github.com/IdentityServer/IdentityServer3
 Auth0: https://auth0.com
TIPS AND TRICKS
 Prevent hot linking of sensitive images by returning
a Base64 string and placing it has a background-
image on a div. Authorize the request using
[AuthorizeAttribute].
 If writing your own auth server
 validate requests for access tokens and refresh tokens
on a database
 Include the option to disable client ids or users if
compromised.
 Use strong encryptions such as rijndael. Asynmetric
keys are also possible but difficult to do it, just like
writing your own auth server.
PLURALSIGHT COURSES
 Creating Apps With Angular, Node, and Token Authentication:
http://www.pluralsight.com/courses/creating-apps-angular-node-token-
authentication
 AngularJS Security Fundamentals:
http://www.pluralsight.com/courses/angularjs-security-fundamentals
 Implementing an API in ASP.NET Web API:
http://www.pluralsight.com/courses/implementing-restful-aspdotnet-web-api
 Introduction to OAuth2, OpenID Connect and JSON Web Tokens (JWT):
http://www.pluralsight.com/courses/oauth2-json-web-tokens-openid-connect-
introduction
ADDITIONAL READING
 OAuth 2.0 specs: https://tools.ietf.org/html/rfc6749
 Oauth Security: http://www.oauthsecurity.com
 Oauth Bible: http://authbible.com
 Persisting Refresh Token: http://timney.net/persisting-your-refresh-tokens
 OAuth Resource Password Flow Refresh Token with Web
Api: http://timney.net/oauth-resource-password-flow-refresh-token-with-web-
api
 OAuth Resource Password Flow with Web Api: http://timney.net/oauth-
resource-password-flow-with-web-api
 OAuth 2.0 Threat Model: http://tools.ietf.org/html/rfc6819
 Beginner’s Guide to OAuth: http://oauth.net/documentation/getting-started
 Intro to OAuth2: https://www.digitalocean.com/community/tutorials/an-
introduction-to-oauth-2

Contenu connexe

Tendances

Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorMifrazMurthaja
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinarmarcuschristie
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meetvinoth kumar
 

Tendances (20)

Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meet
 

En vedette

Power BI Single Page Applications Boise Code Camp 2017
Power BI Single Page Applications Boise Code Camp 2017Power BI Single Page Applications Boise Code Camp 2017
Power BI Single Page Applications Boise Code Camp 2017Stuart
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...Maarten Balliauw
 
Introducing Excel as a Powerfull Tool
Introducing Excel as a Powerfull ToolIntroducing Excel as a Powerfull Tool
Introducing Excel as a Powerfull ToolChristine Shahin
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw
 
Dashboards for Everyone with Microsoft Power BI & Excel
Dashboards for Everyone with Microsoft Power BI &  ExcelDashboards for Everyone with Microsoft Power BI &  Excel
Dashboards for Everyone with Microsoft Power BI & ExcelSparkhound Inc.
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)Jef Claes
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw
 
Dashboard for Life Series “Episode 1 - Vishal's Server SQL Info Dashboard
Dashboard for Life Series “Episode 1 - Vishal's Server SQL Info DashboardDashboard for Life Series “Episode 1 - Vishal's Server SQL Info Dashboard
Dashboard for Life Series “Episode 1 - Vishal's Server SQL Info DashboardVishal Pawar
 
Learn How to Use Microsoft Power BI for Office 365 to Analyze Salesforce Data
Learn How to Use Microsoft Power BI for Office 365 to Analyze Salesforce DataLearn How to Use Microsoft Power BI for Office 365 to Analyze Salesforce Data
Learn How to Use Microsoft Power BI for Office 365 to Analyze Salesforce DataNetwoven Inc.
 
Formulating Power BI Enterprise Strategy
Formulating Power BI Enterprise StrategyFormulating Power BI Enterprise Strategy
Formulating Power BI Enterprise StrategyTeo Lachev
 
Power BI Create lightning fast dashboard with power bi & Its Components
Power BI Create lightning fast dashboard with power bi & Its Components Power BI Create lightning fast dashboard with power bi & Its Components
Power BI Create lightning fast dashboard with power bi & Its Components Vishal Pawar
 
29 Essential AngularJS Interview Questions
29 Essential AngularJS Interview Questions29 Essential AngularJS Interview Questions
29 Essential AngularJS Interview QuestionsArc & Codementor
 
Self service BI overview + Power BI
Self service BI overview + Power BISelf service BI overview + Power BI
Self service BI overview + Power BIArthur Graus
 

En vedette (20)

Javaoop
JavaoopJavaoop
Javaoop
 
Power BI Single Page Applications Boise Code Camp 2017
Power BI Single Page Applications Boise Code Camp 2017Power BI Single Page Applications Boise Code Camp 2017
Power BI Single Page Applications Boise Code Camp 2017
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 
Introduction to AngularJS
Introduction to AngularJSIntroduction to AngularJS
Introduction to AngularJS
 
What's new in Angular 2?
What's new in Angular 2?What's new in Angular 2?
What's new in Angular 2?
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
 
Introduction to HTML4
Introduction to HTML4Introduction to HTML4
Introduction to HTML4
 
Introducing Excel as a Powerfull Tool
Introducing Excel as a Powerfull ToolIntroducing Excel as a Powerfull Tool
Introducing Excel as a Powerfull Tool
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
 
Deep dive into new ASP.NET MVC 4 Features
Deep dive into new ASP.NET MVC 4 Features Deep dive into new ASP.NET MVC 4 Features
Deep dive into new ASP.NET MVC 4 Features
 
Dashboards for Everyone with Microsoft Power BI & Excel
Dashboards for Everyone with Microsoft Power BI &  ExcelDashboards for Everyone with Microsoft Power BI &  Excel
Dashboards for Everyone with Microsoft Power BI & Excel
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-serviceusing ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
 
Dashboard for Life Series “Episode 1 - Vishal's Server SQL Info Dashboard
Dashboard for Life Series “Episode 1 - Vishal's Server SQL Info DashboardDashboard for Life Series “Episode 1 - Vishal's Server SQL Info Dashboard
Dashboard for Life Series “Episode 1 - Vishal's Server SQL Info Dashboard
 
Learn How to Use Microsoft Power BI for Office 365 to Analyze Salesforce Data
Learn How to Use Microsoft Power BI for Office 365 to Analyze Salesforce DataLearn How to Use Microsoft Power BI for Office 365 to Analyze Salesforce Data
Learn How to Use Microsoft Power BI for Office 365 to Analyze Salesforce Data
 
Formulating Power BI Enterprise Strategy
Formulating Power BI Enterprise StrategyFormulating Power BI Enterprise Strategy
Formulating Power BI Enterprise Strategy
 
Power BI Create lightning fast dashboard with power bi & Its Components
Power BI Create lightning fast dashboard with power bi & Its Components Power BI Create lightning fast dashboard with power bi & Its Components
Power BI Create lightning fast dashboard with power bi & Its Components
 
29 Essential AngularJS Interview Questions
29 Essential AngularJS Interview Questions29 Essential AngularJS Interview Questions
29 Essential AngularJS Interview Questions
 
Power BI for CEO
Power BI for CEOPower BI for CEO
Power BI for CEO
 
Self service BI overview + Power BI
Self service BI overview + Power BISelf service BI overview + Power BI
Self service BI overview + Power BI
 

Similaire à OAuth with AngularJS and WebAPI - SoCal Code Camp 2015

.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 IntroductionArpit Suthar
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricSpiffy
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Ubisecure
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsEricsson Labs
 
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0Krishna-Kumar
 
DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2Pratik Khasnabis
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Authentication across the Atlassian Ecosystem - AtlasCamp 2011
Authentication across the Atlassian Ecosystem - AtlasCamp 2011Authentication across the Atlassian Ecosystem - AtlasCamp 2011
Authentication across the Atlassian Ecosystem - AtlasCamp 2011Atlassian
 
Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Amazon Web Services
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsCA API Management
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 

Similaire à OAuth with AngularJS and WebAPI - SoCal Code Camp 2015 (20)

.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Restful api
Restful apiRestful api
Restful api
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
O auth 2
O auth 2O auth 2
O auth 2
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson Labs
 
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
 
DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
 
Api security
Api security Api security
Api security
 
Authentication across the Atlassian Ecosystem - AtlasCamp 2011
Authentication across the Atlassian Ecosystem - AtlasCamp 2011Authentication across the Atlassian Ecosystem - AtlasCamp 2011
Authentication across the Atlassian Ecosystem - AtlasCamp 2011
 
Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 

Dernier

Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 

Dernier (20)

Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 

OAuth with AngularJS and WebAPI - SoCal Code Camp 2015

  • 1. SPA OAUTH DEMO AngularJS + WebApi Source Code: https://github.com/szahn/AngularWebApiOAuthDemo
  • 2.  SPA: Single Page Application  OAuth: OAuth is an open standard for authorization. OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.
  • 3. OAUTH FLOWS There is one OAuth spec describing several flows This demo covers a password grant flow which assumes a trust relationship between the client, auth server, and api (resource server), meaning both the client and server are within the same domain (not your typical oauth scenario)
  • 5. OAUTH 2.0 (IMPLICIT FLOW) “The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of issuing the client an authorization code, the client is issued an access token directly”
  • 6. RESOURCE OWNER PASSWORD CREDENTIALS FLOW “The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code). Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.”
  • 7. ACCESS TOKENS “Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.”
  • 8. REFRESH TOKENS “Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).”
  • 9. OWIN  OWIN (Open Web Server Interface for .NET) defines a standard interface between .NET web servers and web applications. The goal of the OWIN interface is to decouple server and application, encourage the development of simple modules for .NET web development, and, by being an open standard, stimulate the open source ecosystem of .NET web development tools.  Katana is the Microsoft implementation of the OWIN specs, and provides all the layers, sometimes in more than one flavor, specified by OWIN. In addition to implementing hosts and servers, Katana provides a series of APIs to facilitate the development of OWIN applications, including some functional components like authentication, diagnostics, static files serving, and bindings for ASP.NET Web API and SignalR. To avoid confusion, remember that Katana is not a full-fledged web server, but just the “glue” between the OWIN world and IIS.
  • 10. OWIN  Meant to be OS independent and can self-host. With OWIN, your code is not related to the OS (specifically to System.Web, the “huge” monolithic library that lies behind the execution of ASP.NET). This means that you can use whatever you want instead of IIS (i.e. Katana or Nowin) and update it when necessary, instead of updating the OS. Moreover, if you need it, you can build your custom host and insert whatever you want in the HTTP request processing pipeline (i.e. your custom authentication logic).  OAuth is an OWIN middleware component
  • 11. SETTING UP ASP.NET WEB API WITH OWIN  Create a new ASP.NET Web Application, choose the Empty template, and tick the Web API option under “Add folders and core references for”: this will install all the Nuget packages needed for a Web API project, and will setup the folder structure;  Install the Owin packages and the Owin-Web API “bridge”: by installing the Microsoft.AspNet.WebApi.Owin you’ll get everything you need;  Install Microsoft.Owin.Host.SystemWeb to run the within IIS.  Configure the Owin Startup class to fire up Web API: just add a OWIN Startup class from Visual Studio contextual menu and add to the Configuration method the right configuration for Web API.
  • 12. SETTING UP OAUTH AUTHORIZATION SERVER  Register OWIN OAuth middleware app.UseOAuthAuthorizationServer app.UseOAuthBearerAuthentication  Define options for token format, expiration  Setup endpoint to receive authorization grant
  • 13. INSTALLING ANGULAR  bower install angular (preferably Angular 1.4+)
  • 14. AUTHENTICATION FLOW  Both the API (resource server) and authorization server are owned by the same company and are trusted.  Authentication over HTTPS to public client  Upon login, user/password and client id is sent to auth server and access token is returned. Access token in HTML5 local storage.  Client id is used to validate the user.  Requests are made to the API with the access token in the header.  When an access token expires, a new one is generated.
  • 15. OAUTH ACCESS TOKENS  Encrypt Bearer Tokens  Bearer Tokens must be short lived (several hours to days)  Don't pass in urls, put in header  Refresh tokens periodically  Validate SSL Certs
  • 16. THIRD PARTY OAUTH SOLUTIONS Client  ngOAuth: https://github.com/andreareginato/oauth- ng/  Satellizer: https://github.com/sahat/satellizer Server  IdentityServer3: https://github.com/IdentityServer/IdentityServer3  Auth0: https://auth0.com
  • 17. TIPS AND TRICKS  Prevent hot linking of sensitive images by returning a Base64 string and placing it has a background- image on a div. Authorize the request using [AuthorizeAttribute].  If writing your own auth server  validate requests for access tokens and refresh tokens on a database  Include the option to disable client ids or users if compromised.  Use strong encryptions such as rijndael. Asynmetric keys are also possible but difficult to do it, just like writing your own auth server.
  • 18. PLURALSIGHT COURSES  Creating Apps With Angular, Node, and Token Authentication: http://www.pluralsight.com/courses/creating-apps-angular-node-token- authentication  AngularJS Security Fundamentals: http://www.pluralsight.com/courses/angularjs-security-fundamentals  Implementing an API in ASP.NET Web API: http://www.pluralsight.com/courses/implementing-restful-aspdotnet-web-api  Introduction to OAuth2, OpenID Connect and JSON Web Tokens (JWT): http://www.pluralsight.com/courses/oauth2-json-web-tokens-openid-connect- introduction
  • 19. ADDITIONAL READING  OAuth 2.0 specs: https://tools.ietf.org/html/rfc6749  Oauth Security: http://www.oauthsecurity.com  Oauth Bible: http://authbible.com  Persisting Refresh Token: http://timney.net/persisting-your-refresh-tokens  OAuth Resource Password Flow Refresh Token with Web Api: http://timney.net/oauth-resource-password-flow-refresh-token-with-web- api  OAuth Resource Password Flow with Web Api: http://timney.net/oauth- resource-password-flow-with-web-api  OAuth 2.0 Threat Model: http://tools.ietf.org/html/rfc6819  Beginner’s Guide to OAuth: http://oauth.net/documentation/getting-started  Intro to OAuth2: https://www.digitalocean.com/community/tutorials/an- introduction-to-oauth-2

Notes de l'éditeur

  1. https://en.wikipedia.org/wiki/OAuth
  2. https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
  3. https://tools.ietf.org/html/rfc6749#section-1.3.2
  4. https://tools.ietf.org/html/rfc6749#section-1.3.2
  5. https://tools.ietf.org/html/rfc6749#section-1.4
  6. https://tools.ietf.org/html/rfc6749#section-1.5
  7. See http://www.syncfusion.com/resources/techportal/ebooks/owin
  8. See http://www.syncfusion.com/resources/techportal/ebooks/owin
  9. http://codeclimber.net.nz/archive/2015/03/16/My-new-free-eBook-is-out-OWIN-Succinctly-by-Syncfusion.aspx