Filip Ekberg

Building APIs with MVC 6 and OAuth

@fekberg

I’m Filip EkbergAuthor. Blogger. Speaker. MS MVP. Xamarin MVP. Geek.

Senior Software Engineer @

Agenda

ASP.NET 5 OAuth Consuming APIs

Using ASP.NET 5

• Everything!• Cross-platform• Open Source• Modular design (split into NuGet packages)• And much more..

What’s new in ASP.NET 5

• Ctrl + H (Find and Replace) Upgrades• Until RTM

- anything can be renamed- anything can be removed

• Side-by-side versions makes it easy (dnvm upgrade)

Using Bleeding Edge Tech

• Powershell, powershell and more powershell…

Continuous Delivery and Integration$out = (Get-Item -Path ".\" -Verbose).FullName

$(dnu restore --no-cache --lock --unlock --parallel)

get-childitem -recurse -filter 'project.json' -exclude '*artifacts*', '*Build*', '*Publish*' | Where-Object { !$_.Directory.FullName.Contains("artifacts")} | ForEach-Object { $res = $(cd $_.Directory;$?) -and $(dnu build | Out-Host;$?) -and $(dnu pack --configuration release --out $out\Build\Packages) if (!$res) { Write-Error "Build failed!" Exit 1 }}

$out = (Get-Item -Path ".\" -Verbose).FullName

get-childitem -recurse -filter 'project.json' -exclude '*artifacts*', '*Build*', '*Publish*' | Where-Object { $_.Directory.FullName.Contains("Tests")} | ForEach-Object { $(cd $_.Directory;$?) $testOutput = $(dnx . test | Write-Host)

if ($testOutput -contains "*[FAIL]*") { Write-Error "Tests failed!" Exit 1 }}

• Use your own APIs• Find pain-points before your customers• Invite other teams to build something

Dogfooding

• Allows you to introduce new tech early• Up-scale and prepare team for the future• Mitigating risk

Building on-top of legacy

Building an API

OAuth

Disclaimer

• Don’t rely on a third party for a critical system• Less headaches for your integrators• Could be added as an option

What about Twitter, Facebook, etc?

Roll your own OAuth implementation?

• Built by industry experts• Open Source• Allows you to use OAuth 2.0 and OpenId

Connect• Lots and lots of examples and help

available

IdentityServer

https://github.com/IdentityServer/IdentityServer3

Tokens

Tokens and Codes

Authorization CodeTrade code for an Access Token

Access TokenLets you access a given resource

Refresh TokenLets you keep your Access Token fresh

Storing Tokens

Treat your Tokens like passwords!

Remember, they give you access to a potential private resource

• JSON Web Token• Payload (Claims) include Scopes, User info,

etc• Signed

JWT

What happens when you don’t validate a token?

Build your software to assume tokens are invalid and expired

Inspecting the Token

Securing the API

Choosing an OAuth Flow

Authorization Code & Implicit Flow

Resource Owner Password Flow

Client Credential Flow

Leverage current infrastructure

What if we already have authentication?

Identify this in pre-authentication and skip OAuth login screen

Authenticate against current system

Authentication vs AuthorizationAuthentication is the process of ascertaining that somebody really is who they claims to be

Authorization refers to rules that determine who is allowed to do what. E.g. Filip may be authorized to create and delete databases, while Josh is only authorized to read.http://stackoverflow.com/a/6556548/39106

Authentication vs AuthorizationAuthenticationlogin + password (who you are)

Authorizationpermissions (what you are allowed to do)

http://stackoverflow.com/a/20638421/39106

• More than just “OK you access this resource” (OAuth)• Authorization (Permissions) +

Authentication (Login)• IdentityServer provides OAuth 2.0 + OpenId

Connect

OAuth + OpenId Connect

Securing the API

Consuming APIs

Testing your API

• Client Id• Secret• Scope(s)• Return URL• Grant type• Credentials / Authorization Code (Flow

dependent)

What I need to get a Token

Resource Owner Password Token Retrieval

{ "access_token": "eyJ0eXAiO.....", "expires_in": 3600, "token_type": "Bearer", "refresh_token": "cfba7b409dcbb662216bfc5bba80afbc"}

Using a Token

GET /api/products HTTP/1.1Host: localhost:1337Authorization: Bearer eyJ0eXAiOiJK...

Getting data from the API

Scopes

Adding support for Scopes

[HttpDelete][Authorize("write")][Route("/accounts/{accountId}/documents/{documentId}")]public async Task<JsonResult> DeleteAsync(string accountId,

long documentId)

LeveragingScopes

Wrap-up

ASP.NET 5

Open Source Go-Live! Cross-Platform

Building Secure APIs

Don’t roll your own security framework

Read the OAuth 2.0 Specification

OAuth

Know your flows

Authentication vs Authorization

Leverage Claims

Want to introduce new and shiny tech?Build on-top of existing infrastructure

Start with non-mission critical parts of the business

Download the code

http://bit.ly/ddd-oauth

Please support our sponsors

Fill out your feedbackTo go into the draw for prizes, please remember to complete your feedback at:

http://www.dddbrisbane.com/feedback

No feedback = No Prizes!

@fekberg

Thank you, I’m Filip Ekberg!Author. Blogger. Speaker. MS MVP. Xamarin MVP. Geek.

Senior Software Engineer @