oauth and rest
DESCRIPTION
Websites usually communicate via web services — REST API is one such technology that can be used to create a web service. OAuth is an open standard for authorization that provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair). This session would cover introduction to OAuth and securing rest service using OAuth.TRANSCRIPT
Presenter: Jnana Ranjan SwainDate: 27-6-2014
OAuth And REST Services
Presenter:Jnana Ranjan Swain, Mindfire Solutions
About Me
MCTS-70-515 - Microsoft .NET 4.0, Web App Development
ASP.NET, WCF, SQLServer, Jquery, jQueryUI, WindowsAzure, EntityFramework, MVC
Facebook: http://www.facebook.com/jnanaswainLinkedIn: http://www.linkedin.com/in/jnanaswainTwitter: https://twitter.com/jnanaswain
Email: [email protected]: mfsi_jnanas
Skills
Connect Me
Contact Me
Certification
Agenda
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Introduction To OAuth
OAuth Security Framework
OAuth .Net API
Building Rest Service using Asp.net WebAPI
Securing Rest API
Live Demo
OAuth
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Introduction to OAuth
Presenter:Jnana Ranjan Swain, Mindfire Solutions
The OAuth protocol enables a third-party application to obtain limited access to a HTTP services, on behalf of a resource owner,without giving credentials.
OAuth 2.0 is the recent version,which is in development phase.
Facebook, Twitter, Google, Microsoft and many more companies are using OAuth.
Presenter:Jnana Ranjan Swain, Mindfire Solutions
OAuth Framework
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Resource Owner - Granting access to a protected resource.
Resource Server - The server hosting the protected resources, capable of accepting
and responding to protected resource requests using access tokens.
Client - An application making protected resource requests on behalf of the resource owner and with its authorization. Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
OAuth Roles
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Access Token Access tokens are credentials used to access protected
resources. An access token is a string representing an authorization issued to the client
The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource.
It can have different formats, structures, and methods ofutilization (e.g., cryptographic properties) based on the resource
server security requirements.
GET /plus/v1/people/me HTTP/1.1Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3ZgHost: googleapis.com
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Access Token Types
Bearer Token
A Bearer Token is set in the Authorization header of every inline action HTTP Request.
Example :- Authorization:Bearer 4qF-UL0BGzu6n0YBJ
Mac Token
Message authentication code (MAC) algorithm to provide cryptographic verification of portions of HTTP requests
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Refresh Token
Refresh tokens are credentials used to obtain access tokens.
Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires,
If the authorization server issues a refresh token, it is included when issuing an access token.
Example :{ "access_token":"1/fFAGRNJru1FTz70BzhT3Zg", "expires_in":3920, "token_type":"Bearer", "refresh_token":"1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"}
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Oauth .Net API
- Microsoft.Owin.Security
- API for creating Autherization server new OAuthAuthorizationServerOptions { TokenEndpointPath = new PathString("/Token"), Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory), AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"), AccessTokenExpireTimeSpan = TimeSpan.FromDays(14), AllowInsecureHttp = true };
Presenter:Jnana Ranjan Swain, Mindfire Solutions
It controls the lifecycle of Authorization Server
Used by Authorization Server to communicate with the web application while processing requests.
It enables OAuth bearer token authentication middleware which will receive and validate bearer token from authorization header in the request.
OnValidateClientRedirectUri OnValidateClientAuthentication ValidateClientAuthentication GrantResourceOwnerCredentials OnGrantClientCredentials
OAuthAuthorizationServerProvider
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Introduction to REST
Web services communicate via either SOAP or REST.
Representational state transfer is a way to create, read, update or delete information on a server using simple HTTP calls. It is an alternative to more complex mechanisms like SOAP.
Easily created using MVC 5 WebAPI and WCF
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Building Rest Service using Asp.net WebAPI
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Securing REST API
SSL
Cross-origin resource sharing (CORS)
OAUTH
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Live Demo
Presenter:Jnana Ranjan Swain, Mindfire Solutions
References
http://oauth.net/http://tools.ietf.org/http://www.asp.nethttps://developers.google.comhttp://blog.rfaisal.com/
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Question and Answer
Presenter:Jnana Ranjan Swain, Mindfire Solutions
Thank you
Presenter:Jnana Ranjan Swain, Mindfire Solutions
http://www.linkedin.com/company/mindfire-solutions
http://twitter.com/mindfires
Presenter: Jnana Ranjan Swain, Mindfire Solutions
http://www.mindfiresolutions.com
https://www.facebook.com/MindfireSolutions