Securing Windows Store applications and REST services with Active Directory
Vittorio Bertocci - @vibronet
Principal Program Manager
3-518
Building a Modern Business App
(Diagram: an App accessing Resources)
Checklist
• Access resources outside of the corporate network.
• Handle authentication and session mechanics.
• Apply access policies on non-domain joined devices.
Tackle those, and you’ve got yourself a nice business app.
Access resources outside of the corporate network
REST, OAuth2
(Diagram: App, Resource, and the authorization server with its authorization endpoint and token endpoint)
Windows Azure Active Directory
(Diagram: Contoso’s On-Premises Directory is synchronised via DirSync to Contoso’s tenant in Windows Azure Active Directory, which exposes SAML-P, WS-Federation, Metadata, OAuth2, the Management Portal and the Graph API)
Clients and Resources in Windows Azure AD
Registration
• Today - via Graph Explorer
• Soon - via Windows Azure Portal
(Diagram: App and Resource entries registered in the directory)
Demo
ADFS in Windows Server 2012 R2
• New! OAuth2 code grant
  • Resources represented as classic Relying Party Trust entries
  • Clients registered via PowerShell (no permission table entry necessary)
• Support for JWT format
• New! Registered devices authentication (more details later in the session)
Demo
Checklist
• Access resources outside of the corporate network. Use OAuth2.
  • Register client app and resources in Active Directory
  • Get and use access tokens
• Handle authentication and session mechanics.
• Apply access policies on non-domain joined devices.
Tackle those, and you’ve got yourself a nice business app.
Handle authentication and session mechanics
Windows Azure Authentication Library (AAL)
Helps developers to add authentication capabilities to rich client apps:
• User authentication experience
• Obtaining tokens
• Token lifecycle management (caching, automatic token refresh, etc.)
• Assisted authority discovery
Works with both Windows Azure AD and Windows Server 2012 R2 ADFS
Ships out of band as a NuGet package
.NET and Windows Store in developer preview
• details here
• download from VS2012 or here
AAL is a Windows Runtime Component
(Diagram: at the system layer, the AAL for Windows Store .WINMD sits on the Windows Runtime (WinRT) above the OS; at the application layer it is consumed by both C# and JS/HTML5 Windows Store apps)
Essential AAL Usage (C#)

```csharp
using System.Net.Http;
using System.Net.Http.Headers;

// clientID is the client id assigned when the app was registered in the directory
// (see the Registration slide); the value below is a placeholder.
string clientID = "<client id from your AD registration>";

// Authenticate the user to get a token
AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/contoso.onmicrosoft.com");
AuthenticationResult result = await authContext.AcquireTokenAsync("http://host.com/shipmentservice", clientID);

// Use the token to invoke a REST service
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
//...
```
Demo
Notes on User Experience
• AAL wraps the WebAuthenticationBroker API in WinRT
• New in Windows 8.1: built-in account selection experience
• See Karanbir’s session later today (3-113)
Demo
AAL for Windows Store offers a persistent token cache

AAL Cache (the slide shows two entries with the same layout):

| Key | Value |
| --- | --- |
| Authority | AccessToken |
| ClientID | RefreshToken |
| Resource | Expiration |
| User | |
AAL Cache lookup flow (the slide’s flowchart, with its YES/NO branches written out):
1. Look up the cache entry keyed by [authority], resource, clientid, user.
2. Matching cache entry?
   • NO: prompt the user via WebAuthenticationBroker.
     • success? YES: cache access token, refresh token, validity; return cache entry.
     • success? NO: return error info.
   • YES: valid access token?
     • YES: return cache entry.
     • NO: refresh token?
       • NO: prompt the user via WebAuthenticationBroker (as above).
       • YES: use the refresh token to refresh the access token.
         • success? YES: replace cache entry; return cache entry.
         • success? NO: prompt the user via WebAuthenticationBroker (as above).
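As an added illustration, not AAL’s own code, here is a Python model of that cache lookup flow: the `CacheEntry`/`TokenCache` names, the simulated WebAuthenticationBroker prompt and refresh-grant callbacks, and every token value are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import time

@dataclass
class CacheEntry:                       # one row of the AAL cache table on the slide
    access_token: str
    refresh_token: Optional[str]
    expires_at: float                   # epoch seconds

class AuthenticationError(Exception): pass   # the flowchart's "return error info" outcome

class TokenCache:                       # keyed by (authority, resource, clientid, user)
    def __init__(self, authority, prompt_user, redeem_refresh_token, now=time.time):
        self.authority, self._entries, self._now = authority, {}, now
        self._prompt_user = prompt_user             # stands in for WebAuthenticationBroker
        self._redeem = redeem_refresh_token         # stands in for the token endpoint's refresh grant

    def acquire_token(self, resource, client_id, user):
        key = (self.authority, resource, client_id, user)
        entry = self._entries.get(key)
        if entry is not None:
            if entry.expires_at > self._now():      # valid access token? YES -> return cache entry
                return entry
            if entry.refresh_token:                 # refresh token? YES -> use it silently
                refreshed = self._redeem(entry.refresh_token)
                if refreshed is not None:           # success? YES -> replace cache entry
                    self._entries[key] = refreshed
                    return refreshed
        fresh = self._prompt_user(resource, client_id, user)  # every other path prompts the user
        if fresh is None:
            raise AuthenticationError("interactive sign-in failed")
        self._entries[key] = fresh                  # cache access token, refresh token, validity
        return fresh

def demo_sequence():
    """Constructed run: prompt, cache hit, silent refresh, then a rejected refresh token."""
    clock, issued, prompts = [0.0], [0], [0]
    def mint():                                     # constructed tokens with a 1 hour validity
        issued[0] += 1
        return CacheEntry(f"at-{issued[0]}", f"rt-{issued[0]}", clock[0] + 3600)
    def prompt_user(resource, client_id, user):
        prompts[0] += 1
        return mint()
    def redeem(refresh_token):                      # the simulated directory only honours rt-1
        return mint() if refresh_token == "rt-1" else None
    cache = TokenCache("https://login.windows.net/contoso.onmicrosoft.com", prompt_user, redeem, now=lambda: clock[0])
    args = ("http://host.com/shipmentservice", "CLIENT-ID-PLACEHOLDER", "user@contoso.onmicrosoft.com")
    seen = []
    for advance in (0, 0, 7200, 7200):              # seconds to advance the clock before each call
        clock[0] += advance
        seen.append((cache.acquire_token(*args).access_token, prompts[0]))
    return seen  # [('at-1', 1), ('at-1', 1), ('at-2', 1), ('at-3', 2)]
```

The third call is served without a prompt because the expired entry still carries a usable refresh token; the fourth call falls back to the interactive prompt once the refresh token is rejected.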
Checklist
• Access resources outside of the corporate network. Use OAuth2.
  • Register client app and resources in Active Directory
  • Get and use access tokens
• Handle authentication and session mechanics. Use the Windows Azure Authentication Library.
• Apply access policies on non-domain joined devices.
Tackle those, and you’ve got yourself a nice business app.
Apply access policies on non-domain joined devices
Workplace-join in Windows 8.1
Especially useful for
• user-owned devices
• devices incapable of joining a domain
Allows administrator to apply access control policies in a wide range of scenarios
Workplace-join ability available directly in Windows 8.1
Workplace Join Mechanics
• IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
• Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
• Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
• As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
• Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and the cloud.
Using Device Authentication Info to Drive Access
Some constraints about how authentication should take place to apply device-aware access policies:
On the client
• Ensure your app manifest has the right capabilities
• WebAuthenticationBroker should be invoked in SSO mode
  • In AAL: you should use the AcquireTokenAsync(resource, clientid) overload
In ADFS
• Server-wide: enable device authentication
• Per-RP: add device-related issuance authorization rules
Demo
Checklist
• Access resources outside of the corporate network. Use OAuth2.
  • Register client app and resources in Active Directory
  • Get and use access tokens
• Handle authentication and session mechanics. Use the Windows Azure Authentication Library.
• Apply access policies on non-domain joined devices. Use Windows 8.1 Workplace-join and ADFS rules.
Tackle those, and you’ve got yourself a nice business app.
In summary
All you need to build a great modern business app
(Diagram: App, Resource, and the Windows Azure Authentication Library)
Resources
• Windows Azure AD home
• Windows Server AD home
• Windows Azure and Windows Server AD Team Blog
• Windows Azure AD Walkthroughs
Find me:
• On twitter - @vibronet
• On the web – www.cloudidentity.com
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Evaluate this session
Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!