Filip Ekberg
Building APIs with MVC 6 and OAuth
@fekberg
I’m Filip Ekberg
Author. Blogger. Speaker. MS MVP. Xamarin MVP. Geek.
Senior Software Engineer @
Agenda
• ASP.NET 5
• OAuth
• Consuming APIs
Using ASP.NET 5
• Everything!
• Cross-platform
• Open Source
• Modular design (split into NuGet packages)
• And much more..
What’s new in ASP.NET 5
• Ctrl + H (Find and Replace) upgrades
• Until RTM:
  - anything can be renamed
  - anything can be removed
• Side-by-side versions make it easy (dnvm upgrade)
Using Bleeding Edge Tech
• Powershell, powershell and more powershell…
Continuous Delivery and Integration

# Build script: restore packages, then build and pack every project.json
# outside the build-output folders; stop the pipeline on the first failure.
$out = (Get-Item -Path ".\" -Verbose).FullName
dnu restore --no-cache --lock --unlock --parallel

Get-ChildItem -Recurse -Filter 'project.json' -Exclude '*artifacts*', '*Build*', '*Publish*' |
    Where-Object { !$_.Directory.FullName.Contains("artifacts") } |
    ForEach-Object {
        $res = $(Set-Location $_.Directory; $?) -and
               $(dnu build | Out-Host; $?) -and
               $(dnu pack --configuration release --out $out\Build\Packages; $?)
        if (!$res) {
            Write-Error "Build failed!"
            Exit 1
        }
    }

# Test script: run every test project and fail the pipeline if the
# runner reports a [FAIL].
$out = (Get-Item -Path ".\" -Verbose).FullName

Get-ChildItem -Recurse -Filter 'project.json' -Exclude '*artifacts*', '*Build*', '*Publish*' |
    Where-Object { $_.Directory.FullName.Contains("Tests") } |
    ForEach-Object {
        Set-Location $_.Directory
        # Capture the runner output as one string; piping to Write-Host
        # would print it but leave $testOutput empty.
        $testOutput = dnx . test 2>&1 | Out-String
        Write-Host $testOutput
        # -contains is array membership, not a text search, and in -like
        # the brackets in "[FAIL]" are a wildcard character class, so use
        # a regex with the brackets escaped.
        if ($testOutput -match '\[FAIL\]') {
            Write-Error "Tests failed!"
            Exit 1
        }
    }
• Use your own APIs
• Find pain-points before your customers
• Invite other teams to build something
Dogfooding
• Allows you to introduce new tech early
• Up-scale and prepare team for the future
• Mitigating risk
Building on-top of legacy
Building an API
OAuth
Disclaimer
• Don’t rely on a third party for a critical system
• Fewer headaches for your integrators
• Could be added as an option
What about Twitter, Facebook, etc?
Roll your own OAuth implementation?
• Built by industry experts
• Open Source
• Allows you to use OAuth 2.0 and OpenId Connect
• Lots and lots of examples and help available
IdentityServer
https://github.com/IdentityServer/IdentityServer3
Tokens
Tokens and Codes
Authorization Code: trade the code for an Access Token
Access Token: lets you access a given resource
Refresh Token: lets you keep your Access Token fresh
Storing Tokens
Treat your tokens like passwords!
Remember, they give access to a potentially private resource.
• JSON Web Token
• Payload (Claims) includes Scopes, User info, etc.
• Signed
JWT
What happens when you don’t validate a token?
Build your software to assume tokens are invalid and expired
Inspecting the Token
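The validation the slide is asking for, written out as an added example rather than code from the talk or from IdentityServer. It mints a JWT the way an authorization server would after a successful grant, then validates it the way an API must: pin the algorithm, verify the signature, then check issuer, audience, nbf and exp, and only then trust the claims. It assumes an HS256 shared secret and constructed issuer/audience strings so it runs offline; an IdentityServer3 deployment signs with RS256 and you verify against its public key, but the checks are the same. The two attacker helpers show what slips through when any of those checks is skipped.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this offline example: a constructed HS256 shared secret
# and constructed issuer/audience values. Real deployments use RS256 and
# the authorization server's public key.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://idsrv.example.com"
AUDIENCE = "https://idsrv.example.com/resources"
CLOCK_SKEW = 30  # seconds of leeway for nbf/exp


class InvalidToken(Exception):
    """Raised for any reason a token must not be honoured."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject, scopes, lifetime=3600, now=None, audience=AUDIENCE):
    """Mint a signed JWT as the authorization server would after a
    successful grant (for example the resource owner password flow)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": audience, "sub": subject,
              "nbf": now, "exp": now + lifetime, "scope": list(scopes)}
    signing_input = _json({"typ": "JWT", "alg": "HS256"}) + "." + _json(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, now=None):
    """Return the claims only if every check passes; raise InvalidToken otherwise.
    Order matters: pin the algorithm and verify the signature before
    trusting a single byte of the payload."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("undecodable header or signature") from exc
    # Never let the token choose its own algorithm ("none", or a downgrade).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError as exc:
        raise InvalidToken("undecodable claims") from exc
    if claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    if "exp" not in claims:
        raise InvalidToken("no expiry")  # a token that never expires is a bug
    if now >= claims["exp"] + CLOCK_SKEW:
        raise InvalidToken("token expired")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    return claims


def validation_error(token, now=None):
    """For logs and tests: the rejection reason, or None when the token is valid."""
    try:
        validate_token(token, now)
        return None
    except InvalidToken as exc:
        return str(exc)


def tamper(token, **changes):
    """Attacker helper: rewrite claims but keep the original signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return f"{header_b64}.{_json(claims)}.{sig_b64}"


def strip_signature(token):
    """Attacker helper: the classic alg=none forgery with an empty signature."""
    _, claims_b64, _ = token.split(".")
    return f"{_json({'typ': 'JWT', 'alg': 'none'})}.{claims_b64}."
```

Run validate_token on every request and treat any InvalidToken as 401; the `now` parameter exists so the expiry and not-before paths can be exercised deterministically instead of waiting for the clock.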
Securing the API
Choosing an OAuth Flow
Authorization Code & Implicit Flow
Resource Owner Password Flow
Client Credential Flow
Leverage current infrastructure
What if we already have authentication?
Identify this in pre-authentication and skip the OAuth login screen
Authenticate against current system
Authentication vs Authorization
Authentication is the process of ascertaining that somebody really is who they claim to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Filip may be authorized to create and delete databases, while Josh is only authorized to read.
http://stackoverflow.com/a/6556548/39106
Authentication vs Authorization
Authentication: login + password (who you are)
Authorization: permissions (what you are allowed to do)
http://stackoverflow.com/a/20638421/39106
• More than just “OK, you can access this resource” (OAuth)
• Authorization (Permissions) + Authentication (Login)
• IdentityServer provides OAuth 2.0 + OpenId Connect
OAuth + OpenId Connect
Securing the API
Consuming APIs
Testing your API
• Client Id
• Secret
• Scope(s)
• Return URL
• Grant type
• Credentials / Authorization Code (flow dependent)
What I need to get a Token
Resource Owner Password Token Retrieval
{ "access_token": "eyJ0eXAiO.....", "expires_in": 3600, "token_type": "Bearer", "refresh_token": "cfba7b409dcbb662216bfc5bba80afbc"}
Using a Token
GET /api/products HTTP/1.1
Host: localhost:1337
Authorization: Bearer eyJ0eXAiOiJK...
Getting data from the API
Scopes
Adding support for Scopes
[HttpDelete]
[Authorize("write")]
[Route("/accounts/{accountId}/documents/{documentId}")]
public async Task<JsonResult> DeleteAsync(string accountId, long documentId)
Leveraging Scopes
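The decision an attribute like [Authorize("write")] makes, written out as an added example (not the talk's code, and not how ASP.NET or IdentityServer implement it internally). It runs on the claims of an already-validated access token; the route policy table and the account-ownership map are constructed for the example. It handles the scope claim arriving as a single string, a JSON array, or the space-separated string of the OAuth spec, and it makes the point the slide title hints at: a scope says what the client may do, not which account the user owns, so the subject claim still has to be checked against the resource.

```python
# Assumption: constructed policy table, (method, route) -> required scope,
# mirroring [Authorize("write")] on the DELETE action.
DOC_ROUTE = "/accounts/{accountId}/documents/{documentId}"
POLICY = {
    ("GET", DOC_ROUTE): "read",
    ("DELETE", DOC_ROUTE): "write",
}
# Assumption: constructed ownership data standing in for the real account store.
ACCOUNT_OWNERS = {"acct-1": "alice", "acct-2": "josh"}


def granted_scopes(claims):
    """Normalise the scope claim into a set. Depending on the token server it
    arrives as one string, a JSON array, or the space-separated string the
    OAuth spec uses for the scope parameter; treat all three the same."""
    raw = claims.get("scope", [])
    if isinstance(raw, str):
        return set(raw.split())
    return {s for s in raw if isinstance(s, str)}


def authorize(method, route, params, claims):
    """Return the HTTP status the request should get before the action runs.
    401: no validated token (authentication failed)
    403: genuine token, but not allowed to do this (authorization failed)
    200: proceed to the action"""
    if claims is None:
        return 401
    required = POLICY.get((method, route))
    if required is None:
        return 403  # fail closed: an action without an explicit policy is not open
    if required not in granted_scopes(claims):
        return 403
    # The scope check says the *client* may write; it says nothing about
    # whether this *user* owns the account in the route. Check the subject.
    if ACCOUNT_OWNERS.get(params.get("accountId")) != claims.get("sub"):
        return 403
    return 200
```

In MVC 6 the string passed to [Authorize] names a policy, so the "write" policy registered at startup is where the scope requirement lives; the ownership check still belongs in the action or a resource-based handler, because no scope can express it.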
Wrap-up
ASP.NET 5
Open Source Go-Live! Cross-Platform
Building Secure APIs
Don’t roll your own security framework
Read the OAuth 2.0 Specification
OAuth
Know your flows
Authentication vs Authorization
Leverage Claims
Want to introduce new and shiny tech?
Build on-top of existing infrastructure
Start with non-mission critical parts of the business
Download the code
http://bit.ly/ddd-oauth
Please support our sponsors
Fill out your feedback
To go into the draw for prizes, please remember to complete your feedback at:
http://www.dddbrisbane.com/feedback
No feedback = No Prizes!
@fekberg
Thank you, I’m Filip Ekberg!