oauth in the new .net world (owin)

Emad Alashi

• Senior Developer at Readify• ASP.NET/IIS MVP

• www.DotNetArabi.com• www.EmadAshi.com• @emadashi

OAuth 2.0 & .NETLive with others

Pre-OAuth era(Yeah, History!)

Username & password

Resources

Images

Username & password

Facebook Auth

Google AuthSub

Flickr API

Yahoo BBAuth Web Services

So how does it work?

Resource owner Authorization Server

Resource ServerClientMyAuthorization/Resources Server

302 to fb.com/auth? data auth? clientID & scope & redirectUri=myPD.com/signin

302 to myPD.com/signin? datamyPD.com/signin? code & scope

fb.com/auth? clientId & code & redirectUri

accessToken & tokenType & expires & refreshToken

Welcome

myPodcast.com

This app wants…are you sure?

Yes please, allow

OAuth in MVC 4 DotNetOpenAuth

& OAuthWebSecurity

OAuth in MVC 5 OWIN

owin.org

OWIN (Open Web Interface for .NET)

OWIN with IIS

Invoke(IOwinContext con){

DoINeedToAlterRequest? { }

AllowSubsequentMiddleWares? { base.Next.Invoke(con); } NeedToAlterResponse? { }

Middleware 1

Middleware 2

Middleware 3

Authentication middleware

Authentication middleware Application

ApplyResponseGrant

Invoke

ApplyResponseChallenge

AuthenticateCoreAsync

Facebook example

Facebook middleware

Cookies middleware Application

401 (facebook)

302 to Fb.com/oauth?redirectUri=signin-facebook

302 to Account/External

Get: Account/External

AuthenticateCoreAsync----

Create Idnetity

ApplyResponseGrant------

wrap claims in App ticketCreate cookie

Post: myPd.com/Account/Login(Facebook)

Get: myPd.com/signin-facebook?code=djlsjjce

ApplyResponseChallenge302 to fb.com/oauth

302 to myPD.com/Account/External

SignInExternal----

Create Idnetity

Oauth Auth mid.Oauth Server mid. Application

redirectUri?token=uhuihuhkn

/auth?clientId&Response_Type/token?code=tyggyug

aPageAuthHead: Bearer ygugjygj

ApplyResponseGrant

signInsignIn

AuthenticateCoreAsync

Invoke---

validations

Microsoft.Owin.Security.Infrastructure

AuthenticationMiddleware• Constructor• CreateHandler

AuthenticationHandler• AuthenticateCoreAsync• InvokeAsync• ApplyResponseGrantAsync• ApplyResponseChallengeAsync

Authentication Middleware

• Facebook• Google• Twitter• OAuth• Server• Authentication

Emad.ashi@gmail

@EmadAshi

oauth in the new .net world (owin)

oauth server mid

facebook example20

preoauth era

code scope302

datawelcome fb

authentication middleware18

owin open web interface

validationsoauth auth

Technology

owin tarina 2006-2014

the essential oauth primer: understanding oauth...

owin and katana - sdd...

oregon wireless interoperability network (owin) project

how to make own framework built on owin

owin and katana

owin from spec to application

owin middleware in vnext

owin - .netにおけるpsgi -

mastering oauth 2 - adobe inc.€¦ · leveraging the oauth...

owin why should i care?

reducing the attack surface of a .net owin website ·...

mini-training owin katana

oauth 2 und openid connect securing microservices … ·...

project k, vnext and owin

angular owin katana typescript

o que é esse tal de owin?

1 - owin and katana

campus days 2014 owin

oauth tokens