OAuth in the new .NET world (OWIN)
Post on 15-Jan-2015
1
Emad Alashi
• Senior Developer at Readify
• ASP.NET/IIS MVP
• www.DotNetArabi.com
• www.EmadAshi.com
• @emadashi
2
OAuth 2.0 & .NET
Live with others
3
Pre-OAuth era (Yeah, History!)
4
Username & password
Resources
Images
Etc.
data
5
Facebook Auth
Google AuthSub
Flickr API
Yahoo BBAuth Web Services
6
7
So how does it work?
8
Resource owner
Authorization Server
Resource Server
Client
My Authorization/Resources Server
11
My
302 to fb.com/auth? data
auth? clientID & scope & redirectUri=myPD.com/signin
302 to myPD.com/signin? data
myPD.com/signin? code & scope
fb.com/auth? clientId & code & redirectUri
accessToken & tokenType & expires & refreshToken
Welcome
myPodcast.com
This app wants…are you sure?
Yes please, allow
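The exchange on this slide, as an added example that is not part of the original deck: a small in-memory Python simulation of both sides of the authorization code flow, using the slide's host and parameter names. The client secret, the 60-second code lifetime and the function names are assumptions.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration: host names follow the slide, the secret is made up.
CLIENTS = {"myPD": {"secret": "constructed-secret",
                    "redirect_uri": "https://myPD.com/signin"}}
CODES = {}  # code -> (client_id, redirect_uri, scope, expires_at)


def authorize_url(client_id, scope, redirect_uri):
    """Client: build the 302 target. Parameter names follow the slide;
    RFC 6749 spells them client_id and redirect_uri."""
    return "https://fb.com/auth?" + urlencode(
        {"clientID": client_id, "scope": scope, "redirectUri": redirect_uri})


def authorize(url, now=None):
    """Authorization server, after the owner answers 'Yes please, allow'."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(q.get("clientID"))
    # Exact match with the registered URI, so a code is never sent elsewhere.
    if client is None or q.get("redirectUri") != client["redirect_uri"]:
        raise PermissionError("unknown client or unregistered redirectUri")
    code = secrets.token_urlsafe(16)
    CODES[code] = (q["clientID"], q["redirectUri"], q.get("scope", ""),
                   (now or time.time()) + 60)  # assumed 60 s code lifetime
    return q["redirectUri"] + "?" + urlencode(
        {"code": code, "scope": q.get("scope", "")})


def token(client_id, client_secret, code, redirect_uri, now=None):
    """Token endpoint: back-channel exchange of the code for tokens.
    The slide omits client authentication; the secret is an assumption."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    issued = CODES.pop(code, None)  # pop: a code can be redeemed only once
    if issued is None:
        raise PermissionError("unknown or already used code")
    c_id, r_uri, scope, expires_at = issued
    if (c_id, r_uri) != (client_id, redirect_uri) or (now or time.time()) > expires_at:
        raise PermissionError("code bound to another client/redirectUri, or expired")
    return {"accessToken": secrets.token_urlsafe(32), "tokenType": "bearer",
            "expires": 3600, "refreshToken": secrets.token_urlsafe(32),
            "scope": scope}
```

The three checks at the token endpoint (client authentication, single use, binding to the client and redirectUri) are what keep a leaked code from being redeemed by another party.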
12
OAuth in MVC 4
DotNetOpenAuth & OAuthWebSecurity
13
OAuth in MVC 5 OWIN
14
owin.org
15
OWIN (Open Web Interface for .NET)
16
OWIN with IIS
17
Invoke(IOwinContext con){
    DoINeedToAlterRequest? { }
    AllowSubsequentMiddleWares? { base.Next.Invoke(con); }
    NeedToAlterResponse? { }
}
Middleware 1
Middleware 2
Middleware 3
18
Authentication middleware
19
Authentication middleware Application
ApplyResponseGrant
Invoke
ApplyResponseChallenge
AuthenticateCoreAsync
20
Facebook example
21
Facebook middleware
Cookies middleware Application
401 (facebook)
302 to Fb.com/oauth?redirectUri=signin-facebook
302 to Account/External
Get: Account/External
AuthenticateCoreAsync:
Create Identity
ApplyResponseGrant:
wrap claims in App ticket
Create cookie
Post: myPd.com/Account/Login(Facebook)
Get: myPd.com/signin-facebook?code=djlsjjce
ApplyResponseChallenge
302 to fb.com/oauth
302 to myPD.com/Account/External
SignInExternal:
Create Identity
22
OAuth Auth mid.
OAuth Server mid.
Application
redirectUri?token=uhuihuhkn
/auth?clientId&Response_Type
/token?code=tyggyug
aPage
AuthHead: Bearer ygugjygj
ApplyResponseGrant
signIn
signIn
AuthenticateCoreAsync
Invoke:
validations
23
Microsoft.Owin.Security.Infrastructure
AuthenticationMiddleware
• Constructor
• CreateHandler
AuthenticationHandler
• AuthenticateCoreAsync
• InvokeAsync
• ApplyResponseGrantAsync
• ApplyResponseChallengeAsync
24
Authentication Middleware
• Facebook
• Google
• Twitter
• OAuth
• Server
• Authentication