Web API 2 Token Based Authentication
TRANSCRIPT
ASP.NET Web API 2 Token Based Authentication
Jeremy Brown
jeremy@jeremysbrown.com
@JeremySBrown
https://github.com/JeremySBrown/AuthTokenPresentation
What this talk is about…
• Basic Concepts of Token Based Authentication
• Benefits of Token Authentication
• Quick Overview of OAuth 2.0 (really quick)
• How to use it in an ASP.NET Web API 2 Project
What is Token Authentication?
It is the process by which a Client is granted an access token by an Authorization Server after presenting credentials (the Resource Owner's credentials, or the client's own).
The access token, rather than the credentials, is then presented to a Resource Server to access a protected resource.
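The two steps above (obtain a token, then present it), written out as a client-side exchange. This is an added example, not code from the talk or its GitHub repository; it assumes a Web API 2 host running the OWIN OAuth middleware with its token endpoint at /token and a protected resource at /api/values, and the base address, user name and password are constructed for the demo. Json.NET (Newtonsoft.Json), which Web API 2 projects already reference, is used to read the token response.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Assumed: a Web API 2 host exposing the OWIN OAuth token endpoint at /token
// and an [Authorize]-protected resource at /api/values. The address and the
// credentials below are constructed for this demo.
class TokenClientDemo
{
    static readonly Uri BaseAddress = new Uri("https://localhost:44300/");

    static void Main()
    {
        RunAsync().GetAwaiter().GetResult();
    }

    static async Task RunAsync()
    {
        using (var http = new HttpClient { BaseAddress = BaseAddress })
        {
            // Step 1: the Client exchanges the Resource Owner's credentials for tokens
            // (Resource Owner Password grant; the body is form-encoded, as RFC 6749 requires).
            var tokenResponse = await http.PostAsync("token", new FormUrlEncodedContent(
                new Dictionary<string, string>
                {
                    { "grant_type", "password" },
                    { "username", "alice" },
                    { "password", "P@ssw0rd!" }
                }));
            if (!tokenResponse.IsSuccessStatusCode)
            {
                // On bad credentials the middleware answers 400 with {"error":"invalid_grant",...}.
                Console.WriteLine("token request failed: " + await tokenResponse.Content.ReadAsStringAsync());
                return;
            }
            var json = JObject.Parse(await tokenResponse.Content.ReadAsStringAsync());
            string accessToken = (string)json["access_token"];
            string refreshToken = (string)json["refresh_token"]; // null unless the server issues one

            // Step 2: present the access token to the Resource Server as a bearer token.
            // It travels in the Authorization header, which the browser never attaches on its
            // own the way it attaches a cookie; that is why CSRF does not apply to this transport.
            var request = new HttpRequestMessage(HttpMethod.Get, "api/values");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            var resourceResponse = await http.SendAsync(request);
            Console.WriteLine("{0} {1}", (int)resourceResponse.StatusCode,
                await resourceResponse.Content.ReadAsStringAsync());

            // Step 3: how the Client later gets a fresh access token without the password:
            // the Refresh Token grant, sent to the same endpoint.
            if (refreshToken != null)
            {
                var refreshed = await http.PostAsync("token", new FormUrlEncodedContent(
                    new Dictionary<string, string>
                    {
                        { "grant_type", "refresh_token" },
                        { "refresh_token", refreshToken }
                    }));
                Console.WriteLine("refresh: {0}", (int)refreshed.StatusCode);
            }
        }
    }
}
```

Note that the credentials are sent exactly once, in step 1; every later request carries only the bearer token, which is why the token must be protected like a password in transit (TLS) and at rest on the client.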
Benefits of Token Authentication
• Allows access between applications without sharing the user's credentials
• Supports Cross-Domain / CORS: the token is an ordinary request header, so cookie domain rules do not apply
• Stateless: a self-contained (protected) token carries what the server needs, so no session store is required
• Decoupling: the Authorization Server and the Resource Server(s) can be separate applications
• Mobile Ready: native apps store a token rather than a browser cookie jar
• CSRF/XSRF is not an issue, provided the token is sent in the Authorization header; if it is put in a cookie that the browser attaches automatically, CSRF protection is needed again
Access Tokens: The Heart of OAuth
Quick Guide to OAuth 2.0
• Roles
• Client Types
• Client Profiles
• Authorization Grant Types
OAuth 2.0 Roles
• Resource Owner: End User
• Resource Server: Host that accepts access tokens
• Client: An application that needs access to a protected Resource
• Authorization Server: Issues token to authenticated owner
Note: Typically an ASP.NET Web API project functions as both the Authorization Server and the Resource Server.
OAuth 2.0 Client Types & Profiles
• Confidential Clients
• Web Applications (Server Side Only)
• Public Clients
• User Agent Based Applications (jQuery, SPAs, Silverlight, Flash)
• Native Applications (Mobile, Desktop Applications)
OAuth 2.0 Authorization Grant Types
• Resource Owner Password
• Client Credentials
• Authorization Code
• Implicit
• Refresh Token (exchanges a previously issued refresh token for a new access token, without re-sending the user's credentials)
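The Refresh Token grant as the server side of the OWIN middleware sees it. This is an added example, not code from the talk or its repository. It assumes the Microsoft.Owin.Security.OAuth middleware: the `IAuthenticationTokenProvider` implementation plugs into `OAuthAuthorizationServerOptions.RefreshTokenProvider`, and the provider subclass (which would also carry the password-grant handler in a real project) plugs into `OAuthAuthorizationServerOptions.Provider`. The in-memory store and the seven-day lifetime are assumptions for the demo.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

namespace TokenDemo
{
    // Assumed wiring in OAuthAuthorizationServerOptions:
    //   RefreshTokenProvider = new SingleUseRefreshTokenProvider(),
    //   Provider = new RefreshingAuthorizationServerProvider()

    // Issues opaque, single-use refresh tokens: only a random handle leaves the server,
    // the serialized ticket (claims + expiry) stays behind it.
    public class SingleUseRefreshTokenProvider : IAuthenticationTokenProvider
    {
        // In-memory for the demo; a real deployment persists these, one row per handle,
        // so that a handle can be revoked and survives an app restart.
        private static readonly ConcurrentDictionary<string, string> Store =
            new ConcurrentDictionary<string, string>();

        public Task CreateAsync(AuthenticationTokenCreateContext context)
        {
            var handle = Guid.NewGuid().ToString("N");
            // Refresh tokens live longer than the access token they accompany (assumed: 7 days).
            context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
            context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(7);
            Store[handle] = context.SerializeTicket(); // protected with the middleware's data protector
            context.SetToken(handle);                  // this handle is what the client receives
            return Task.FromResult(0);
        }

        public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
        {
            string ticket;
            // TryRemove makes the token single use: a replayed or stolen-and-reused handle
            // finds nothing, the ticket stays null, and the middleware answers invalid_grant.
            if (Store.TryRemove(context.Token, out ticket))
                context.DeserializeTicket(ticket);
            return Task.FromResult(0);
        }

        // The middleware only calls the async pair; the sync pair is never reached.
        public void Create(AuthenticationTokenCreateContext context) { throw new NotSupportedException(); }
        public void Receive(AuthenticationTokenReceiveContext context) { throw new NotSupportedException(); }
    }

    public class RefreshingAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
        {
            // Build the new access token from the claims stored with the refresh token.
            // This is the place to re-check the account (disabled? password changed?)
            // before handing out another access token without the user's password.
            var identity = new ClaimsIdentity(context.Ticket.Identity);
            context.Validated(identity);
            return Task.FromResult(0);
        }
    }
}
```

Because the middleware expires the refresh ticket itself, a handle that is old enough is rejected even if it is still in the store; the single-use removal covers the other failure mode, reuse of a handle that has already been exchanged.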
Development Options
• OWIN – Open Web Interface for .NET
• Middleware components for OAuth and CORS
• http://owin.org
• DotNetOpenAuth
• C# implementation of the OpenID, OAuth and InfoCard protocols
• http://dotnetopenauth.net
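The OWIN route from the slide above, put together with the Resource Owner Password grant from the grant-type list: an OWIN Startup that makes one Web API 2 project act as both Authorization Server (issuing tokens at /token) and Resource Server (validating bearer tokens), plus a protected controller. This is an added example, not code from the talk or its repository; it assumes the Microsoft.Owin.Security.OAuth, Microsoft.Owin.Cors and Microsoft.AspNet.WebApi.Owin packages, and the user table is constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(TokenDemo.Startup))]

namespace TokenDemo
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // CORS first, so a browser SPA on another origin can reach /token and the API.
            app.UseCors(CorsOptions.AllowAll); // demo only; pin the allowed origins in production

            // Authorization Server role: issue access tokens at /token.
            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/token"),
                Provider = new DemoAuthorizationServerProvider(),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
                AllowInsecureHttp = false // passwords and bearer tokens must only travel over TLS
            });

            // Resource Server role: validate "Authorization: Bearer <token>" on every request.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    // Handles the Resource Owner Password grant (grant_type=password).
    public class DemoAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        // Constructed in-memory user table with a plaintext password, for the demo only;
        // a real app checks a salted hash through ASP.NET Identity or its own store.
        private static readonly Dictionary<string, string> Users =
            new Dictionary<string, string> { { "alice", "P@ssw0rd!" } };

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // Public clients (SPAs, mobile apps) cannot keep a secret, so none is demanded here.
            context.Validated();
            return Task.FromResult(0);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            string expected;
            if (!Users.TryGetValue(context.UserName, out expected) || expected != context.Password)
            {
                // One generic message: never reveal which half of the credential was wrong.
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return Task.FromResult(0);
            }
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
            context.Validated(identity); // the middleware serializes and protects this into the access token
            return Task.FromResult(0);
        }
    }

    [Authorize] // a missing, expired or tampered bearer token yields 401 before the action runs
    [RoutePrefix("api/values")]
    public class ValuesController : ApiController
    {
        [Route("")]
        public IHttpActionResult Get()
        {
            return Ok(new[] { "hello, " + User.Identity.Name });
        }
    }
}
```

With this in place, a POST to /token with `grant_type=password&username=alice&password=P@ssw0rd!` returns `{"access_token":"...","token_type":"bearer","expires_in":1199}`, and GET /api/values succeeds only when that token is sent as `Authorization: Bearer <access_token>`. The access token is protected with the machine key, so every server in a web farm must share that key for tokens issued by one node to validate on another.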
Contact Information
• https://github.com/JeremySBrown/AuthTokenPresentation
• @JeremySBrown