web api authentication and authorization

CHALERMPON AREEPONG Microsoft MVP ASP.NET MVCRocks.NET Community and https://fb.com/groups/mvcthaidev Founder DevRock #01 Hello New Year 2015

Upload: chalermpon-areepong

Post on 15-Jul-2015


TRANSCRIPT

Page 1: Web API authentication and authorization

CHALERMPON AREEPONG

Microsoft MVP ASP.NET

MVCRocks.NET Community and https://fb.com/groups/mvcthaidev Founder

DevRock #01 Hello New Year 2015

Page 2


CHALERMPON AREEPONG

Microsoft MVP – ASP.NET 9 Years

Page 3


ASP.NET Web APIs

The ways to secure your Web APIs.

Web Security Scenarios

Explain each scenario

Demo

How to

Summary

Page 4

Basic Understanding ASP.NET WEB APIs


Page 5


Supports HTTP Content-Types

json, xml, plain text, ..., custom

Clients can use HTTP to access the APIs

HTTP Verbs to access resources

GET, POST, PUT, DELETE, etc.

Response HTTP Status Codes

20x, 30x, 40x, 50x

Multiple Host Types

IIS, WAS, Windows Service, Console, ...

Extensible and Customizable

Page 6


DEMO

Page 7


Web

Mobile

Device

Application

Any client sends an HTTP request

Page 8

Basic Understanding Web Security


Page 9


Transport Layer Security

HTTPS Protocol Encryption

Untrusted (Anonymous)

Trusted

Page 10


Application Layer Security (1)

Authentication

Token-Based

Two-Factor

Intranet (IIS Windows)

LDAP (Active Directory, OpenLDAP)

OAuth, OpenID

Identity Services (Azure AD Service)

Page 11


Application Layer Security (2)

Authorization

Role Based

Claims Based

…..

Page 12


Application Layer Security (3)

Data Encryption

Encryption Algorithms

Page 13

ASP.NET Web APIs architecture


Page 14


Web API security pipeline, in order:

Host (OWIN): host/framework-independent concerns, e.g. authentication

Web API MessageHandler (global/per-route): Web API cross-cutting concerns, e.g. CORS

Authentication Filter: Web API specific authentication

Authorization Filter: internal app-level authorization

Page 15


Web API with OWIN Adapter

OWIN

ASP.NET with OWIN Bridge

IIS

Page 16


Web API with OWIN Adapter

OWIN

Process/Host+OWIN Bridge

Page 17


Scalability of servers: stateless

Centralized user info

Loosely coupled: no dependency on a service

Mobile friendly: just keep the token for reuse in a native mobile app.

Page 18


Username / Password

Get token

Page 19


ASP.NET Web API 2.0 Self Provider

External Provider
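The flow the last slides describe (username/password in, token out from a Web API 2.0 self provider, then the host-level authentication and the role-based authorization filter of the pipeline on page 14), as an added C# example that is not part of the deck. It uses the Katana OAuth middleware (Microsoft.Owin.Security.OAuth) and the Web API OWIN adapter; `Startup`, `PasswordGrantProvider`, `AdminController` and the single hard-coded demo user are assumptions for illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // OWIN host layer: issue and validate bearer tokens before Web API sees the request.
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new PasswordGrantProvider(),
            AllowInsecureHttp = false   // the token endpoint answers only over HTTPS
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        var config = new HttpConfiguration();
        // Web API layer: ignore host identities (e.g. IIS Windows auth) and trust only bearer.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        config.Routes.MapHttpRoute("api", "api/{controller}");
        app.UseWebApi(config);
    }
}
// Self provider: username/password in, bearer token out (resource owner password grant).
public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    // Hypothetical single user; a real app verifies a salted password hash from a store.
    const string DemoUser = "alice", DemoPassword = "S3cret!", DemoRole = "admin";
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    { context.Validated(); return Task.FromResult(0); }   // public client, no client secret
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (context.UserName != DemoUser || context.Password != DemoPassword)
            context.SetError("invalid_grant", "The user name or password is incorrect.");
        else
        {
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            identity.AddClaim(new Claim(ClaimTypes.Role, DemoRole));
            context.Validated(identity);   // claims travel protected inside the issued token
        }
        return Task.FromResult(0);
    }
}
// Authorization filter: role-based check on the role claim carried by the token.
[Authorize(Roles = "admin")]
public class AdminController : ApiController { public IHttpActionResult Get() => Ok(User.Identity.Name); }
```

A client POSTs `grant_type=password&username=alice&password=S3cret!` to `/token` over HTTPS, then reuses the returned access token as `Authorization: Bearer ...` on `/api/admin`; the token expires after Katana's default lifetime of 20 minutes unless `AccessTokenExpireTimeSpan` is set.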

Page 20