Web API Authentication and Authorization
CHALERMPON AREEPONG
Microsoft MVP ASP.NET
MVCRocks.NET Community and https://fb.com/groups/mvcthaidev Founder
DevRock #01 Hello New Year 2015
CHALERMPON AREEPONG
Microsoft MVP – ASP.NET 9 Years
ASP.NET Web APIs
The ways to secure your Web APIs.
Web Security Scenarios
Explain each scenario
demo
How to
Summary
Basic Understanding of ASP.NET Web APIs
Support HTTP Content-Types
json, xml, plain text, …, custom
Client can use HTTP to access the APIs
HTTP Verbs to access resources
GET, POST, PUT, DELETE, etc.
Response HTTP status codes
2xx, 3xx, 4xx, 5xx
Multiple Host Types
IIS, WAS, Windows Service, Console, ..
Extensible and Customizable
DEMO
Web
Mobile
Device
Application
Any Client send HTTP Request
Basic Understanding of Web Security
Transport Layer Security
HTTPS protocol encryption
Untrusted (Anonymous)
Trusted
Application Layer Security (1)
Authentication
Token-Based
Two-Factor
Intranet (IIS Windows)
LDAP (Active Directory, OpenLDAP)
OAuth, OpenID
Identity Services (Azure AD service)
Application Layer Security (2)
Authorization
Role Based
Claims Based
…..
Application Layer Security (3)
Data Encryption
Encryption Algorithms
ASP.NET Web API architecture
Request pipeline, outermost layer first:
HOST
OWIN: host/framework-independent concerns, e.g. authentication
Web API
  MessageHandler (global/per-route): Web API cross-cutting concerns, e.g. CORS
  Authentication Filter: Web API specific authentication
  Authorization Filter: internal, app-level authorization
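The three Web API stages of that pipeline, written out as an added example (this is not code from the slides or the speaker's demo): a global DelegatingHandler for a cross-cutting concern, an IAuthenticationFilter that turns a Bearer token into a ClaimsPrincipal, and [Authorize] on the controller for the app-level decision. The token format (base64(name|role|expiryTicks).base64(HMAC-SHA256)), the demo key, the ReportsController and the "Admin" role are all assumptions made for this example.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Stage 1 - MessageHandler (global). A cross-cutting concern that does not care who
// the caller is: refuse plain-HTTP requests so tokens never travel in clear.
public class RequireHttpsHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required"));
        return base.SendAsync(request, cancellationToken);
    }
}

// Stage 2 - Authentication filter. Reads "Authorization: Bearer <token>", verifies it and
// sets the ClaimsPrincipal that the authorization stage will inspect.
// Assumed token format: base64(name|role|expiryUtcTicks).base64(HMAC-SHA256 over the first part).
public class BearerAuthenticationFilter : Attribute, IAuthenticationFilter
{
    // Demo key only (assumption); a real service keeps this in protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-key-replace-with-32-random-bytes");

    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        if (auth == null || !"Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);   // no credentials: stay anonymous, [Authorize] decides later

        ClaimsPrincipal principal = Validate(auth.Parameter);
        if (principal == null)           // bad or expired token: 401 with a Bearer challenge
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("Bearer") }, context.Request);
        else
            context.Principal = principal;
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        context.ChallengeWith("Bearer"); // add "WWW-Authenticate: Bearer" to any 401 from later stages
        return Task.FromResult(0);
    }

    public static ClaimsPrincipal Validate(string token)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, signature;
        try
        {
            payload = Convert.FromBase64String(parts[0]);
            signature = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return null; }

        using (var hmac = new HMACSHA256(Key))
        {
            byte[] expected = hmac.ComputeHash(payload);
            if (expected.Length != signature.Length) return null;
            int diff = 0;                // constant-time compare: no early exit on the first mismatch
            for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ signature[i];
            if (diff != 0) return null;
        }

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        long expiryTicks;
        if (fields.Length != 3 || !long.TryParse(fields[2], out expiryTicks)) return null;
        if (new DateTime(expiryTicks, DateTimeKind.Utc) <= DateTime.UtcNow) return null; // expired

        var identity = new ClaimsIdentity("Bearer");  // authentication type set => IsAuthenticated == true
        identity.AddClaim(new Claim(ClaimTypes.Name, fields[0]));
        identity.AddClaim(new Claim(ClaimTypes.Role, fields[1]));
        return new ClaimsPrincipal(identity);
    }
}

// Stage 3 - Authorization is internal, app-level policy, so it sits on the controller.
[BearerAuthenticationFilter]
public class ReportsController : ApiController
{
    [Authorize]                   // any authenticated principal
    public IHttpActionResult Get() { return Ok(User.Identity.Name); }

    [Authorize(Roles = "Admin")]  // role-based: needs a ClaimTypes.Role claim equal to "Admin"
    public IHttpActionResult Delete(int id) { return StatusCode(HttpStatusCode.NoContent); }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MessageHandlers.Add(new RequireHttpsHandler()); // runs before any filter
        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new { id = RouteParameter.Optional });
    }
}
```

Order matters: the handler sees every request before routing, the authentication filter only runs for actions it is applied to, and [Authorize] reads whatever principal the filter set (or an anonymous one if it set none). Returning null from the filter for a missing header rather than a 401 is deliberate: it lets [AllowAnonymous] actions on the same controller keep working.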
Web API with OWIN Adapter
OWIN
ASP.NET with OWIN Bridge
IIS
Web API with OWIN Adapter
OWIN
Process/Host + OWIN Bridge
Scalability of servers: stateless
Centralized user info
Loose coupling: no service dependency
Mobile friendly: just keep the token for reuse in a native mobile app
Username / Password
Get token
ASP.NET Web API 2.0 Self Provider
External Provider
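The "Username / Password, get token" flow with a Web API 2.0 self provider, as an added example (not the speaker's demo code): the API validates credentials itself and the OWIN OAuth middleware issues and later verifies the bearer token, which is what keeps the servers stateless as listed above. The in-memory UserStore, its two users, the SelfAuthorizationServerProvider class name and the 30-minute lifetime are assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Constructed user table for the example. Passwords are kept as PBKDF2 hashes, never in clear.
public static class UserStore
{
    private const int Iterations = 10000;
    private static readonly Dictionary<string, Tuple<byte[], byte[], string>> Users =
        new Dictionary<string, Tuple<byte[], byte[], string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", Entry("correct horse battery staple", "Admin") },
            { "bob",   Entry("bob-password-1",               "User")  }
        };

    private static Tuple<byte[], byte[], string> Entry(string password, string role)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return Tuple.Create(salt, kdf.GetBytes(32), role);   // (salt, hash, role)
    }

    public static bool TryAuthenticate(string userName, string password, out string role)
    {
        role = null;
        Tuple<byte[], byte[], string> entry;
        if (userName == null || password == null || !Users.TryGetValue(userName, out entry)) return false;
        byte[] computed;
        using (var kdf = new Rfc2898DeriveBytes(password, entry.Item1, Iterations)) computed = kdf.GetBytes(32);
        int diff = 0;                                  // constant-time compare of the two hashes
        for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ entry.Item2[i];
        if (diff != 0) return false;
        role = entry.Item3;
        return true;
    }
}

// Self provider: the API checks the credentials, the OWIN middleware mints the token.
public class SelfAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();   // first-party public client (mobile app / SPA): no client secret to check
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        string role;
        if (!UserStore.TryAuthenticate(context.UserName, context.Password, out role))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Role, role));
        context.Validated(identity);   // middleware protects the ticket and returns it as access_token
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        // Ignore cookies or Windows identities coming from the host; only the bearer token counts.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new SelfAuthorizationServerProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false      // /token answers only over HTTPS
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}
```

A client posts grant_type=password&username=alice&password=... as a form body to /token, receives access_token, token_type and expires_in as JSON, and then sends Authorization: Bearer <access_token> on every API call; a native mobile app just stores that token and reuses it until it expires. The token carries the identity inside it, protected by the server's data-protection key, so no session state is kept on the server. An external provider (OAuth, OpenID, Azure AD) replaces GrantResourceOwnerCredentials with a redirect to the provider and a callback; the bearer middleware on the API side stays the same.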