Building APIs with MVC 6 and OAuth
Download as PPTX, PDF3 likes2,719 views
Filip Ekberg is a software engineer, author, blogger, and speaker. He discusses ASP.NET 5 and OAuth, highlighting that it is cross-platform, open source, and has a modular design. He provides tips for using OAuth with ASP.NET 5, including consuming APIs, securing APIs, and choosing an OAuth flow. He emphasizes best practices like validating tokens, securing tokens like passwords, and leveraging claims-based authentication.
![• Powershell, powershell and more powershell…
$out = (Get-Item -Path "." -Verbose).FullName
$(dnu restore --no-cache --lock --unlock --parallel)
get-childitem -recurse -filter 'project.json' -exclude '*artifacts*', '*Build*', '*Publish*' | Where-Object {
!$_.Directory.FullName.Contains("artifacts")
} | ForEach-Object {
$res = $(cd $_.Directory;$?) -and $(dnu build | Out-Host;$?)
-and $(dnu pack --configuration release --out $outBuildPackages)
if (!$res) {
Write-Error "Build failed!"
Exit 1
}
}
$out = (Get-Item -Path "." -Verbose).FullName
get-childitem -recurse -filter 'project.json' -exclude '*artifacts*', '*Build*', '*Publish*' | Where-Object {
$_.Directory.FullName.Contains("Tests")
} | ForEach-Object {
$(cd $_.Directory;$?)
$testOutput = $(dnx . test | Write-Host)
if ($testOutput -contains "*[FAIL]*") {
Write-Error "Tests failed!"
Exit 1
}
}](https://image.slidesharecdn.com/filipekberg-dddbrisbane2015-151206222556-lva1-app6891/85/Building-APIs-with-MVC-6-and-OAuth-7-320.jpg)
![[HttpDelete]
[Authorize("write")]
[Route("/accounts/{accountId}/documents/{documentId}")]
public async Task<JsonResult> DeleteAsync(string accountId,
long documentId)](https://image.slidesharecdn.com/filipekberg-dddbrisbane2015-151206222556-lva1-app6891/85/Building-APIs-with-MVC-6-and-OAuth-40-320.jpg)
Building APIs with MVC 6 and OAuth
- 2. @fekberg I’m Filip Ekberg Author. Blogger. Speaker. MS MVP. Xamarin MVP. Geek. Senior Software Engineer @
- 3. ASP.NET 5 OAuth Consuming APIs
- 5. • Everything! • Cross-platform • Open Source • Modular design (split into NuGet packages) • And much more..
- 6. • Ctrl + H (Find and Replace) Upgrades • Until RTM - anything can be renamed - anything can be removed • Side-by-side versions makes it easy (dnvm upgrade)
- 7. • Powershell, powershell and more powershell… $out = (Get-Item -Path "." -Verbose).FullName $(dnu restore --no-cache --lock --unlock --parallel) get-childitem -recurse -filter 'project.json' -exclude '*artifacts*', '*Build*', '*Publish*' | Where-Object { !$_.Directory.FullName.Contains("artifacts") } | ForEach-Object { $res = $(cd $_.Directory;$?) -and $(dnu build | Out-Host;$?) -and $(dnu pack --configuration release --out $outBuildPackages) if (!$res) { Write-Error "Build failed!" Exit 1 } } $out = (Get-Item -Path "." -Verbose).FullName get-childitem -recurse -filter 'project.json' -exclude '*artifacts*', '*Build*', '*Publish*' | Where-Object { $_.Directory.FullName.Contains("Tests") } | ForEach-Object { $(cd $_.Directory;$?) $testOutput = $(dnx . test | Write-Host) if ($testOutput -contains "*[FAIL]*") { Write-Error "Tests failed!" Exit 1 } }
- 8. • Use your own APIs • Find pain-points before your customers • Invite other teams to build something
- 9. • Allows you to introduce new tech early • Up-scale and prepare team for the future • Mitigating risk
- 12. Disclaimer
- 13. • Don’t rely on a third party for a critical system • Less headaches for your integrators • Could be added as an option
- 15. • Built by industry experts • Open Source • Allows you to use OAuth 2.0 and OpenId Connect • Lots and lots of examples and help available https://github.com/IdentityServer/IdentityServer3
- 16. Tokens
- 17. Authorization Code Trade code for an Access Token Access Token Lets you access a given resource Refresh Token Lets you keep your Access Token fresh
- 18. Treat your Tokens like passwords! Remember, they give you access to a potential private resource
- 19. • JSON Web Token • Payload (Claims) include Scopes, User info, etc • Signed
- 20. What happens when you don’t validate a token?
- 21. Build your software to assume tokens are invalid and expired
- 23. Securing the API
- 24. Choosing an OAuth Flow
- 28. What if we already have authentication? Identify this in pre-authentication and skip OAuth login screen Authenticate against current system
- 29. Authentication is the process of ascertaining that somebody really is who they claims to be Authorization refers to rules that determine who is allowed to do what. E.g. Filip may be authorized to create and delete databases, while Josh is only authorized to read. http://stackoverflow.com/a/6556548/39106
- 30. Authentication login + password (who you are) Authorization permissions (what you are allowed to do) http://stackoverflow.com/a/20638421/39106
- 31. • More than just “OK you access this resource” (OAuth) • Authorization (Permissions) + Authentication (Login) • IdentityServer provides OAuth 2.0 + OpenId Connect
- 35. • Client Id • Secret • Scope(s) • Return URL • Grant type • Credentials / Authorization Code (Flow dependent)
- 36. { "access_token": "eyJ0eXAiO.....", "expires_in": 3600, "token_type": "Bearer", "refresh_token": "cfba7b409dcbb662216bfc5bba80afbc" }
- 37. GET /api/products HTTP/1.1 Host: localhost:1337 Authorization: Bearer eyJ0eXAiOiJK...
- 40. [HttpDelete] [Authorize("write")] [Route("/accounts/{accountId}/documents/{documentId}")] public async Task<JsonResult> DeleteAsync(string accountId, long documentId)
- 43. Open Source Go-Live! Cross-Platform
- 44. Don’t roll your own security framework Read the OAuth 2.0 Specification
- 45. Know your flows Authentication vs Authorization Leverage Claims
- 46. Build on-top of existing infrastructure Start with non-mission critical parts of the business
- 48. Please support our sponsors
- 49. To go into the draw for prizes, please remember to complete your feedback at: http://www.dddbrisbane.com/feedback No feedback = No Prizes!
- 50. @fekberg Thank you, I’m Filip Ekberg! Author. Blogger. Speaker. MS MVP. Xamarin MVP. Geek. Senior Software Engineer @
Editor's Notes
- #4: In this talk we’ll go through a lot of content that will help you build a powerful and hopefully more secure API. We’ll start off by talking about ASP.NET 5 for those of you that need to freshen your knowledge, and then we are going to discuss how we can secure this API by introducing OAuth. Of course, we will also talk about how we can consume the API in different scenarios. If you got any questions, or objections during the talk, please feel free to interrupt me!
- #5: ASP.NET 5, the hot-topic of 2015! It’s fair to say that over the past 12 months, we’ve seen so many good changes coming from Microsoft in terms of open source, hardware, frameworks and software releases that it’s really hard to keep up. ASP.NET 5 is one of these amazing things Microsoft have been working on, and they’ve done this in the open. Everything is open source and freely available on github – you can even help out if you are so inclined! If you’re coming from an earlier version of ASP.NET, a lot of it will look similar, if not the same, don’t let that fool you though, it’s completely re-written and it’s now leveraging a modular architecture that allows you to really pick and choose what parts you want to include in your software.
- #11: Show how to build an API with ASP.NET 5, include some of the fundamentals -- 15 minutes to this slide --
- #12: Now that we have an API, it lets us retrieve the data we want – how do we lock this down and make it secure? We want to avoid introducing something custom built that no one will know about, it’s much better if we can adhere to a specification, such as OAuth 2.0. While I introduced Oauth, I found myself becoming best friends with the specification, at least we had a love-hate relationship. More than once I got home from work with a bit of a headache – it’s a lot of interesting concepts and processes to keep in your head at all times! So, we now want to lock down our API by introducing a bit of security. The idea here is that we’ll use something that people consuming our API will be comfortable using. This is where OAuth comes into the picture.
- #13: Before we start talking about OAuth, security and all those really fun topics – I just want to say that I am by no means a security expert. I’m leveraging as much as possible from what industry experts have already created, and I limit the amount of customization to avoid introducing security holes. If you are working on a critical piece of software that is core to your business, it’s always worth consulting a security expert before going live and doing so on a regular basis. It’s been proven over and over again that even the largest companies with some of the smartest people in the world keep doing small mistakes that can trash their entire reputation. With that out of the way, let’s talk about how we can tighten the security of our API!
- #23: Show JWT.io
- #33: Show how to enable IdentityServer on the API that we built in the first demo. Start off with the In-Memory examples and elaborate into a customized solution