CHALERMPON AREEPONG
Microsoft MVP ASP.NET
MVCRocks.NET Community and https://fb.com/groups/mvcthaidev Founder
DevRock #01 Hello New Year 2015
CHALERMPON AREEPONG
Microsoft MVP – ASP.NET 9 Years
Agenda:
- ASP.NET Web APIs
- The ways to secure your Web APIs
- Web security scenarios
- Explain each scenario
- Demo
- How to
- Summary
Basic Understanding ASP.NET WEB APIs
- Support HTTP Content-Types
  - json, xml, plain text, ..., custom
- Client can use HTTP to access the APIs
- HTTP verbs to access resources
  - GET, POST, PUT, DELETE, etc.
- Response HTTP status codes
  - 20x, 30x, 40x, 50x
- Multiple host types
  - IIS, WAS, Windows Service, Console, ...
- Extensible and customizable
DEMO
- Web
- Mobile
- Device
- Application
- Any client sends an HTTP request
Basic Understanding Web Security
Transport Layer Security
- HTTPS protocol encryption
- Untrusted (anonymous)
- Trusted
Application Layer Security (1)
- Authentication
  - Token-based
  - Two-factor
  - Intranet (IIS Windows)
  - LDAP (Active Directory, OpenLDAP)
  - OAuth, OpenID
  - Identity services (Azure AD Service)
Application Layer Security (2)
- Authorization
  - Role-based
  - Claims-based
  - ...
Application Layer Security (3)
- Data encryption
  - Encryption algorithms
ASP.NET Web APIs architecture
Web API request pipeline (diagram text), with the concern each layer is meant for:
- HOST
- OWIN: host/framework-independent concerns, e.g. authentication
- Web API MessageHandler (global/per-route): Web API cross-cutting concerns, e.g. CORS
- Authentication Filter: Web API-specific authentication
- Authorization Filter: internal app-level authorization
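The pipeline above names one extension point per layer. As an added example (not code from the slides or from the speaker), here is a minimal Web API 2 on OWIN setup that places one concern at each point: an OWIN middleware for a host-independent concern, a global DelegatingHandler for a cross-cutting concern, an IAuthenticationFilter that only establishes who the caller is, and an [Authorize] attribute that makes the app-level access decision. The "ApiKey" scheme, its demo key, the controller and all class names are assumptions made for the illustration; the code assumes the Microsoft.Owin, Microsoft.AspNet.WebApi.Owin packages and an OWIN host.

```csharp
// Added example, not from the slides. Assumes Microsoft.Owin and Microsoft.AspNet.WebApi.Owin.
// The "ApiKey" scheme and its value are constructed for the demo.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;
using Microsoft.Owin;
using Owin;

// OWIN middleware: host/framework-independent concern. Tags every response with a request id
// that logs can be correlated on, whether or not Web API ends up handling the request.
public class RequestIdMiddleware : OwinMiddleware
{
    public RequestIdMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        context.Response.Headers.Set("X-Request-Id", Guid.NewGuid().ToString("N"));
        await Next.Invoke(context);
    }
}

// Message handler: Web API cross-cutting concern, registered globally so it runs for every route.
public class SecurityHeadersHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        response.Headers.Add("X-Content-Type-Options", "nosniff");
        return response;
    }
}

// Authentication filter: Web API-specific authentication. It turns a credential from the
// Authorization header into a ClaimsPrincipal (or records a failure); it never decides access.
public class ApiKeyAuthenticationFilter : Attribute, IAuthenticationFilter
{
    // Constructed demo credential; real code resolves keys from a credential store.
    private const string DemoApiKey = "demo-key";

    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue header = context.Request.Headers.Authorization;
        if (header == null || header.Scheme != "ApiKey")
            return Task.FromResult(0);   // no credential for this scheme: request stays anonymous

        if (header.Parameter != DemoApiKey)
        {
            // Wrong credential: fail with 401 rather than silently treating the caller as anonymous.
            context.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], context.Request);
            return Task.FromResult(0);
        }

        var identity = new ClaimsIdentity("ApiKey");
        identity.AddClaim(new Claim(ClaimTypes.Name, "service-account"));
        identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // Adds "WWW-Authenticate: ApiKey" to 401 responses so clients learn which scheme to use.
        context.ChallengeWith("ApiKey");
        return Task.FromResult(0);
    }
}

public class OrdersController : ApiController
{
    // Authorization filter: the internal app-level decision, evaluated after authentication ran.
    [Authorize(Roles = "admin")]
    [HttpGet, Route("api/orders")]
    public IHttpActionResult Get()
    {
        return Ok(new[] { "order-1", "order-2" });
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Use<RequestIdMiddleware>();                               // OWIN layer

        var config = new HttpConfiguration();
        config.MessageHandlers.Add(new SecurityHeadersHandler());     // global message handler
        config.Filters.Add(new ApiKeyAuthenticationFilter());         // global authentication filter
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);                                        // Web API with OWIN adapter
    }
}
```

Keeping the authentication filter free of access decisions is the point of the split: a request with no credential passes through it anonymously and is then rejected by [Authorize], while a request with a wrong credential is rejected by the filter itself. A GET to /api/orders with "Authorization: ApiKey demo-key" returns 200; with no header or a bad key it returns 401 with a WWW-Authenticate: ApiKey challenge.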
Hosting under IIS (diagram text, top to bottom):
- Web API with OWIN Adapter
- OWIN
- ASP.NET with OWIN Bridge
- IIS
Hosting in a custom process (diagram text, top to bottom):
- Web API with OWIN Adapter
- OWIN
- Process/Host + OWIN Bridge
- Scalability of servers:
  - Stateless
  - Centralized user info
- Loose coupling:
  - No service dependency
- Mobile friendly:
  - Just keep the token for reuse in the native mobile app.
Username / Password -> Get token
ASP.NET Web API 2.0
- Self provider
- External provider
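The three slides above (stateless servers, username/password exchanged for a token, self vs. external provider) describe the token flow without showing it. As an added example (not code from the slides or the speaker), here is a minimal "self provider" in Web API 2.0: the OWIN OAuth 2.0 authorization server issues a bearer token for a username and password via the resource-owner password grant, and every API server validates that token itself, so no session state lives on any server. The in-memory user store, the user names and passwords, the /token path and the controller are constructed for the illustration; the code assumes the Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages.

```csharp
// Added example, not from the slides. Assumes Microsoft.Owin.Security.OAuth and
// Microsoft.AspNet.WebApi.Owin. User store and credentials are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    // Constructed in-memory store. A real provider checks a centralized user service that
    // holds password hashes; that central store is what lets every API server stay stateless.
    private static readonly Dictionary<string, string> DemoUsers =
        new Dictionary<string, string> { { "alice", "correct-horse-battery-staple" } };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // A native mobile app cannot keep a client secret, so the client is treated as public
        // and the decision rests entirely on the user's credentials below.
        context.Validated();
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        string expected;
        if (!DemoUsers.TryGetValue(context.UserName, out expected) || expected != context.Password)
        {
            // One error for both unknown user and wrong password, so the reply reveals neither.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }

        // Everything the API later needs about the user travels inside the token as claims.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
        context.Validated(identity);
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Token endpoint: POST /token with grant_type=password&username=...&password=...
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new PasswordGrantProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false   // credentials and tokens only ever cross TLS
        });

        // Resource side: each API server validates the bearer token on its own, no session lookup.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

public class ProfileController : ApiController
{
    [Authorize]
    [HttpGet, Route("api/profile")]
    public IHttpActionResult Get()
    {
        // The principal was rebuilt from the bearer token; nothing was stored between requests.
        return Ok(new { name = User.Identity.Name });
    }
}
```

The mobile client posts the form once to /token, keeps the returned access_token, and sends it as "Authorization: Bearer ..." on every later call to /api/profile until it expires. One caveat for the "scalability of servers" point: with these defaults the token is protected by the host's data protection provider, so when the same app runs on several servers they must share the same protection key (under IIS, the same machineKey) or a token issued by one server will be rejected by another.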
Web API authentication and authorization