ASP.NET Web API 2 
Token Based 
Authentication 
Jeremy Brown 
jeremy@jeremysbrown.com 
@JeremySBrown 
https://github.com/JeremySBrown/AuthTokenPresentation
What this talk is about… 
• Basic Concepts of Token Based Authentication 
• Benefits of Token Authentication 
• Quick Overview of OAuth 2.0 (really quick) 
• How to use it in an ASP.NET Web API 2 Project
What is Token Authentication? 
It is the process in which a Resource Owner or 
Client is granted a token by providing their 
credentials to an Authorization Server. 
The obtained access token can then be 
presented to a Resource Server to access a 
protected resource.
Benefits of Token Authentication 
• Allows access between applications without sharing credentials 
• Supports Cross-Domain / CORS 
• Stateless 
• Decoupling 
• Mobile Ready 
• CSRF/XSRF is not an issue
Access Tokens: The Heart of OAuth 
Quick Guide to OAuth 2.0 
• Roles 
• Client Types 
• Client Profiles 
• Authorization Grant Types
OAuth 2.0 Roles 
• Resource Owner: End User 
• Resource Server: Host that accepts access tokens 
• Client: An application that needs access to a protected Resource 
• Authorization Server: Issues token to authenticated owner 
Note: 
Typically, an ASP.NET Web API project functions as both the Authorization Server and the 
Resource Server
OAuth 2.0 Client Types & Profiles 
• Confidential Clients 
• Web Applications (Server Side Only) 
• Public Clients 
• User Agent Based Applications (JQuery, SPAs, Silverlight, Flash) 
• Native Applications (Mobile, Desktop Applications)
OAuth 2.0 Authorization Grant Types 
• Resource Owner Password 
• Client Credentials 
• Authorization Code 
• Implicit 
• Refresh Token
Development Options 
• OWIN – Open Web Interface for .NET 
• Middleware components for OAuth and CORS 
• http://owin.org 
• DotNetOpenAuth 
• C# implementation of the OpenID, OAuth and InfoCard protocols 
• http://dotnetopenauth.net
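The OWIN OAuth middleware from the Development Options slide, wired into a single Web API 2 project that plays both roles from the Roles slide: the Authorization Server (issuing tokens at /token via the Resource Owner Password grant) and the Resource Server (validating bearer tokens on every request). This is an added example, not code from the presentation or its repository; it assumes the Microsoft.Owin.Security.OAuth and ASP.NET Identity (Entity Framework) packages, an IdentityDbContext backed by the default "DefaultConnection" string, and that the OWIN host discovers the Startup class (by convention or an OwinStartup attribute).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Authorization Server role: POST /token with grant_type=password issues an access token.
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new PasswordGrantProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false // a bearer token is a credential: issue it over HTTPS only
        });
        // Resource Server role: validate "Authorization: Bearer <token>" so [Authorize] sees the identity.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Public clients (SPA, mobile) cannot keep a client_secret; a confidential client would be
        // verified here with context.TryGetBasicCredentials(...) before calling Validated().
        context.Validated();
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Hypothetical user store: ASP.NET Identity over the default IdentityDbContext ("DefaultConnection").
        using (var users = new UserManager<IdentityUser>(new UserStore<IdentityUser>(new IdentityDbContext())))
        {
            var user = await users.FindAsync(context.UserName, context.Password);
            if (user == null)
            {
                // One error for unknown user and wrong password, so the endpoint does not reveal which failed.
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
            context.Validated(await users.CreateIdentityAsync(user, context.Options.AuthenticationType));
        }
    }
}
```

The password grant suits the first-party clients the slides describe; third-party clients should use the Authorization Code grant so the user's credentials never pass through the client.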
Contact Information 
• jeremy@jeremysbrown.com 
• https://github.com/JeremySBrown/AuthTokenPresentation 
• @JeremySBrown
Editor's Notes

  1. Not about Identity Management
  2. CORS: Cross-Origin Resource Sharing. Browser support is limited: http://caniuse.com/cors
  3. OAuth 2.0 is a specification that defines how a client requests access tokens from authorization servers and presents those tokens to resource servers to access protected resources.
  4. The first four are the primary. OAuth built in extensibility to define other grant types.
  5. OWIN defines a standard interface between .NET web servers and web applications. The goal of the OWIN interface is to decouple server and application, encourage the development of simple modules for .NET web development, and, by being an open standard, stimulate the open source ecosystem of .NET web development tools.