1. ASP.NET Web API 2
Token Based
Authentication
Jeremy Brown
jeremy@jeremysbrown.com
@JeremySBrown
https://github.com/JeremySBrown/AuthTokenPresentation
2. What this talk is about…
• Basic Concepts of Token Based Authentication
• Benefits of Token Authentication
• Quick Overview of OAuth 2.0 (really quick)
• How to use it in an ASP.NET Web API 2 Project
3. What is Token Authentication?
It is the process by which a Resource Owner or
Client is granted a token by providing their
credentials to an Authorization Server.
The obtained access token can then be
presented to a Resource Server to access a
protected resource.
4. Benefits of Token Authentication
• Allows access between applications without sharing credentials
• Supports Cross-Domain / CORS
• Stateless
• Decoupling
• Mobile Ready
• CSRF/XSRF is not an issue
5. Access Tokens: The Heart of OAuth
Quick Guide to OAuth 2.0
• Roles
• Client Types
• Client Profiles
• Authorization Grant Types
6. OAuth 2.0 Roles
• Resource Owner: End User
• Resource Server: Host that accepts access tokens
• Client: An application that needs access to a protected Resource
• Authorization Server: Issues token to authenticated owner
Note:
Typically, an ASP.NET Web API project functions as both the Authorization Server and
the Resource Server.
7. OAuth 2.0 Client Types & Profiles
• Confidential Clients
• Web Applications (Server Side Only)
• Public Clients
• User Agent Based Applications (jQuery, SPAs, Silverlight, Flash)
• Native Applications (Mobile, Desktop Applications)
9. Development Options
• OWIN – Open Web Interface for .NET
• Middleware components for OAuth and CORS
• http://owin.org
• DotNetOpenAuth
• C# implementation of the OpenID, OAuth and InfoCard protocols
• http://dotnetopenauth.net
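The following is an added example, not code from the presentation or from its GitHub repository. It shows the OWIN route described above: one ASP.NET Web API 2 project acting as both the Authorization Server (issuing tokens at /token to a Resource Owner who presents credentials) and the Resource Server (accepting the bearer token on a protected controller), with the CORS middleware in front so a public, browser-based client can reach it. The namespace TokenAuthDemo, the provider class, the controller and the in-memory user table are all constructed for the example; the OWIN types come from the Microsoft.Owin.Security.OAuth, Microsoft.Owin.Cors and Microsoft.AspNet.WebApi.Owin packages.

```csharp
// Added example (not from the presentation or its repository): an OWIN Startup
// that makes one ASP.NET Web API 2 project act as both Authorization Server
// (issues tokens at /token) and Resource Server (accepts bearer tokens).
// Assumes the NuGet packages Microsoft.Owin.Security.OAuth, Microsoft.Owin.Cors
// and Microsoft.AspNet.WebApi.Owin; the user lookup is a constructed stand-in.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(TokenAuthDemo.Startup))]

namespace TokenAuthDemo
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // CORS first, so the token endpoint and the API are reachable from
            // a browser-based (public) client hosted on another origin.
            app.UseCors(CorsOptions.AllowAll);

            // Authorization Server role: issues access tokens at /token.
            var serverOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/token"),
                Provider = new DemoAuthorizationServerProvider(),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
                // Credentials and tokens travel in the clear without TLS;
                // only a local dev setup would set this to true.
                AllowInsecureHttp = false
            };
            app.UseOAuthAuthorizationServer(serverOptions);

            // Resource Server role: validates "Authorization: Bearer <token>" on
            // every request so that [Authorize] on controllers works.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    // Implements the resource owner password credentials grant: the client
    // POSTs grant_type=password&username=...&password=... to /token.
    public class DemoAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        // Constructed stand-in for a real user store. A real store holds
        // password hashes and verifies against them, never plaintext.
        private static readonly Dictionary<string, string> Users =
            new Dictionary<string, string> { { "alice", "correct horse battery staple" } };

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // Public clients (SPAs, mobile apps) cannot keep a client secret,
            // so only the resource owner's credentials are checked, below.
            context.Validated();
            return Task.FromResult<object>(null);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            string stored;
            if (!Users.TryGetValue(context.UserName, out stored) || stored != context.Password)
            {
                // Standard OAuth 2.0 error code; the same message for an unknown
                // user and a wrong password avoids leaking which one failed.
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return Task.FromResult<object>(null);
            }

            // The claims identity is protected by the middleware and becomes the token.
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
            context.Validated(identity);
            return Task.FromResult<object>(null);
        }
    }

    // Protected resource: reachable only with a valid, unexpired bearer token.
    [Authorize]
    [RoutePrefix("api/profile")]
    public class ProfileController : ApiController
    {
        [Route("")]
        public IHttpActionResult Get()
        {
            return Ok(new { name = User.Identity.Name });
        }
    }
}
```

The exchange this produces is the one the "What is Token Authentication?" slide describes: the client POSTs a form body `grant_type=password&username=alice&password=...` to `/token` and, if the grant succeeds, receives JSON containing `access_token`, `token_type` (`bearer`) and `expires_in`; it then calls `GET /api/profile` with `Authorization: Bearer <access_token>`. No cookie is involved, which is why the CSRF point on the benefits slide holds, and the server keeps no session, which is the "stateless" point; the expiry set in `AccessTokenExpireTimeSpan` is what bounds the damage if a token leaks.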
10. Contact Information
• jeremy@jeremysbrown.com
• https://github.com/JeremySBrown/AuthTokenPresentation
• @JeremySBrown
OAuth 2.0 is a specification that defines how a client:
• Requests access tokens from authorization servers
• Presents tokens to resource servers to access protected resources
The first four are the primary grant types. OAuth 2.0 has built-in extensibility for defining other grant types.
OWIN defines a standard interface between .NET web servers and web applications.
The goal of the OWIN interface is to decouple server and application, encourage the development of simple modules for .NET web development, and, by being an open standard, stimulate the open source ecosystem of .NET web development tools.