Using OAuth to Secure Your ASP.NET API

Learn how to use ASP.NET and OAuth together to build a world-class, secure, and high-quality API. You'll cover bad examples of ASP.NET API, approaches with third-party applications, different OAuth flows, Identity Server, and more.
Course info
Rating: (166)
Level: Intermediate
Updated: Apr 7, 2016
Duration: 3h 52m
Table of contents
Overview
Working with OAuth
Securing the API
Using the Implicit and Authorization Code Flow
Using the Resource Owner Password Flow
Customizing IdentityServer
Description

How do you build a powerful and secure API using ASP.NET? In this course, Using OAuth to Secure Your ASP.NET API, you'll learn how to use ASP.NET and OAuth together to create an API that is highly secure and well-built. You'll start off by looking at an insecure and badly-designed ASP.NET API, talking about how to approach this API from third party applications, and also how to consume this API internally. You will then examine the benefits of choosing different OAuth flows for different scenarios. Finally, you'll see how you can use IdentityServer to protect your API. At the end of this course, you'll have the skills you need to be able to build APIs that are a lot more secure.

About the author

Filip is an enthusiastic developer who strives to learn something new every day. His greatest passion is programming, and ever since Filip was a little boy he has always strived to master it. All his community contributions have made Filip a Microsoft Visual C# MVP and a DZone Most-Valuable Blogger.

More from the author
Play by Play: Xamarin Mobile Development (Intermediate, 1h 17m, Mar 17, 2017)
Section Introduction Transcripts

Overview
Are you puzzled by how to build secure APIs and how to make it easier for third parties or people within your business to work with your APIs? Don't worry. In this course, we'll talk about how to pretty much make anyone capable of working with your API in a secure manner. My name is Filip Ekberg, and I want to welcome you to this course on Using OAuth to Secure Your ASP.NET API. In this first module, we'll get an overview of what we are going to learn in this course. We'll cover some of the basics that we need to know before going forward securing our APIs. We're also going to take a look at the API that we are going to use throughout the course. This API is something that we're going to apply better security practices to, to make it easier for both internal and external people to work with.

Working with OAuth
Hi! This is Filip Ekberg, and you're watching Using OAuth to Secure Your ASP.NET API. After completing this module, you'll have a very good understanding of everything that you need to know in order for us to start working with OAuth. We'll discuss everything that we need to know in order for us to understand the basic principles of applying OAuth to a normal website or an API. We'll discuss how adding OAuth, also commonly known as the authorization server, compares to our bad API security that we saw in the previous module. And we'll talk about how the API is going to change and how the consumers of the API will have to change as well. Adding an authorization server to the mix means that we have a lot of capabilities for the future, and this is certainly something that we'll discuss throughout this module and throughout the rest of the course. We'll also discuss how we can inspect and validate the access tokens. And we'll talk about how the access tokens make it a lot better for the end user to work with your website or invoke your API. We'll also discuss where external logins, such as using Google, Twitter, Facebook, and others out there, fit into the bigger picture of us introducing an authorization server. We'll discuss the benefits of using Twitter, Facebook, Google and others as the only thing that's protecting our API versus just having that as an addition. And, of course, we'll also talk about how this changes for the third parties that are working with our APIs. Because even if it makes it easier for our own developers and our own teams to work with our APIs, it's a fact that it's also making it a lot easier for third parties to consume our APIs.

Securing the API
Hi! This is Filip Ekberg, and you're watching Using OAuth to Secure Your ASP.NET API. In this module, we're finally going to look at how we can secure our API. So far we've spent time understanding what OAuth and OpenID Connect are, and now it's finally time to put that into practice. The first thing that we'll have to do is to introduce the authorization server. We have the resources, also known as our APIs. And now we want these APIs to leverage an authorization server that is using OAuth 2.0, as well as OpenID Connect. So our job now is to introduce this authorization server and then look at how we can leverage this from the APIs.

Using the Implicit and Authorization Code Flow
Hi! This is Filip Ekberg. You're watching Using OAuth to Secure Your ASP.NET API. In this module, we'll be looking at using the implicit and authorization code flows in order for us to consume our now-protected API. We'll be using these two different flows in order for us to retrieve an access token from our authorization server so that we can consume our now-private resources.

Using the Resource Owner Password Flow
Hi! This is Filip Ekberg, and you're watching Using OAuth to Secure Your ASP.NET API. In this module, we'll be talking about using the resource owner password flow. We've seen how we can set up the authorization server, as well as securing our API and consuming the API from different types of web applications using the implicit, as well as the authorization code flows. Now let's take a look at applications that are leveraging the username and password directly to consume our authorization server, as well as our API.

Customizing IdentityServer
Hi! This is Filip Ekberg, and you're watching Using OAuth to Secure Your ASP.NET API. In this module, we'll be talking about customizing IdentityServer. We'll be looking at moving away from the in-memory stores to get our things into persistent storage, as well as getting our own nice-looking field to our different screens throughout the authorization server.