Web API v2 Security

Implementing Authentication and Authorization in ASP.NET Web API v2.
Course info
Rating: (918)
Level: Intermediate
Updated: Apr 12, 2014
Duration: 6h 12m
Table of contents
Overview
HTTP Security Primer
ASP.NET Web API Security Architecture
Classic Authentication and Katana Authentication Middleware
JavaScript and Browser-based Clients
Token-based Authentication - Part 1
Token-based Authentication - Part 2
Authorization
Description

The main feature focus of ASP.NET Web API v2 was security. There's a brand new authentication system and support for popular authentication methods, like OAuth2 tokens, that is already built-in. Additionally, it is now much easier to use Web APIs from JavaScript clients and the new security extensibility gives you powerful features to integrate your APIs in arbitrary security systems.

About the author

Dominick works as an associate consultant for the Germany-based company thinktecture. His main area of focus is security in general and identity & access control in particular.

Section Introduction Transcripts

Overview
Hi, and welcome to Securing ASP.NET Web API v2. In this course, I want to give you all the information you need to successfully implement authentication and authorization in your Web APIs. Now in Web API v2 there are a lot of new things to discover. Many things have changed from version 1 where in version security was mainly based on hosting-specific features, in version 2 there's a completely new hosting infrastructure, completely new authentication infrastructure, and a lot of options around authorization. Now there are two paths you can take through this course. First, there's module #2, which deals with all the basics around HTTP, transport security, SSL, the HTTP authentication framework, how to set up your development environment to use transport security from day 1 in all these things. So that is recommended to have a look because SSL, or transport security in general, is really, really important when building HTTP-based applications. And then, when you're, like, on a greenfield scenario, the fast track is basically module #3, 6, and 7 where we basically talk through the main design goals and changes in Web API v2, which is about the new security architecture, token-based authentication and dual authorization based on claims. If you want to know more on how the inner workings of this new security architecture works, then there are two additional modules. One is module #4 where we talk about the thing called the Katana Authentication middleware and we build two middlewares to implement features that are not part of the standard Web API v2 box. And module #5 talks about specific things that you need to know if your clients that talk to your Web APIs are browser-based or JavaScript-based clients and many of the conclusions of the problems you have in that browser-based world, again, lead to module #6 where token-based authentication fixes many of the problems.
Also in module #5, you'll learn about CORS, which is a new feature in the Web API v2, that allows to do cross-domain communication from JavaScript.

HTTP Security Primer
In this very first module, I want to give you an overview of the essential things you have to know to secure your HTTP-based applications. This is basically divided in two parts. The first part is about transport securities or how do you secure the bits and bytes going over the wire, and the second part is about the, so called, HTTP authentication framework that's how you transmit user credentials. And as an appendix I have a list of APIs and tools and resources like further reading resources that you might be interested when you want to, you know, learn more about the topic.

ASP.NET Web API Security Architecture
Web API version 1 didn't have any real security features. It mostly relied on security provided by the host, mostly IIS. Now the big theme in version 2 of Web API and also this thing called project Katana, which goes along with Web API version 2, was security. So in version 2 we can really talk about something like a security architecture in Web API. And my intention for this module is to give you an overview of the architecture and show you all the various extensibility points that you can use to do security-related things. So I want to go over them one by one starting with the hosting layout, all the way down to pipeline to authorization filters. What has also changed in Web API version 2 is how you access the client identity. There were various ways to do that in version 1 and now there's a new unified and recommended way in version 2 and so we're going to have a look at all these things.

JavaScript and Browser-based Clients
In this module, I want to talk about the things you need to know when you want to connect browser-based clients to your Web APIs. They are typically written in JavaScript and they adhere to certain rules which are imposed by the browser. One of them is called the Same Origin Policy, which is basically a sandboxing mechanism that affects how the browser does things, for example, communication or script execution. The next thing we need to talk about is a common pattern that people use to mix web UI with Web APIs often used in, you know, in this type of AJAX or SPA applications called Implicit Browser Authentication. And there are some advantages here, but also some disadvantages that you need to be aware of. There's a certain type of attack that is a result of using the Implicit Browser Authentication features, which is called Cross Site Request Forgery. We'll have a look at that and how to mitigate that. And we want to conclude with a new W3C standard that allows to do cross-origin, cross-domain communication in the browser, which wasn't easily possible before.

Authorization
Now we've spent quite some time talking about how a user can authenticate, and how a client can authenticate, and how to request access tokens or request access in general to a Web API. Now, frankly, the hardest part is still to tackle and that's what happens after we get access to the API and now we want to do authorization based on the user's identity or the client's identity. Now this is hard because I can't give you any good guidance here because that is so specific to the application you are building. You know, sometimes you're doing something based on roles, sometimes, you know, you have something like permissions, others use role-level security in databases or have a multi-tenancy model, and depending on all of these details you would take different approaches to authorization. Nevertheless, there are some mechanisms and some good practices in Web API that help you build your authorization infrastructure. So I first want to look at client vs user authorization, what's the point here. Then I want to look at this thing called authorization filters and their corresponding attributes. And then spend a little bit more time on basically custom authorization logic, which is probably the thing that you'll, you know, invest the most code.