Marc Mercuri, Ulrich Homann
Building Secure, Composable Services with OAuth and OData
ARC303
Presented in 2013
Session objectives:
• Provide an understanding of why interoperable services are important
• Deliver information on and demos showing OData in action
• Deliver information on and demos showing OAuth in action
Session Objectives And Takeaways
Ok, so suppose we go ‘all in’ on cloud… We buy SaaS by default and build only what we need… what are you doing to make sure these services can talk to one another?
- Big Customer
This is the future
Wanted to extend functionality:
• Insertion of TripIt travel itineraries into online calendars
• Detection of new travel itineraries directly from the user’s email inbox
• Automated publishing of travel details to social networks
• Integration of travel dates and trip segments into corporate expense reporting
Integration:
• TripIt acts as a web services client to some of the APIs
• TripIt makes itineraries available to other services via its APIs
• Users need control over access
• Users don’t want to hand their credentials for 3rd party services to TripIt
Types of services you might compose
Types of devices you’ll consume them from
Identity store
Systems
Architectures need to understand and incorporate the need to flow identity and data across a diversity of devices and services
Composition with Open Standards
OData in 1 slide
• URL conventions: collections, keys, filtering, sorting, paging, etc.
• Representation for structured data: JSON and Atom/XML formats, pointers to unstructured data
• Operations: GET, POST, PUT/PATCH, DELETE have well-established semantics
• Description: service description in terms of structure, interaction and metadata in general
• Types
  • Defines structure of resources, “entity type” and “complex type” in EDM
  • Entity types can inherit structure from a base type
  • Can include pointers to other items and to unstructured content
• Collections
  • A resource that contains a set of other resources, “entity set” in EDM
• Actions
  • Expose behavior other than CRUD
  • Top-level, or attached to collections or individual resources
Core Modeling Tools
Libraries for serving and consuming OData
• Mobile dev: WP7, Android, iOS
• App dev: Silverlight, .NET, JavaScript, Java, PHP, Ruby
• Web CMS: Joomla, Drupal
• Custom servers: .NET servers, Java, PHP, node.js
• Cloud applications: App Engine, Azure
• Databases: SQL Server, MySQL, Azure Data
Implementation options
• WCF Data Services: works best for thin layers over databases/LINQ providers; covers most of the OData protocol
• ASP.NET Web API: works best if you don’t have an IQueryable and/or if you have lots of business logic; easier to separate the service interface from the domain model/storage model; covers only parts of OData (core functionality in place, more to come soon)
• ODataLib: lowest-level library, lots of control but lots of work; covers most of the OData protocol, metadata driven; use only if WCF DS/Web API doesn’t meet your needs
• Custom: please try not to go there :)
```csharp
public HttpResponseMessage Post(Account a)
{
    // Your code here
}
```
ASP.NET web API
• Have your service expose metadata
  • Used for tooling, discovery, code-gen
  • Think about scope, change rate
  • You can add your own annotations to
• Naming convention
  • Types in PascalCase, members in camelCase
  • Must start with a letter, may contain only letters and numbers
• WCF Data Services: it just works
• Web API: it just works
Metadata
• OData describes a broad set of query capabilities
• No need to support it all, pick up what you need
• WCF Data Services
  • Translates everything into a LINQ expression tree, up to providers to handle
  • Built-in Entity Framework/Reflection providers support all options
• Web API
  • Translate to LINQ or directly process the high-level query expression tree
  • Good coverage; more added in the Dec release (e.g. $select, $expand)
Query Capabilities
OData – query options
• Large collections: return partial results and use “next links”
• WCF Data Services
  • Set up server-driven paging for automatic support
  • Implement IDataServicePagingProvider for more control
• Web API
  • Automatic support via attributes, e.g. [Queryable(ResultLimit=100)]
  • Use ODataQueryOptions + ODataResult<T> for more control
Interaction - Retrieval
Demo
OData, Netflix, and Excel
• Create, update, delete operations
  • POST, DELETE add/delete stuff from collections
  • Include a Location header in POST responses if you create a resource
  • PUT is a full replace, PATCH a partial update, and PATCH versions better
  • Support the “Prefer” header to let clients opt in/out of response bodies
  • Use ETags for concurrency control
• WCF Data Services
  • Just works with Entity Framework
  • Implement IDataServiceUpdateProvider2 for others
  • Add business logic via interceptors
• Web API
  • Helper base controller makes it easy
  • Easy to add business logic directly in controllers
Interaction - CUD
Prefer header

```http
POST /svc/Contacts
{ "FirstName": "Pablo", "LastName": "Castro" }

201 Created
Location: http://.../svc/Contacts(123)
{ "ID": 123, "FirstName": "Pablo", "LastName": "Castro" }

POST /svc/Contacts
Prefer: return-no-content
{ "FirstName": "Pablo", "LastName": "Castro" }

204 No Content
Location: http://.../svc/Contacts(123)
Preference-Applied: return-no-content
```
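The exchange above and the CUD conventions it illustrates (Location on create, the Prefer preference, ETag-guarded PATCH), as an added Python model written for this page rather than code from the deck or from WCF Data Services/Web API; BASE_URL, the in-memory store and the weak-ETag scheme are assumptions.

```python
# Added example (not from the deck): in-memory model of an OData-style
# Contacts collection following the conventions above: Location header on
# create, "Prefer: return-no-content", and ETag-checked PATCH.
import hashlib
import json

BASE_URL = "http://host.example/svc"   # placeholder service root
_contacts = {}                          # id -> entity (constructed store)
_next_id = [123]                        # first key matches the slide


def etag_for(entity):
    # Weak ETag derived from the canonical JSON form of the entity
    raw = json.dumps(entity, sort_keys=True).encode()
    return 'W/"%s"' % hashlib.sha256(raw).hexdigest()[:16]


def post_contact(body, headers=None):
    """POST /svc/Contacts -> (status, response headers, body or None)."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    cid = _next_id[0]
    _next_id[0] += 1
    entity = {"ID": cid, **body}
    _contacts[cid] = entity
    resp = {"Location": "%s/Contacts(%d)" % (BASE_URL, cid),
            "ETag": etag_for(entity)}
    if hdrs.get("prefer") == "return-no-content":
        resp["Preference-Applied"] = "return-no-content"
        return 204, resp, None
    return 201, resp, entity


def patch_contact(cid, changes, headers=None):
    """PATCH /svc/Contacts(cid): partial update guarded by If-Match."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    entity = _contacts.get(cid)
    if entity is None:
        return 404, {}, None
    if_match = hdrs.get("if-match")
    if if_match is None:
        return 428, {}, None            # Precondition Required: no ETag sent
    if if_match != "*" and if_match != etag_for(entity):
        return 412, {}, None            # Precondition Failed: lost update blocked
    entity.update(changes)
    return 204, {"ETag": etag_for(entity)}, None
```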
Support in SharePoint 2013
SharePoint 2013 Remote API Architecture (diagram: _api and _vti_bin/client.svc endpoints; JavaScript library, Silverlight library, .NET CLR library)
REST URLs in SharePoint 2013
• REST URLs can go through the _api folder
• Simplifies URL construction
• Removes the client.svc file name from the URL
You can replace this URL: http://wingtipserver/_vti_bin/client.svc/web
with this URL: http://wingtipserver/_api/web
Mapping objects to resources. Example REST URLs targeting SharePoint sites:
• _api/web/lists
• _api/web/lists/getByTitle('Announcements')
• _api/web/getAvailableWebTemplates(lcid=1033)
REST query from managed code. Tips for making REST calls from managed code:
• Use the HttpWebRequest and HttpWebResponse objects
• Query XML using XDocument.Descendants
• Or use JSON and the JavaScriptSerializer object
REST query using JavaScript & jQuery
Testing REST Calls Through the Browser
Azure AD Directory Graph API: RESTful programmatic access to the directory
• Objects such as users, groups, roles, licenses
• Relationships such as member, memberOf, manager, directReport
Requests use standard HTTP methods
• POST, GET, PATCH, DELETE to create, read, update, and delete
• Response in XML or JSON; standard HTTP status codes
• Compatible with OData 3.0
• OAuth 2.0 for authentication
• Role-based assignment for application and user authorization
Example Directory Graph call. Request: https://directory.windows.net/contoso.com/Users('[email protected]')
```json
{
  "d": {
    "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/Manager" },
    "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/MemberOf" },
    "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectType": "User",
    "AccountEnabled": true,
    "DisplayName": "Ed Blanton",
    "GivenName": "Ed",
    "Surname": "Blanton",
    "UserPrincipalName": "[email protected]",
    "Mail": "[email protected]",
    "JobTitle": "Vice President",
    "Department": "Operations",
    "TelephoneNumber": "4258828080",
    "Mobile": "2069417891",
    "StreetAddress": "One Main Street",
    "PhysicalDeliveryOfficeName": "Building 2",
    "City": "Redmond",
    "State": "WA",
    "Country": "US",
    "PostalCode": "98007"
  }
}
```
FAQs
• Scope: OData seems to cover quite a bit; do I need to implement the whole thing?
• Standards: I need to support a known or industry standard protocol. Isn’t that in conflict with the guidelines, which require OData support?
• Advertising: how do I advertise API versions?
• URL differences: there seem to be some differences in URLs with other OData services; is that the case?
What is it?
• An open protocol to allow secure authorization in a simple and standard method from web, mobile, and desktop applications
• For service providers, OAuth gives users access to their data while protecting their account credentials
• For service consumers, OAuth is a simple way to publish and interact with protected data
What we’ll look at today: terminology, client profiles, OAuth flow types, consuming OAuth-secured services, demos
Terminology: resource owner, client, resource server, authorization server, access token, refresh token
Client profiles: server-side web application, client-side application running in a web browser, native application
Authorization flows: authorization code, implicit grant for browser-based client-side applications, resource owner password-based grant, client credentials
Outside the core spec (but important): device profile, SAML bearer assertion profile
Authorization code flow. When to use:
• Long-lived access is required
• OAuth client is a web application server
• Accountability for API calls is very important
Authorization code flow (flow diagram; steps A to E)
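The authorization code flow above, modelled in Python with both sides' messages and the checks that make it fit for long-lived, accountable access: the redirect_uri must match the registration, the client binds a per-session state value to the round trip, and codes are single-use and short-lived and are exchanged over the back channel with the client secret. This is an added example written for this page, not the deck's or any library's code; the client id, secret, endpoints and scope are constructed values.

```python
# Added example (not from the deck): a self-contained model of the
# authorization code flow with the checks each side performs. The client id,
# secret, endpoints and scope are constructed sample values.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT = {"client_id": "travel-web-app", "secret": "sample-secret",
          "redirect_uri": "https://client.example/oauth/callback"}


class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> (redirect_uri, user, expiry); each code is single use
    def authorize(self, request_url, user):
        # Steps A/B: the user approves; the server redirects back with code + echoed state
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if q.get("client_id") != CLIENT["client_id"] or q.get("redirect_uri") != CLIENT["redirect_uri"]:
            raise ValueError("client_id/redirect_uri do not match registration")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["redirect_uri"], user, time.time() + 60)   # 60 s lifetime
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
    def token(self, form):
        # Step D: back-channel exchange; the code must be fresh, unused and bound to the client
        entry = self.codes.pop(form.get("code"), None)
        if entry is None or entry[2] < time.time():
            return {"error": "invalid_grant"}
        if form.get("client_secret") != CLIENT["secret"] or form.get("redirect_uri") != entry[0]:
            return {"error": "invalid_client"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": 3600, "sub": entry[1]}   # sub: whose behalf API calls are made on


class WebAppClient:
    def __init__(self, server):
        self.server = server
        self.pending = set()   # outstanding state values (kept per user session in practice)
    def start(self):
        # Step A: send the browser to the authorization endpoint with a fresh, unguessable state
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT["client_id"],
            "redirect_uri": CLIENT["redirect_uri"], "scope": "itinerary.read", "state": state})
    def callback(self, redirect_url):
        # Step C: a callback whose state this session never issued is dropped before any exchange
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if q.get("state") not in self.pending:
            return {"error": "state_mismatch"}
        self.pending.discard(q["state"])
        return self.server.token({"grant_type": "authorization_code", "code": q.get("code"),
                                  "redirect_uri": CLIENT["redirect_uri"],
                                  "client_id": CLIENT["client_id"], "client_secret": CLIENT["secret"]})
```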
Implicit grant flow. When to use:
• Temporary access to data is required
• User is regularly logged in to the API provider
• OAuth client is running in the browser (JavaScript, Silverlight, Flash, etc.)
• Browser is strongly trusted, with limited concern that the access token will leak
Implicit grant flow (flow diagram; steps A to D)
Resource owner password flow. When to use:
• Temporary access to data is required
• User is regularly logged in to the API provider
• OAuth client is running in the browser (JavaScript, Silverlight, Flash, etc.)
• Browser is strongly trusted, with limited concern that the access token will leak
Resource owner password flow (flow diagram; steps A to C)
Client credentials flow. When to use:
• Temporary access to data is required
• User is regularly logged in to the API provider
• OAuth client is running in the browser (JavaScript, Silverlight, Flash, etc.)
• Browser is strongly trusted, with limited concern that the access token will leak
Client credentials flow (flow diagram; steps A to B)
Device profile flow. When to use:
• Temporary access to data is required
• User is regularly logged in to the API provider
• OAuth client is running in the browser (JavaScript, Silverlight, Flash, etc.)
• Browser is strongly trusted, with limited concern that the access token will leak
Device profile flow (flow diagram; steps A to F)
Associating Users and Apps with Devices
OAuth Protocol Flow in Office 365 (diagram: SharePoint 2013 content server, end user, client app, authentication server; numbered steps 1 to 10)
Recap - composite clients and services
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Updates and the form digest
• Updates using REST require the form digest
• Special value created using cryptography
• Used to protect against replay attacks
• SharePoint pages include a control that contains the form digest
• Web service clients must acquire the form digest separately
• The form digest can be acquired through http://<site_url>/_api/contextinfo
Adding an item
Deleting an item
Updating an item
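How a web service client handles the form digest for the add, update and delete calls above, as an added example written for this page (not code from the deck or SharePoint): parse the /_api/contextinfo reply, cache the digest for less than FormDigestTimeoutSeconds, and send it in X-RequestDigest, with X-HTTP-Method and IF-MATCH for MERGE and DELETE. The sample reply is constructed; FormDigestCache is an assumed helper.

```python
# Added example (not from the deck): client-side helper that reads the JSON
# returned by POST /_api/contextinfo, caches the form digest until it expires,
# and builds the headers an add (POST), update (MERGE) or delete needs.
# SAMPLE_CONTEXTINFO is a constructed reply shaped like the verbose-JSON response.
import json
import time

SAMPLE_CONTEXTINFO = json.dumps({"d": {"GetContextWebInformation": {
    "FormDigestTimeoutSeconds": 1800,
    "FormDigestValue": "0xSAMPLEDIGEST,31 Dec 2013 00:00:00 -0000",   # placeholder value
    "WebFullUrl": "http://wingtipserver"}}})


class FormDigestCache:
    def __init__(self, now=time.time, margin=60):
        self.now, self.margin = now, margin   # margin: renew before the server timeout
        self.value, self.expires_at = None, 0.0

    def refresh(self, contextinfo_json):
        """Store the digest from a contextinfo reply and return it."""
        info = json.loads(contextinfo_json)["d"]["GetContextWebInformation"]
        self.value = info["FormDigestValue"]
        self.expires_at = self.now() + info["FormDigestTimeoutSeconds"] - self.margin
        return self.value

    def current(self):
        """Digest if still valid, else None: caller must POST /_api/contextinfo again."""
        if self.value is None or self.now() >= self.expires_at:
            return None
        return self.value


def write_headers(digest, method="POST", etag=None):
    """Headers for a list-item write; SharePoint rejects writes without the digest."""
    if digest is None:
        raise ValueError("form digest missing or expired; re-acquire it first")
    headers = {"Accept": "application/json;odata=verbose",
               "Content-Type": "application/json;odata=verbose",
               "X-RequestDigest": digest}
    if method in ("MERGE", "DELETE"):
        # Updates and deletes tunnel through POST with X-HTTP-Method; IF-MATCH
        # carries the item's ETag, or "*" to overwrite regardless of version.
        headers["X-HTTP-Method"] = method
        headers["IF-MATCH"] = etag or "*"
    return headers
```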
Changes in SharePoint 2013
• client.svc extended with REST capabilities
• client.svc now supports direct access from REST clients
• client.svc accepts HTTP GET, PUT, POST requests
• Implemented in accordance with the OData protocol
CSOM extended with new APIs
• New APIs for SharePoint Server functionality
• New API for Windows Phone applications
Security problems in SharePoint 2010
• Code in farm solutions considered fully trusted
  • By default, code runs with permissions of the current user
  • Developer can call SPSecurity.RunWithElevatedPrivileges
    • Code runs as the all-powerful SHAREPOINT\SYSTEM account
    • Code reverts to the Windows identity of the host application pool
• Sandbox solution code runs as the current user
  • Code always runs with permissions of the current user
  • Activation code runs as site administrator
  • No ability to elevate permissions if the user is a visitor
Authentication in SharePoint 2013
• Authentication flow in SharePoint 2013
  • User authentication stays the same with standard sites
  • In calls to the app web, app authentication occurs internally
  • External authentication is used for calls from the remote web
  • Call context can contain both user and app identity
• Requirements for establishing app identity
  • Host web application must be claims-based
  • Incoming calls must target CSOM/REST endpoints
  • Supported CSOM/REST endpoints are not extensible
App permissions
• Apps are granted permissions
• App permissions are different from user permissions
  • App permissions are granted as all or nothing
  • App permissions have no permissions hierarchy; this is different from user permissions, which have a hierarchy inside a site collection
• An app has default permissions
  • App has full control over its app web but no other default permissions
  • App can include permission requests in the application manifest
  • Installing user grants/denies permissions during installation
  • If the permission request is denied, SharePoint does not install the app
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.