MICROSOFT CONFIDENTIAL – INTERNA Marc Mercuri Ulrich Homann Building Secure, Composable Services with OAuth and OData ARC303 Presented in 2013


Page 1: Building Secure Composable Services with Oauth and Odata

Marc Mercuri, Ulrich Homann

Building Secure, Composable Services with OAuth and OData

ARC303

Presented in 2013

Page 2: Building Secure Composable Services with Oauth and Odata

Session Objective(s):
• Provide an understanding of why interoperable services are important
• Deliver information on and demos showing OData in action
• Deliver information on and demos showing OAuth in action

Session Objectives And Takeaways

Page 3: Building Secure Composable Services with Oauth and Odata

Ok, so suppose we go ‘all in’ on cloud… We buy SaaS by default and build only what we need… what are you doing to make sure these services can talk to one another?

- Big Customer

Page 4: Building Secure Composable Services with Oauth and Odata
Page 5: Building Secure Composable Services with Oauth and Odata
Page 6: Building Secure Composable Services with Oauth and Odata

This is the future

Wanted to extend functionality:
• Insertion of TripIt travel itineraries into online calendars
• Detection of new travel itineraries directly from the user's email inbox
• Automated publishing of travel details to social networks
• Integration of travel dates and trip segments into corporate expense reporting

Integration:
• TripIt acts as a web services client to some of the APIs
• TripIt makes itineraries available to other services via its APIs
• Users need control over access
• Users don't want to provide user credentials for 3rd-party services to TripIt

Page 7: Building Secure Composable Services with Oauth and Odata

Types of services you might compose

Page 8: Building Secure Composable Services with Oauth and Odata

Types of devices you’ll consume them from

Page 9: Building Secure Composable Services with Oauth and Odata

Identity store

Systems

Page 10: Building Secure Composable Services with Oauth and Odata

Architectures need to understand and incorporate the need to flow identity and data across a diversity of devices and services

Page 11: Building Secure Composable Services with Oauth and Odata

Composition with Open Standards

Page 12: Building Secure Composable Services with Oauth and Odata
Page 13: Building Secure Composable Services with Oauth and Odata

OData in 1 slide
• URL conventions: collections, keys, filtering, sorting, paging, etc.
• Representation for structured data: JSON and Atom/XML formats, pointers to unstructured data
• Operations: GET, POST, PUT/PATCH, DELETE have well-established semantics
• Description: service description in terms of structure, interaction and metadata in general

Page 14: Building Secure Composable Services with Oauth and Odata

• Types
  • Defines structure of resources: "entity type" and "complex type" in EDM
  • Entity types can inherit structure from a base type
  • Can include pointers to other items and to unstructured content

• Collections
  • A resource that contains a set of other resources: "entity set" in EDM

• Actions
  • Expose behavior other than CRUD
  • Top-level, or attached to collections or individual resources

Core Modeling Tools

Page 15: Building Secure Composable Services with Oauth and Odata

Libraries for serving and consuming OData

MOBILE DEV: WP7, Android, iOS
APP DEV: Silverlight, .NET, JavaScript, Java, PHP, Ruby
WEB CMS: Joomla, Drupal
CUSTOM SERVERS: .NET servers, Java, PHP, node.js
CLOUD APPLICATIONS: App Engine, Azure
DATABASES: SQL Server, MySQL, Azure Data

Page 16: Building Secure Composable Services with Oauth and Odata

Implementation options
• WCF Data Services
  • Works best for thin layers over databases/LINQ providers
  • Covers most of the OData protocol

• ASP.NET Web API
  • Works best if you don't have an IQueryable and/or if you have lots of business logic
  • Easier to separate service interface from domain model/storage model
  • Covers only parts of OData. Core functionality in place, more to come soon

• ODataLib
  • Lowest-level library, lots of control but lots of work
  • Covers most of the OData protocol, metadata driven
  • Use only if WCF DS/Web API doesn't meet your needs

• Custom
  • Please try not to go there :)

Page 17: Building Secure Composable Services with Oauth and Odata

public HttpResponseMessage Post(Account a)
{
    // Your code here
}

ASP.NET web API

Page 18: Building Secure Composable Services with Oauth and Odata

• Have your service expose metadata
  • Used for tooling, discovery, code-gen
  • Think about scope, change rate
  • You can add your own annotations to

• Naming convention
  • Types in PascalCase, members in camelCase
  • Must start with a letter, may contain only letters and numbers

• WCF Data Services: it just works

• Web API: it just works

Metadata

Page 19: Building Secure Composable Services with Oauth and Odata

• OData describes a broad set of query capabilities

• No need to support it all, pick what you need

• WCF Data Services
  • Translates everything into a LINQ expression tree, up to providers to handle
  • Built-in Entity Framework/Reflection providers support all options

• Web API
  • Translate to LINQ or directly process high-level query expression tree
  • Good coverage. More added in Dec release (e.g. $select, $expand)

Query Capabilities

Page 21: Building Secure Composable Services with Oauth and Odata

OData – query options

Page 22: Building Secure Composable Services with Oauth and Odata

• Large collections
  • Return partial results and use "next links"

• WCF Data Services
  • Set up server-driven paging for automatic support
  • Implement IDataServicePagingProvider for more control

• Web API
  • Automatic support via attributes, e.g. "[Queryable(ResultLimit=100)]"
  • Use ODataQueryOptions + ODataResult<T> for more control

Interaction - Retrieval
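The query-options and paging slides above describe what a service accepts from the URL and how it hands back partial results. The following is an added example, not code from the deck or from any of the libraries it names: a node.js function that parses the OData query options of a request, applies them to a constructed in-memory entity set, caps the page size (the analogue of [Queryable(ResultLimit=...)]) and emits a next link when the collection is not exhausted. The service policy (which options and properties are allowed, the cap of 2) and the sample contacts are assumptions made for the example; it implements only the "Property eq 'literal'" filter form.

```javascript
// Added example (not from the slides): parse the OData query options a
// request carries and apply them to an in-memory entity set, the way a
// small Web API or node.js service would, with a server-side result limit
// and a "next link" when only part of the collection is returned.

// Constructed sample entity set.
const CONTACTS = [
  { ID: 1, FirstName: 'Pablo', LastName: 'Castro', City: 'Redmond' },
  { ID: 2, FirstName: 'Ada', LastName: 'Lovelace', City: 'London' },
  { ID: 3, FirstName: 'Marc', LastName: 'Mercuri', City: 'Redmond' },
  { ID: 4, FirstName: 'Ulrich', LastName: 'Homann', City: 'Redmond' },
  { ID: 5, FirstName: 'Ed', LastName: 'Blanton', City: 'Redmond' },
];

// Hypothetical service policy: the options supported at all, the properties
// that may be filtered or sorted on, and the page-size cap (the analogue of
// [Queryable(ResultLimit=2)]). Unknown options are rejected, not ignored.
const SUPPORTED = new Set(['$filter', '$orderby', '$top', '$skip']);
const QUERYABLE = new Set(['ID', 'FirstName', 'LastName', 'City']);
const RESULT_LIMIT = 2;

// Only the "Property eq 'literal'" filter form is implemented here.
function parseFilter(expr) {
  const m = /^(\w+) eq '([^']*)'$/.exec(expr);
  if (!m || !QUERYABLE.has(m[1])) throw new Error('unsupported $filter: ' + expr);
  return (row) => String(row[m[1]]) === m[2];
}

// "$orderby=Property [asc|desc]"; the property must be on the allow-list,
// so a client cannot sort on (or probe for) arbitrary object keys.
function parseOrderBy(expr) {
  const [prop, dir = 'asc'] = expr.trim().split(/\s+/);
  if (!QUERYABLE.has(prop) || !['asc', 'desc'].includes(dir)) {
    throw new Error('unsupported $orderby: ' + expr);
  }
  const sign = dir === 'asc' ? 1 : -1;
  return (a, b) => (a[prop] < b[prop] ? -sign : a[prop] > b[prop] ? sign : 0);
}

function parseCount(name, value) {
  if (!/^\d+$/.test(value)) throw new Error(name + ' must be a non-negative integer');
  return Number(value);
}

// Apply the options in OData's order (filter, orderby, skip, top) and return
// the page plus a next link when the collection was not exhausted.
function query(requestUrl, data = CONTACTS) {
  const u = new URL(requestUrl, 'http://service.invalid'); // base only resolves relative URLs
  const opts = {};
  for (const [name, value] of u.searchParams) {
    if (!SUPPORTED.has(name)) throw new Error('unsupported query option: ' + name);
    opts[name] = value;
  }
  let rows = data.slice();
  if (opts.$filter !== undefined) rows = rows.filter(parseFilter(opts.$filter));
  if (opts.$orderby !== undefined) rows.sort(parseOrderBy(opts.$orderby));
  const skip = opts.$skip !== undefined ? parseCount('$skip', opts.$skip) : 0;
  // A client may ask for fewer rows than the cap, never more.
  const requested = opts.$top !== undefined ? parseCount('$top', opts.$top) : RESULT_LIMIT;
  const top = Math.min(requested, RESULT_LIMIT);
  const result = { value: rows.slice(skip, skip + top) };
  if (skip + top < rows.length) {
    // Server-driven paging: the next link repeats the client's options with
    // the window advanced, so a client can follow it without reconstructing them.
    const next = Object.assign({}, opts, { $skip: String(skip + top), $top: String(top) });
    result.nextLink = u.pathname + '?' +
      Object.keys(next).map((k) => k + '=' + encodeURIComponent(next[k])).join('&');
  }
  return result;
}
```

The design choice worth noting: an oversized $top is clamped to the cap rather than rejected, so a client always gets a usable first page, while an unknown option or a non-allow-listed property is an error, because silently ignoring it would return more data than the client believes it asked for.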

Page 23: Building Secure Composable Services with Oauth and Odata

Demo

OData, Netflix, and Excel

Page 24: Building Secure Composable Services with Oauth and Odata

• Create, update, delete operations
  • POST, DELETE add/delete stuff from collections
  • Include a Location header for POST responses if you create a resource
  • PUT is a full replace, PATCH a partial update, and it versions better
  • Support the "Prefer" header to let clients opt in/out of response bodies
  • Use ETags for concurrency control

• WCF Data Services
  • Just works with Entity Framework
  • Implement IDataServiceUpdateProvider2 for others
  • Add business logic via interceptors

• Web API
  • Helper base controller makes it easy
  • Easy to add business logic directly in controllers

Interaction - CUD

Page 25: Building Secure Composable Services with Oauth and Odata

Prefer Header

POST /svc/Contacts
{ "FirstName": "Pablo", "LastName": "Castro" }

201 Created
Location: http://.../svc/Contacts(123)
{ "ID": 123, "FirstName": "Pablo", "LastName": "Castro" }

POST /svc/Contacts
Prefer: return-no-content
{ "FirstName": "Pablo", "LastName": "Castro" }

204 No Content
Location: http://.../svc/Contacts(123)
Preference-Applied: return-no-content

Page 26: Building Secure Composable Services with Oauth and Odata

Support in SharePoint 2013

Page 27: Building Secure Composable Services with Oauth and Odata

SharePoint 2013 Remote API Architecture
• _api (alias for _vti_bin/client.svc)
• JavaScript Library
• Silverlight Library
• .NET CLR Library

Page 28: Building Secure Composable Services with Oauth and Odata

REST URLs in SharePoint 2013
• REST URLs can go through the _api folder
• Simplifies URL construction
• Removes the client.svc file name from the URL

You can replace this URL:
http://wingtipserver/_vti_bin/client.svc/web

With this URL:
http://wingtipserver/_api/web

Page 29: Building Secure Composable Services with Oauth and Odata

Mapping objects to resources
Example REST URLs targeting SharePoint sites:
• _api/web/lists
• _api/web/lists/getByTitle('Announcements')
• _api/web/getAvailableWebTemplates(lcid=1033)

Page 30: Building Secure Composable Services with Oauth and Odata

REST query from managed code
Tips for making REST calls from managed code:
• Use the HttpWebRequest and HttpWebResponse objects
• Query XML using XDocument.Descendants
• Or use JSON and the JavaScriptSerializer object

Page 31: Building Secure Composable Services with Oauth and Odata

REST query using JavaScript & jQuery

Page 32: Building Secure Composable Services with Oauth and Odata

Testing REST Calls Through the Browser

Page 33: Building Secure Composable Services with Oauth and Odata

Azure AD Directory Graph API
RESTful programmatic access to the directory:
• Objects such as users, groups, roles, licenses
• Relationships such as member, memberOf, manager, directReport

Requests use standard HTTP methods:
• POST, GET, PATCH, DELETE to create, read, update, and delete
• Response in XML or JSON; standard HTTP status codes
• Compatible with OData 3.0

OAuth 2.0 for authentication
Role-based assignment for application and user authorization

Page 34: Building Secure Composable Services with Oauth and Odata

Example Directory Graph Call
Request: https://directory.windows.net/contoso.com/Users('[email protected]')

{
  "d": {
    "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/Manager" },
    "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/MemberOf" },
    "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectType": "User",
    "AccountEnabled": true,
    "DisplayName": "Ed Blanton",
    "GivenName": "Ed",
    "Surname": "Blanton",
    "UserPrincipalName": "[email protected]",
    "Mail": "[email protected]",
    "JobTitle": "Vice President",
    "Department": "Operations",
    "TelephoneNumber": "4258828080",
    "Mobile": "2069417891",
    "StreetAddress": "One Main Street",
    "PhysicalDeliveryOfficeName": "Building 2",
    "City": "Redmond",
    "State": "WA",
    "Country": "US",
    "PostalCode": "98007"
  }
}

Page 35: Building Secure Composable Services with Oauth and Odata

FAQs
• Scope: OData seems to cover quite a bit, do I need to implement the whole thing?
• Standards: I need to support a known or industry standard protocol. Isn't that in conflict with the guidelines, which require OData support?
• Advertising: How do I advertise API versions?
• URL differences: There seem to be some differences in URLs with other OData services, is that the case?

Page 36: Building Secure Composable Services with Oauth and Odata
Page 37: Building Secure Composable Services with Oauth and Odata

What is it?
• An open protocol to allow secure authorization in a simple and standard method from web, mobile, and desktop applications
• For service providers, OAuth gives users access to their data while protecting their account credentials
• For service consumers, OAuth is a simple way to publish and interact with protected data

Page 38: Building Secure Composable Services with Oauth and Odata

What we'll look at today
• Terminology
• Client profiles
• OAuth flow types
• Consuming OAuth-secured services
• Demos

Page 39: Building Secure Composable Services with Oauth and Odata
Page 40: Building Secure Composable Services with Oauth and Odata
Page 41: Building Secure Composable Services with Oauth and Odata

Terminology
• Resource Owner
• Client
• Resource Server
• Authorization Server
• Access Token
• Refresh Token

Page 42: Building Secure Composable Services with Oauth and Odata

Client profiles
• Server-side web application
• Client-side application running in a web browser
• Native application

Page 43: Building Secure Composable Services with Oauth and Odata

Authorization flows
• Authorization code
• Implicit grant for browser-based client-side applications
• Resource owner password-based grant
• Client credentials

Outside the core spec (but important):
• Device profile
• SAML bearer assertion profile

Page 44: Building Secure Composable Services with Oauth and Odata

Authorization code flow
When to use:
• Long-lived access is required
• OAuth client is a web application server
• Accountability for API calls is very important

Page 45: Building Secure Composable Services with Oauth and Odata

Authorization code flow (diagram: steps A to E)

Page 46: Building Secure Composable Services with Oauth and Odata

Implicit grant flow
When to use:
• Temporary access to data is required
• User is regularly logged in to the API provider
• OAuth client is running in the browser (JavaScript, Silverlight, Flash, etc.)
• Browser is strongly trusted, with limited concern that the access token will leak

Page 47: Building Secure Composable Services with Oauth and Odata

Implicit grant flow (diagram: steps A to D)

Page 48: Building Secure Composable Services with Oauth and Odata

Resource owner password flow
When to use:
• Temporary access to data is required
• User is regularly logged in to the API provider
• OAuth client is running in the browser (JavaScript, Silverlight, Flash, etc.)
• Browser is strongly trusted, with limited concern that the access token will leak

Page 49: Building Secure Composable Services with Oauth and Odata

Resource owner password flow (diagram: steps A to C)

Page 50: Building Secure Composable Services with Oauth and Odata

Client credentials flow
When to use:
• Temporary access to data is required
• User is regularly logged in to the API provider
• OAuth client is running in the browser (JavaScript, Silverlight, Flash, etc.)
• Browser is strongly trusted, with limited concern that the access token will leak

Page 51: Building Secure Composable Services with Oauth and Odata

Client credentials flow (diagram: steps A and B)

Page 52: Building Secure Composable Services with Oauth and Odata

Device profile flow
When to use:
• Temporary access to data is required
• User is regularly logged in to the API provider
• OAuth client is running in the browser (JavaScript, Silverlight, Flash, etc.)
• Browser is strongly trusted, with limited concern that the access token will leak

Page 53: Building Secure Composable Services with Oauth and Odata

Associating Users and Apps with Devices (diagram: steps A to F)

Page 54: Building Secure Composable Services with Oauth and Odata

OAuth Protocol Flow in Office 365 (diagram: ten numbered steps between the end user, the client app, the authentication server and the SharePoint 2013 content server)

Page 55: Building Secure Composable Services with Oauth and Odata

Demo: OAuth in Action

Page 56: Building Secure Composable Services with Oauth and Odata

Recap - composite clients and services

Page 57: Building Secure Composable Services with Oauth and Odata

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 58: Building Secure Composable Services with Oauth and Odata

Updates and the form digest
• Updates using REST require a form digest
• Special value created using cryptography
• Used to protect against replay attacks
• SharePoint pages include a control that contains the form digest
• Web service clients must acquire the form digest separately
• The form digest can be acquired through http://<site_url>/_api/contextinfo

Page 59: Building Secure Composable Services with Oauth and Odata

Adding an item

Page 60: Building Secure Composable Services with Oauth and Odata

Deleting an item

Page 61: Building Secure Composable Services with Oauth and Odata

Updating an item
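The form-digest slide says a web service client must fetch the digest from /_api/contextinfo before it can add, update or delete an item; the three slides above carry the operations but no code survived extraction. As an added example (not code from the deck or from SharePoint's own libraries), the helper below acquires the digest, caches it until shortly before the server's stated timeout, and attaches it as X-RequestDigest to each write; the transport is injected, so the example runs offline against a constructed fake server that refuses any write whose digest is not current. The endpoint, the Accept/Content-Type values, the verbose-JSON response shape (d.GetContextWebInformation.FormDigestValue and FormDigestTimeoutSeconds) and the X-HTTP-Method/IF-MATCH convention for update and delete are SharePoint 2013's; the fake server, the Announcements list and the sixty-second renewal margin are assumptions of the example.

```javascript
// Added example (not from the slides): obtain the SharePoint form digest
// from /_api/contextinfo, cache it until it is about to expire, and send it
// as X-RequestDigest with every write. `send(url, { method, headers, body })`
// is an injected synchronous transport returning { status, json() }; here it
// is the constructed fake below, in production it would wrap the HTTP stack.

function createDigestClient(siteUrl, send, now = () => Date.now()) {
  let cached = null; // { value, expiresAt }

  function getDigest() {
    if (cached && cached.expiresAt > now()) return cached.value;
    const res = send(siteUrl + '/_api/contextinfo', {
      method: 'POST',
      headers: { Accept: 'application/json;odata=verbose' },
    });
    if (res.status !== 200) throw new Error('contextinfo failed: HTTP ' + res.status);
    const info = res.json().d.GetContextWebInformation;
    // Renew a minute before the server-side timeout rather than racing it
    // (60 s margin is this example's choice).
    const ttlMs = Math.max(info.FormDigestTimeoutSeconds - 60, 1) * 1000;
    cached = { value: info.FormDigestValue, expiresAt: now() + ttlMs };
    return cached.value;
  }

  // Writes carry the digest; reads (GET) do not need one. Update and delete
  // are POSTs tunnelled through X-HTTP-Method (MERGE / DELETE) together with
  // an IF-MATCH header, which callers pass in extraHeaders.
  function write(path, body, extraHeaders = {}) {
    const headers = Object.assign({
      Accept: 'application/json;odata=verbose',
      'Content-Type': 'application/json;odata=verbose',
      'X-RequestDigest': getDigest(),
    }, extraHeaders);
    return send(siteUrl + path, { method: 'POST', headers, body: body === undefined ? undefined : JSON.stringify(body) });
  }

  return { getDigest, write };
}

// Constructed fake of the server side: hands out numbered digests and
// refuses writes whose X-RequestDigest is not the most recently issued one.
function fakeSharePoint() {
  const state = { digestRequests: 0, items: [] };
  function send(url, init) {
    if (url.endsWith('/_api/contextinfo') && init.method === 'POST') {
      state.digestRequests += 1;
      const d = { GetContextWebInformation: { FormDigestValue: 'digest-' + state.digestRequests, FormDigestTimeoutSeconds: 1800 } };
      return { status: 200, json: () => ({ d }) };
    }
    if ((init.headers || {})['X-RequestDigest'] !== 'digest-' + state.digestRequests) {
      return { status: 403, json: () => ({}) };
    }
    if (init.method === 'POST' && url.endsWith("/_api/web/lists/getByTitle('Announcements')/items")) {
      state.items.push(JSON.parse(init.body));
      return { status: 201, json: () => ({ d: { Id: state.items.length } }) };
    }
    return { status: 404, json: () => ({}) };
  }
  return { state, send };
}
```

Against a real site the same client adds an item with write("/_api/web/lists/getByTitle('Announcements')/items", { __metadata: { type: 'SP.Data.AnnouncementsListItem' }, Title: '...' }), updates one with write(".../items(1)", { Title: '...' }, { 'X-HTTP-Method': 'MERGE', 'IF-MATCH': '*' }) and deletes one with write(".../items(1)", undefined, { 'X-HTTP-Method': 'DELETE', 'IF-MATCH': '*' }); passing the item's real ETag instead of '*' in IF-MATCH gives the same concurrency protection the OData slides describe.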

Page 62: Building Secure Composable Services with Oauth and Odata

Changes in SharePoint 2013
• client.svc extended with REST capabilities
  • client.svc now supports direct access from REST clients
  • client.svc accepts HTTP GET, PUT, POST requests
  • Implemented in accordance with the OData protocol

• CSOM extended with new APIs
  • New APIs for SharePoint Server functionality
  • New API for Windows Phone applications


Page 66: Building Secure Composable Services with Oauth and Odata

Security problems in SharePoint 2010
• Code in farm solutions considered fully trusted
  • By default, code runs with permissions of the current user
  • Developer can call SPSecurity.RunWithElevatedPrivileges
    • Code runs as the all-powerful SHAREPOINT\SYSTEM account
    • Code reverts to the Windows identity of the host application pool

• Sandbox solution code runs as the current user
  • Code always runs with permissions of the current user
  • Activation code runs as site administrator
  • No ability to elevate permissions if the user is a visitor

Page 67: Building Secure Composable Services with Oauth and Odata

Authentication in SharePoint 2013
Authentication flow in SharePoint 2013:
• User authentication stays the same with standard sites
• In calls to the app web, app authentication occurs internally
  • Internal authentication occurs in calls to the app web
  • External authentication is used for calls from the remote web
• Call context can contain both user and app identity

Requirements for establishing app identity:
• Host web application must be claims-based
• Incoming calls must target CSOM/REST endpoints
• Supported CSOM/REST endpoints are not extensible

Page 68: Building Secure Composable Services with Oauth and Odata

App permissions
• Apps are granted permissions
  • App permissions are different from user permissions
  • App permissions are granted as all or nothing
  • App permissions have no permissions hierarchy

This is different from user permissions, which have a hierarchy inside a site collection.

• An app has default permissions
  • App has full control over the app web but no other default permissions
  • App can include a permission request in the application manifest
  • Installing user grants/denies permissions during installation
  • If the permission request is denied, SharePoint does not install the app
