At NDC, Jon, K Scott and Rob Conery talked to Dominick Baier about HTTP API security: CORS, token based authentication and more.
Download: Herding Code 175: Dominick Baier on Securing ASP.NET Web APIs and HTTP Services
Show Notes:
- Overview of CORS and Token Based Authentication
- (00:17) K Scott asks Dominick about the subject of his talk at NDC. Dominick runs through the upcoming changes in Web API authentication, including an overview of CORS and token based authentication.
- (03:49) Dominick explains the ability to support a separate token server in Web API and announces Authentication Server, his new open source project which provides
- (05:13) Rob describes how he’s seen people breaking their sites and services across multiple domains and subdomains. He explains a problem he’s currently running into with older releases of Internet Explorer. Dominick explains more about how CORS works and talks about options for working with older browsers – either sticking with JSONP or putting services in the same domain.
- OAuth
- (08:15) Jon asks how a security token service relates to more well-known terms like OpenID and OAuth. Dominick explains some of the history and challenges OAuth has encountered. As a result, the OAuth spec is really just a collection of patterns rather than a strict specification.
- (11:19) Jon asks Dominick how he implemented the OAuth spec in his Authentication Server implementation. Dominick gives examples of how the spec is very open – for instance, there are 69 occurrences of the word MAY in the spec. He says he’s been advocating for a minimum profile.
- (12:56) K Scott asks what sort of authentication should be used with Dominick’s security token server, since OAuth isn’t an authentication mechanism. Dominick explains the interaction with security tokens.
- Token based security and JWT
- (14:49) Jon comments on the difference in security implications between a compromised token vs. a compromised account password. Dominick says that a token binds five things together: the client, a human, an application, permissions and time. He mentions that with token based authentication you can outsource the security mechanism – passwords, certificates, etc. – and talks about the newly released JSON Web Token (JWT) handler.
- (15:50) K Scott asks for some specifics about the JWT handler.
- (16:27) K Scott asks for more information about Dominick’s talk.
- Roles vs. Claims
- (17:14) Jon asks about the difference between roles and claims. Dominick explains that a role is just a very simple claim: are you in a role or not? Claims move from a simple boolean to more of a name / value pair.
- (18:31) Jon asks what the average developer needs to know about Windows Identity Foundation.
- Photography and wrap-up
- (19:02) K Scott asks Dominick about the photos section on his site and comments on how they’re just about all black and white. Dominick
- (20:52) K Scott asks Dominick what he’s got coming up. Dominick says he’s been heads down on the Authentication Server release.
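The two ideas the token-based security segment (14:49) and the roles vs. claims segment (17:14) describe can be shown together in one small piece of code. What follows is an added illustration written for these show notes, not code from the episode, from Dominick Baier or from the Thinktecture projects: it mints an HS256-signed JWT that binds the five things Dominick lists (the client that asked for it, the human it is about, the application it is meant for, the permissions, and the time window), then shows the validation a Web API would run before trusting any claim, and finally shows a role check as a plain yes/no question against one claim while other claims stay name/value pairs. The shared secret, the issuer and audience URLs, the claim names `client_id`, `scope` and `role`, and the helper names are all assumptions made here; a real deployment would load the key from configuration and use whatever claim layout its token server emits.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumption): a symmetric HS256 key shared by the token
# server and the Web API, plus an issuer and audience URL. Not real endpoints.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://sts.example.test"
AUDIENCE = "https://api.example.test/orders"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, subject: str, client_id: str, scopes: list, roles: list,
               issued_at: int, lifetime: int = 300) -> str:
    """Token-server side: issue a JWT whose claims bind the human (sub), the client
    that requested it (client_id), the API it is for (aud), the permissions (scope
    and role) and the validity window (iat/exp). Claim names other than the
    standard iss/aud/sub/iat/exp are assumptions for this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "aud": AUDIENCE, "sub": subject, "client_id": client_id,
        "scope": " ".join(scopes), "role": roles,
        "iat": issued_at, "exp": issued_at + lifetime,
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, key: bytes, now: int) -> dict:
    """Web API side: accept only tokens signed with our key, from our issuer, meant
    for this API and inside their validity window. Returns the verified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header is untrusted input until the signature checks out.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not intended for this API")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    return claims


def validation_error(token: str, key: bytes, now: int):
    """Convenience wrapper: None if the token is valid, otherwise the reason."""
    try:
        validate_token(token, key, now)
    except ValueError as exc:
        return str(exc)
    return None


def is_in_role(claims: dict, role: str) -> bool:
    """A role is the simplest claim: a boolean answer to 'are you in it or not?'."""
    return role in claims.get("role", [])


def has_scope(claims: dict, scope: str) -> bool:
    """Other claims are name/value pairs; scope is one value among several."""
    return scope in claims.get("scope", "").split()


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "now" so the run is deterministic
    tok = mint_token(DEMO_KEY, "alice", "spa-client", ["orders.read"], ["admin"], t0)
    claims = validate_token(tok, DEMO_KEY, t0 + 10)
    print(claims["sub"], is_in_role(claims, "admin"), has_scope(claims, "orders.read"))
    print(validation_error(tok, DEMO_KEY, t0 + 600))  # expired
```

The validation order matters: signature first, then issuer, audience and time, and only then is any claim read. A token that fails any step yields nothing, which is the property Dominick contrasts with a leaked password: a stolen token is scoped to one API, one client and a short window, rather than to everything the account can do.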
Show Links:
- Dominick Baier (http://leastprivilege.com/, @leastprivilege)
- NDC Session video: Securing ASP.NET Web APIs and HTTP Services
- Thinktecture IdentityServer
- Eran Hammer: OAuth 2.0 and the Road to Hell
- Dominick’s photo blog: http://photos.leastprivilege.com/