Herding Code 175: Dominick Baier on Securing ASP.NET Web APIs and HTTP Services

At NDC, Jon, K Scott and Rob Conery talked to Dominick Baier about HTTP API security: CORS, token based authentication and more.

Download: Herding Code 175: Dominick Baier on Securing ASP.NET Web APIs and HTTP Services

Show Notes:

  • Overview of CORS and Token Based Authentication
    • (00:17) K Scott asks Dominick about the subject of his talk at NDC. Dominick runs through the upcoming changes in Web API authentication, including an overview of CORS and token based authentication.
    • (03:49) Dominick explains the ability to support a separate token server in Web API and announces Authentication Server, his new open source project which provides
    • (05:13) Rob describes how he’s seen people breaking their sites and services across multiple domains and subdomains. He explains a problem he’s currently running into with older releases of Internet Explorer. Dominick explains more about how CORS works and talks about options for working with older browsers – either sticking with JSONP or putting services in the same domain.
  • OAuth
    • (08:15) Jon asks how a security token service relates to more well-known terms like OpenID and OAuth. Dominick explains some of the history and challenges OAuth has encountered. As a result, the OAuth spec is really just a collection of patterns rather than a strict specification.
    • (11:19) Jon asks Dominick how he implemented the OAuth spec in his Authentication Server implementation. Dominick gives examples of how the spec is very open – for instance, there are 69 occurrences of the word MAY in the spec. He says he’s been advocating for a minimum profile.
    • (12:56) K Scott asks what sort of authentication should be used with Dominick’s security token server, since OAuth isn’t an authentication mechanism. Dominick explains the interaction with security tokens.
  • Token based security and JWT
    • (14:49) Jon comments on the difference in security implications between a compromised token vs. a compromised account password. Dominick says that a token binds five things together: the client, a human, an application, permissions and time. He mentions that with token based authentication you can outsource the security mechanism – passwords, certificates, etc. – and talks about the newly released JSON Web Token (JWT) handler.
    • (15:50) K Scott asks for some specifics about the JWT handler.
    • (16:27) K Scott asks for more information about Dominick’s talk.
  • Roles vs. Claims
    • (17:14) Jon asks about the difference between roles and claims. Dominick explains that a role is just a very simple claim: are you in a role or not? Claims move from a simple boolean to more of a name/value pair.
    • (18:31) Jon asks what the average developer needs to know about Windows Identity Foundation.
  • Photography and wrap-up
    • (19:02) K Scott asks Dominick about the photos section on his site and comments on how they’re just about all black and white. Dominick
    • (20:52) K Scott asks Dominick what he’s got coming up. Dominick says he’s been heads down on the Authentication Server release.
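The five bindings Dominick describes at 14:49 (client, human, application, permissions, time), as an added example that is not code from the show or from Authentication Server: a minimal HS256 JWT minted by a token server and checked by the receiving API, written here in Python with only the standard library. The shared secret, the scope/audience values and the user names are constructed sample data.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-do-not-reuse"  # sample key shared with the token server

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def mint(client_id, subject, audience, scopes, lifetime_s, now=None):
    """Token server side: one token binds client, human, application, permissions and time."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "client_id": client_id,     # the client that asked for the token
        "sub": subject,             # the human who authenticated
        "aud": audience,            # the application / API the token is meant for
        "scope": " ".join(scopes),  # permissions granted
        "iat": now, "exp": now + lifetime_s,  # validity window
    }
    signing_input = _encode(header) + "." + _encode(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token, expected_aud, required_scope, now=None):
    """Web API side: accept only if every binding checks out; raise ValueError otherwise."""
    now = int(now if now is not None else time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")  # claims were altered or signed with another key
    payload = json.loads(_unb64url(p))
    if payload.get("aud") != expected_aud:
        raise ValueError("token was issued for a different application")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    if required_scope not in payload.get("scope", "").split():
        raise ValueError("missing permission")
    return payload
```

A compromised token therefore only grants one client, acting for one user, one set of permissions against one API, until `exp`; a compromised password grants everything that user can do, everywhere, indefinitely.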

Show Links: