At NDC, Jon, K Scott and Rob Conery talked to Dominick Baier about HTTP API security: CORS, token based authentication and more.
Download: Herding Code 175: Dominick Baier on Securing ASP.NET Web APIs and HTTP Services
Show Notes:
Overview of CORS and Token Based Authentication
(00:17) K Scott asks Dominick about the subject of his talk at NDC. Dominick runs through the upcoming changes in Web API authentication, including an overview of CORS and token based authentication.
(03:49) Dominick explains the ability to support a separate token server in Web API and announces Authentication Server, his new open source project which provides
(05:13) Rob describes how he's seen people breaking their sites and services across multiple domains and subdomains. He explains a problem he's currently running into with older releases of Internet Explorer. Dominick explains more about how CORS works and talks about options for working with older browsers - either sticking with JSONP or putting services in the same domain.
OAuth
(08:15) Jon asks how a security token service relates to more well-known terms like OpenID and OAuth. Dominick explains some of the history and challenges OAuth has encountered. As a result, the OAuth spec is really just a collection of patterns rather than a strict specification.
(11:19) Jon asks Dominick how he implemented the OAuth spec in his Authentication Server implementation. Dominick gives examples of how the spec is very open - for instance, there are 69 occurrences of the word MAY in the spec. He says he's been advocating for a minimum profile.
(12:56) K Scott asks what sort of authentication should be used with Dominick's security token server, since OAuth isn't an authentication mechanism. Dominick explains the interaction with security tokens.
Token based security and JWT
(14:49) Jon comments on the difference in security implications between a compromised token vs. a compromised account password. Dominick says that a token binds five things together: the client, a human, an application, permissions and time. He mentions that with token based authentication you can outsource the security mechanism - passwords, certificates, etc. - and talks about the newly released JSON Web Token (JWT) handler.
(15:50) K Scott asks for some specifics about the JWT handler.
(16:27) K Scott asks for more information about Dominick's talk.
Roles vs. Claims
(17:14) Jon asks about the difference between roles and claims. Dominick explains that a role is just a very simple claim: are you in a role or not? Claims move from a simple boolean to more of a name / value pair.
(18:31) Jon asks what the average developer needs to know about Windows Identity Foundation.
Photography and wrap-up
(19:02) K Scott asks Dominick about the photos section on his site and comments on how they're just about all black and white. Dominick
(20:52) K Scott asks Dominick what he's got coming up. Dominick says he's been heads down on the Authentication Server release.
Show Links:
Dominick Baier (http://leastprivilege.com/, @leastprivilege)
NDC Session video: Securing ASP.NET Web APIs and HTTP Services
Thinktecture IdentityServer
Eran Hammer: OAuth 2.0 and the Road to Hell
Dominick's photo blog: http://photos.leastprivilege.com/
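Two points from the notes above, that a token binds client, human, application, permissions and time (14:49) and that a role is just a yes/no claim while a general claim is a name/value pair (17:14), worked through as an added Python example; this is not code from the show, from Thinktecture or from the ASP.NET JWT handler, and the HS256 key, audience, client id and claim names are constructed stand-ins.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key: in practice only the token server and the API share it.
SECRET = b"demo-shared-secret-not-for-production"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict) -> str:
    """Stand-in for the token server: an HS256 JWT of header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_token(token: str, audience: str, now=None) -> dict:
    """What the API does on every request: check the signature, then each of the
    five bindings. Returns the claims on success, raises ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # Always recompute with our own key; the token's alg header never picks the algorithm.
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")  # not issued by the token server
    claims = json.loads(b64url_decode(payload))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")  # application binding
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")  # time binding
    for required in ("sub", "client_id", "scope"):  # human, client, permissions
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    return claims

def has_role(claims: dict, role: str) -> bool:
    """A role is the simplest claim: a yes/no answer about membership.
    Any other claim (scope, email, ...) is read as a name/value pair via claims[name]."""
    roles = claims.get("role", [])
    return role in (roles if isinstance(roles, list) else [roles])
```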