Those of you who have been building ASP.NET applications for a while now are no doubt familiar with the provider model, which includes provider abstractions for membership (authentication), roles (authorization), profiles (user data), and session state. These providers make it incredibly easy to provide a secure framework for your application. In fact, with an ASP.NET application template right out of the box, you can have a fully functioning authenticated, secure website in minutes.
What a lot of people have less familiarity with is the notion of provider services. You can actually create a WCF service head that sits on top of the ASP.NET membership system. This allows client applications (WP7) to authenticate against your ASP.NET website using exactly the same authentication scheme that your users use. This means that a user who has access to your website should also be able to have access to the client application seamlessly.
If you already have an ASP.NET application that is using the membership provider, role provider, and profile provider you can quickly, easily, and securely expose services to a mobile (WP7) client that allow that client to have secured, remote access to services exposed by that site. In short, any user of your existing web application can use their existing credentials to log in from their WP7 device and access any services you decide to make available.
ASP.NET provider services, coupled with WP7 and the fact that Silverlight has access to WCF client proxy generation, means you can very easily prep your site for a rich WP7 experience.
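As an added illustration (this is not code from the original post, nor part of the ASP.NET provider services themselves), here is a WCF service hosted in the same site as the membership system. Once the WP7 client has signed in through the membership AuthenticationService, the forms-authentication ticket it receives is presented on later calls, and the service below reuses the site's own membership and role providers to authorize them. It assumes ASP.NET compatibility mode is enabled in web.config and that a role named "Customers" exists; both are assumptions, as is the sample order data.

```csharp
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;
using System.Web.Security;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string[] GetMyOrders();
}

// Runs inside the ASP.NET pipeline so HttpContext.Current carries the forms-authentication
// identity the client established by calling the membership AuthenticationService.
// Assumes <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/> in web.config.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class OrderService : IOrderService
{
    const string RequiredRole = "Customers";   // assumed role name

    // Constructed sample data standing in for the site's real order store.
    static readonly Dictionary<string, string[]> orders = new Dictionary<string, string[]>
    {
        { "alice", new[] { "ORD-1001", "ORD-1002" } }
    };

    public string[] GetMyOrders()
    {
        var user = HttpContext.Current.User;

        // Anonymous callers are refused before any data is touched.
        if (user == null || !user.Identity.IsAuthenticated)
            throw new FaultException("Authentication required.");

        // Same role provider the website uses; the client needs no separate credential store.
        if (!Roles.IsUserInRole(user.Identity.Name, RequiredRole))
            throw new FaultException("Not authorized.");

        // Scope the result to the authenticated caller; the user name is never taken from input.
        string[] result;
        return orders.TryGetValue(user.Identity.Name, out result) ? result : new string[0];
    }
}
```

The Login call to the AuthenticationService carries the user's password, so the service should only be enabled with requireSSL="true" in its configuration; the ticket it issues is then sent back by the client on every call to services like the one above.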
To read more…
Two-part OpenID Silverlight Integration series – by Mark Monster
What is OAuth?
While OpenID and WS-Federation focus on delegating user identity (or a collection of identity claims), OAuth was designed to address a different and complementary scenario, the delegation of user authorization. In a few words, OAuth allows a client application to obtain user consent (i.e. authorization, in the form of access tokens, to consume a private resource) for executing operations over private resources on the user's behalf.
If you want to know more about how OAuth works, you should read the following posts:
OAuth .NET Library
Alex Henderson (aka Bittercoder) has written a pretty good OAuth library in .NET for implementing an OAuth consumer and service provider. The library is available here under an MIT license (do whatever you want with it), and it is very easy to use. Alex has definitely done very good work.
OAuth WCF Channel using REST Starter Kit’s RequestInterceptor
The WCF channel implementation for OAuth sits on top of his library and basically transforms an OAuth token into a .NET security principal that can be used later within the service implementation. The channel is implemented as a RequestInterceptor, one of the new features introduced in the REST WCF Starter Kit. This interceptor captures the request at the channel level and performs all the validations required by OAuth. The following sample illustrates how the interceptors can be plugged into an existing service host (service.svc):
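The original sample listing is not reproduced here. As an added, independent illustration of what such an interceptor has to verify (this is not Bittercoder's library, nor the channel code described above), the class below checks an OAuth 1.0 HMAC-SHA1 signed request on the service-provider side and, when it passes, produces the .NET principal that a RequestInterceptor would attach to the request. It assumes the caller has already merged and URL-decoded the OAuth parameters from the query string, body and Authorization header; the consumer keys, token values, clock-skew window and URL in the demo are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Added example: server-side validation of an OAuth 1.0 HMAC-SHA1 signed request.
// Parameters are assumed to be already URL-decoded and merged from all three sources.
public static class OAuthRequestValidator
{
    public sealed class AccessToken { public string Secret; public string UserName; }

    const long ClockSkewSeconds = 300;                                 // assumed policy
    static readonly HashSet<string> seenNonces = new HashSet<string>(); // replay record (in-memory for the demo)

    static long UnixNow() { return (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds; }

    // OAuth 1.0 requires RFC 3986 encoding: only unreserved characters pass untouched.
    public static string PercentEncode(string value)
    {
        const string unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            if (b < 128 && unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    // Signature base string: METHOD & encoded base URL & encoded, sorted "k=v&k=v" parameter list.
    public static string BuildBaseString(string method, string baseUrl, IDictionary<string, string> parameters)
    {
        var normalized = parameters
            .Where(p => p.Key != "oauth_signature")
            .Select(p => new { Key = PercentEncode(p.Key), Value = PercentEncode(p.Value) })
            .OrderBy(p => p.Key, StringComparer.Ordinal).ThenBy(p => p.Value, StringComparer.Ordinal)
            .Select(p => p.Key + "=" + p.Value);
        return method.ToUpperInvariant() + "&" + PercentEncode(baseUrl) + "&" + PercentEncode(string.Join("&", normalized));
    }

    // Key is consumerSecret&tokenSecret (each encoded): both secrets are needed to produce a signature.
    public static string Sign(string baseString, string consumerSecret, string tokenSecret)
    {
        string key = PercentEncode(consumerSecret) + "&" + PercentEncode(tokenSecret ?? "");
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    // No early exit, so a wrong signature takes as long to reject as a right one takes to accept.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // A stale timestamp or a nonce seen before means a replayed request; refuse it.
    static bool Fresh(string consumerKey, string nonce, string timestamp)
    {
        long ts;
        if (!long.TryParse(timestamp, out ts) || Math.Abs(UnixNow() - ts) > ClockSkewSeconds) return false;
        lock (seenNonces) return seenNonces.Add(consumerKey + ":" + timestamp + ":" + nonce);
    }

    // Returns the authenticated principal, or null when the request must be refused.
    public static IPrincipal Validate(string method, string url, IDictionary<string, string> p,
                                      Func<string, string> consumerSecretFor, Func<string, AccessToken> tokenFor)
    {
        string[] required = { "oauth_consumer_key", "oauth_token", "oauth_signature_method",
                              "oauth_signature", "oauth_nonce", "oauth_timestamp" };
        if (required.Any(k => !p.ContainsKey(k)) || p["oauth_signature_method"] != "HMAC-SHA1") return null;
        string consumerSecret = consumerSecretFor(p["oauth_consumer_key"]);
        AccessToken token = tokenFor(p["oauth_token"]);
        if (consumerSecret == null || token == null) return null;
        if (!Fresh(p["oauth_consumer_key"], p["oauth_nonce"], p["oauth_timestamp"])) return null;
        string expected = Sign(BuildBaseString(method, url, p), consumerSecret, token.Secret);
        if (!FixedTimeEquals(expected, p["oauth_signature"])) return null;
        return new GenericPrincipal(new GenericIdentity(token.UserName, "OAuth"), new string[0]);
    }

    // Demo with constructed consumer, token and request values.
    public static void Main()
    {
        var consumers = new Dictionary<string, string> { { "app-key", "app-secret" } };
        var tokens = new Dictionary<string, AccessToken> { { "tok-1", new AccessToken { Secret = "tok-secret", UserName = "alice" } } };
        var p = new Dictionary<string, string> {
            { "oauth_consumer_key", "app-key" }, { "oauth_token", "tok-1" }, { "oauth_signature_method", "HMAC-SHA1" },
            { "oauth_nonce", Guid.NewGuid().ToString("N") }, { "oauth_timestamp", UnixNow().ToString() }, { "q", "a b" } };
        const string method = "GET", url = "https://example.test/service.svc/orders";
        p["oauth_signature"] = Sign(BuildBaseString(method, url, p), "app-secret", "tok-secret");
        Func<string, string> secretFor = k => consumers.ContainsKey(k) ? consumers[k] : null;
        Func<string, AccessToken> tokenFor = t => tokens.ContainsKey(t) ? tokens[t] : null;
        IPrincipal first = Validate(method, url, p, secretFor, tokenFor);   // signature and nonce are checked here
        IPrincipal replay = Validate(method, url, p, secretFor, tokenFor);  // identical request: nonce already recorded
        Console.WriteLine("first={0} replay-rejected={1}", first == null ? "null" : first.Identity.Name, replay == null);
    }
}
```

The interceptor's job beyond this is plumbing: pull the parameters off the request, resolve the base URL the client actually signed, call Validate, and either set the returned principal on the request or return 401. An in-memory nonce set is only suitable for a single process; a shared store with expiry is needed on a web farm.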
- A little terminology
- Getting started
- OAuth Playground Tool
Recently, all of the Google Data APIs adopted support for OAuth, an open protocol that aims to standardize the way desktop and web applications access a user’s private data. OAuth provides a means of performing API authentication in a standard and secure fashion. If you’re starting out, or just curious about OAuth, look no further. This article will give you a basic foundation of the concepts. I’ll also discuss the details of Google’s OAuth implementation. This document is also meant for developers that are familiar with using AuthSub, especially in registered mode with enhanced security. As we go along, I’ll try to highlight the similarities and differences between the two protocols.
Some users have suggested that OAuth has a high learning curve. Compared to Google’s other authentication APIs, I would agree. The advantage of OAuth will be apparent when you expand your app to use other (non-Google) services. Writing a single piece of authentication code that works across different service providers, and their APIs, sounds pretty good to me. You’ll thank yourself later on for learning the protocol now.
The OAuth Playground is a tool that I created to help developers cure their OAuth woes. You can use the Playground to help debug problems, check your own implementation, or experiment with the Google Data APIs.
Also see the Google Authentication API – OAuth Authentication for Web Applications
This C# OpenID library adds OpenID 2.0 Provider and Relying Party support to your web site both programmatically and through convenient drop-in ASP.NET controls.
- Add support for your site visitors to login with their OpenIDs by just dropping an ASP.NET control onto your page. It’s that easy.
- Give your site members their own OpenIDs with the provider support included in this library.
- Sample relying party and provider web sites show you just how to do it.
- Works in partial trusted shared hosting environments.
- Support for web farms where state persistence, front-facing web servers and ASP.NET may not be standard or even available.
- 170+ unit tests to verify correctness.
Again… an excellent tutorial series from Scott Mitchell
- Creating the Membership Schema in SQL Server [VB | C#] – explores the Membership framework and its goals. Looks at configuring and setting up the SqlMembershipProvider, which stores user account information in a Microsoft SQL Server database.
- Creating User Accounts [VB | C#] – examines creating user accounts using the CreateUserWizard control as well as using the Membership class’s CreateUser method.
- Validating User Credentials Against the Membership User Store [VB | C#] – shows how to validate a user’s supplied credentials and log them on (and off) the site. Looks at using both the Login Web control and the Membership.ValidateUser method.
- User-Based Authorization [VB | C#] – examines how to restrict access to pages or functionality within a page based on the logged in user.
- Storing Additional User Information [VB | C#] – the Membership framework only stores a handful of user attributes, but oftentimes additional, application-specific user information needs to be tracked. This tutorial looks at how to accomplish this.
Via Scott on Writing
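As an added example (not code from Scott Mitchell's tutorials), the helper below drives the steps those tutorials cover through the Membership, FormsAuthentication and Roles APIs directly rather than through the Login and CreateUserWizard controls: creating an account and interpreting the provider's status, validating credentials and issuing the forms ticket, and gating a feature on a role. The error messages and the "Administrators" role name are assumptions; the password rules come from whatever SqlMembershipProvider settings the site's web.config declares.

```csharp
using System.Web;
using System.Web.Security;

// Added example: account creation, sign-in and role checks against the configured providers.
public static class AccountHelper
{
    // Creates the account and turns the provider's status into a message for the caller.
    public static bool TryCreateAccount(string userName, string password, string email, out string error)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        switch (status)
        {
            case MembershipCreateStatus.Success:
                error = null;
                return true;
            case MembershipCreateStatus.DuplicateUserName:
            case MembershipCreateStatus.DuplicateEmail:
                error = "That user name or e-mail address is already registered.";
                return false;
            case MembershipCreateStatus.InvalidPassword:
                // Length and complexity rules come from the provider's web.config settings.
                error = string.Format("Password must be at least {0} characters, {1} of them non-alphanumeric.",
                                      Membership.MinRequiredPasswordLength,
                                      Membership.MinRequiredNonAlphanumericCharacters);
                return false;
            default:
                error = "The account could not be created.";
                return false;
        }
    }

    // ValidateUser checks the supplied password against the stored one (hashed by default);
    // SetAuthCookie then issues the forms-authentication ticket that later requests present.
    public static bool TrySignIn(string userName, string password, bool rememberMe)
    {
        if (!Membership.ValidateUser(userName, password)) return false;
        FormsAuthentication.SetAuthCookie(userName, rememberMe);
        return true;
    }

    public static void SignOut() { FormsAuthentication.SignOut(); }

    // User-based authorization inside a page: show or run a feature only for a given role.
    public static bool CurrentUserIsIn(string role)
    {
        var user = HttpContext.Current.User;
        return user != null && user.Identity.IsAuthenticated && Roles.IsUserInRole(role);
    }
}
```

A page would call TrySignIn from its login handler and use CurrentUserIsIn("Administrators") to decide whether to render an admin panel; the failed-login path deliberately returns only false, so the caller shows one generic message rather than revealing whether the user name exists.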
OAuth — An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.
What is it For?
Many luxury cars today come with a valet key. It is a special key you give the parking attendant which, unlike your regular key, will not allow the car to be driven more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.
Every day, new websites offer services which tie together functionality from other sites. A photo lab printing your online photos, a social network using your address book to look for friends, and APIs to build your own desktop application version of a popular site. These are all great services – what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only do you expose your password to someone else (yes, the same password you also use for online banking), you also give them full access to do as they wish. They can do anything they want – even change your password and lock you out.
This is what OAuth does: it allows you, the User, to grant access to your private resources on one site (called the Service Provider) to another site (called the Consumer, not to be confused with you, the User). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts).