Microsoft’s new framework for writing RESTful web services and web APIs is, appropriately enough, called ASP.NET Web API. As the name implies, this technology is part of ASP.NET and inherits its well-known security architecture. In addition, it supports a number of new extensibility points and a flexible hosting infrastructure outside of IIS. There are a number of ways to do authentication and authorization in Web API - from Windows to usernames and passwords up to token-based authentication and everything in between. This talk explores the various options and puts special focus on technologies like claims, SAML, OAuth2, Simple Web Tokens and delegation.
Ten years after the release of .NET 1.0, Microsoft decided to revamp the built-in infrastructure for authentication and authorization. All identities in .NET are now modeled using the claims-based paradigm, and token-based authentication (which is also the basis for federation) is now a first-class citizen in the framework. This has been achieved by tightly integrating the Windows Identity Foundation (WIF) into the core class library. Since these changes have been made in the base classes, all application-level frameworks like ASP.NET, WCF and WPF inherit these new features. Learn what these new mechanisms have to offer, what they mean for existing applications, and how to migrate from either stock .NET or WIF-enabled applications.
When building modern applications, you have many security options. How do you authenticate, and how do you authorize? How do you manage access to resources on behalf of your users? Do you have to integrate with corporate security systems, or do you want to support web identities like a Google ID? Which protocols do your customers support? How do you provision new users and grant access? You can build such systems on your own and take the risk of getting sucked into a complexity vortex while doing so. Or you can use a third-party service that encapsulates the technical details, which you simply use from your applications. Such a service is the Windows Azure Access Control Service (ACS). It provides security services to applications - in the cloud, on-premises or wherever you want. This talk explains what ACS is all about and how it works.