
Building native client and mobile apps using Azure Active Directory for sign in
Today’s Applications
Standards-based, HTTP-based authentication protocols: WS-Fed, SAML 2.0, OpenID Connect, OAuth
What is Azure Active Directory?
Active Directory - Then vs. now
So what’s cooking
How AAD represents resources
Implementing OAuth2
ADAL
Protecting your own API
Azure Active Directory Application Model
OAuth for native apps
Auth Code Request/Response
I’d like a code please (response_type), to access this service (resource); this is me (client_id); send the code here (redirect_uri):

GET https://login.windows.net/contoso.com/oauth2/authorize
?response_type=code
&resource=https://skwantoso.com/TodoListService
&client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
&redirect_uri=http://todolistclient/
&prompt=login

<< Stuff happens here to sign the user in... >>

Here’s your code!

302 Found http://todolistclient/
?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…
Token Request/Response
I have a code (grant_type, code); this is me (client_id); I asked you to send the code here (redirect_uri); I need to use this service (resource):

POST https://login.windows.net/skwantoso.com/oauth2/token
grant_type=authorization_code
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
&client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
&redirect_uri=http://todolistclient/
&resource=https://skwantoso.com/TodoListService

200 OK
Here is your bearer token (access_token); it’s for this service (resource); when it expires (expires_in, expires_on); the refresh token (refresh_token); your permissions (scope); info about the user (id_token):

{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",
"token_type":"Bearer",
"expires_in":"3599",
"expires_on":"1396472189",
"resource":"https://skwantoso.com/TodoListService",
"refresh_token":"AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",
"scope":"user_impersonation",
"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiJmY…n0."}
Server-Based Sign-In User Experience
• Native client sign-in UI is web-based
– Same sign-in UI as web app sign-in
– Web UI allows arbitrary interaction
• Consent to use application
• Multi-factor authentication
• Account compromise detection
• … and more stuff we haven’t dreamed up yet
• Plan to offer non-interactive methods
– Name/password
– Kerberos
– These will return error if user interaction required
Active Directory Authentication Libraries (ADAL)
• Abstracts away most protocol considerations
• Handles token persistence & refresh automatically

// Authority: the tenant the user signs in against
var ctx = new AuthenticationContext(
    "https://login.windows.net/u2u.onmicrosoft.com");
// Ask for a token for a resource (first argument) on behalf of this client app (second argument)
AuthenticationResult rez = await ctx.AcquireTokenAsync(
    "https://outlook.office365.com/",
    "5fc4a5a2-78d5-4d94-b890-a6e6b3341081");
Active Directory Authentication Libraries (ADAL)
• Available on multiple platforms
– .NET, Windows Store, iOS, Android, Node.JS, Java
• Open source (or in the process to be)
• Same primitives, native programming models
• Sophisticated features
– Works across Windows Server and Azure Active Directory
– Cache and automatic refresh
– Multi user support
Protecting Your Own API with AAD
• Big OAuth2 providers issue tokens for their own resources
– Facebook for the Facebook Graph, AAD for the Graph, Azure management, Office…
• Azure AD allows you to secure your own API
• Easy as 1-2-3
– Add an entry for your API in your AAD tenant
– Define which permissions your app recognizes
– Add middleware in front of your API to validate AAD access tokens
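Step 3 is where the API's security actually lives, so here is an added example (not code from the deck or from ADAL) of the checks such middleware must make on an Azure AD bearer token before trusting it: pinned algorithm, issuer, audience (the API's own resource URI from the slides), validity window and signature. The issuer string, the kid and the HS256 test key are placeholders and assumptions: Azure AD signs access tokens with RS256 (the access_token header in the slide decodes to alg RS256 with an x5t thumbprint), so a real verify_sig fetches the tenant's published signing keys and verifies RS256 instead of the HMAC stand-in used here so the example runs offline.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_bearer_token(auth_header, expected_aud, expected_iss, expected_alg,
                          verify_sig, now=None, skew=300):
    """Returns (claims, None) or (None, reason). verify_sig(header, signing_input,
    signature) -> bool does the key lookup (kid/x5t) and signature check; for AAD
    that is RS256 against the tenant's published signing keys."""
    now = time.time() if now is None else now
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None, "not a bearer JWT"
    h64, c64, s64 = token.split(".")
    try:
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
    except ValueError:
        return None, "malformed token"
    # Pin the algorithm; this also rejects alg=none (the slide's id_token header
    # decodes to {"typ":"JWT","alg":"none"}, so an API must never trust it).
    if header.get("alg") != expected_alg:
        return None, "unexpected alg"
    if claims.get("iss") != expected_iss:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"  # token was issued for another resource
    if claims.get("nbf", 0) - skew > now:
        return None, "token not yet valid"
    if claims.get("exp", 0) + skew < now:
        return None, "token expired"
    if not verify_sig(header, f"{h64}.{c64}".encode(), signature):
        return None, "bad signature"
    return claims, None

# Constructed offline stand-in for AAD's RS256 keys: an HS256 test key plus a
# matching verify_sig. Only this plumbing differs in a real deployment.
_TEST_KEY = b"constructed-test-key"
def mint_test_token(claims, alg="HS256"):
    header = {"typ": "JWT", "alg": alg, "kid": "test-kid"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(claims).encode()))
    sig = b"" if alg == "none" else hmac.new(_TEST_KEY, signing_input.encode(),
                                               hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)
def verify_test_sig(header, signing_input, signature):
    expected = hmac.new(_TEST_KEY, signing_input, hashlib.sha256).digest()
    return header.get("kid") == "test-kid" and hmac.compare_digest(expected, signature)
```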
Adding an entry for your WebAPI in AAD
• AAD needs to know how to identify your API
• You can add an entry via the portal…
• …or you can use VS2013
The application’s manifest
• AAD needs to know which permissions your API exposes
• You provide that info by uploading a manifest for your app
– JSON file holding a description of your app
– Download the default one, edit the AppPermissions node, upload it back
– Still VERY MUCH in preview
• Fun fact: an API can also be a client of some other API!
– The RequiredResourceAccess node lists the resources & permissions the API requires
TheIdentityHub (www.theidentityhub.com)
[Diagram: apps (Android, iOS, Windows Phone, Windows 8, Web, Legacy Apps, Sensor) connected through TheIdentityHub to identity providers (Facebook, Twitter, Apple, Active Directory, Office 365, Google, Microsoft)]
A big thank you to our sponsors
Platinum Partners
Gold Partners
Silver & Track Partners