Most web applications today use browser cookies to keep a user logged in while she is using the application. Cookies are a decades-old device and they do not stand up well to security threats that have emerged on the modern web. In particular, cookies are vulnerable to cross-site request forgery. Web applications can be made more secure by using OAuth for session authentication.
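To make the cookie-versus-token point concrete, here is an added example (not code from the original post) that simulates the two browser behaviours that matter for cross-site request forgery. The browser model, the origins `bank.example` and `other.example`, and the session and token values are all constructed assumptions; the two server handlers stand in for a cookie-backed session and an OAuth bearer-token check respectively.

```python
"""Added example (not from the original post): a small simulation of why
cookie-backed sessions are exposed to cross-site request forgery while a
bearer token carried in the Authorization header is not.

Everything here is constructed for illustration: the 'browser' model, the
site names and the session/token values are assumptions, not real services.
"""
from dataclasses import dataclass, field

BANK = "https://bank.example"        # constructed origin that hosts the API
OTHER = "https://other.example"      # constructed unrelated third-party origin

# Server-side state: which session cookie / bearer token belongs to whom.
SESSIONS = {"sess-123": "alice"}     # constructed session id -> user
TOKENS = {"tok-abc": "alice"}        # constructed OAuth access token -> user


@dataclass
class Request:
    origin: str                      # origin of the page that issued the request
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class Browser:
    """Models the two behaviours that matter for CSRF.

    1. Cookies stored for a site are attached to every request to that site,
       no matter which page initiated it (classic cookie behaviour, before
       SameSite defaults existed).
    2. An Authorization header is present only if the initiating page's own
       script added it; the browser never adds one on its own.
    """

    def __init__(self):
        self.cookie_jar = {}         # site -> {cookie name: value}
        self.script_tokens = {}      # origin -> bearer token its script holds

    def set_cookie(self, site, name, value):
        self.cookie_jar.setdefault(site, {})[name] = value

    def store_token(self, origin, token):
        self.script_tokens[origin] = token

    def request(self, from_origin, site):
        req = Request(origin=from_origin, url=site + "/transfer")
        req.cookies = dict(self.cookie_jar.get(site, {}))
        # Only a script running on the API's own origin holds the token.
        if from_origin == site and from_origin in self.script_tokens:
            req.headers["Authorization"] = "Bearer " + self.script_tokens[from_origin]
        return req


def handle_cookie_session(req):
    """Server that trusts the session cookie alone."""
    user = SESSIONS.get(req.cookies.get("session"))
    return (200, user) if user else (401, None)


def handle_bearer_token(req):
    """Server that trusts only a bearer token from the Authorization header."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    user = TOKENS.get(auth[len("Bearer "):])
    return (200, user) if user else (401, None)


def run_scenarios():
    """Return the status each server gives to a same-site and a cross-site request."""
    browser = Browser()
    browser.set_cookie(BANK, "session", "sess-123")
    browser.store_token(BANK, "tok-abc")

    same_site = browser.request(BANK, BANK)
    cross_site = browser.request(OTHER, BANK)   # a page on OTHER triggers a request to BANK

    return {
        "cookie_same_site": handle_cookie_session(same_site)[0],
        "cookie_cross_site": handle_cookie_session(cross_site)[0],
        "bearer_same_site": handle_bearer_token(same_site)[0],
        "bearer_cross_site": handle_bearer_token(cross_site)[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

The cookie-backed server accepts the cross-site request because the browser attached the cookie automatically; the bearer-token server rejects it because no header was sent. If you must keep cookies, the equivalent mitigations are a `SameSite` cookie attribute and a per-request anti-CSRF token, neither of which the simulation models.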
I wish these two words didn’t share the same root because it surely confuses a lot of people. My most frequently-discussed example is OAuth. Every time I start talking about implementing a centralized/unified authentication system, someone jumps in and suggests that we use OAuth. The challenge is that OAuth is an authorization system, not an authentication system.
It’s tricky, because you might actually be “authenticating” yourself to website X using OAuth. What you are really doing is allowing website X to use your information stored by the OAuth provider. It is true that OAuth offers a pseudo-authentication approach via its provider but that is not the main goal of OAuth: the Auth in OAuth stands for Authorization, not Authentication.
Here is how we could briefly describe each role:
- Authentication: recognizes who you are.
- Authorization: knows what you are allowed to do, or what you allow others to do.
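The two roles above are easiest to see when they are implemented as two separate checks. The following is an added example, not code from the original post or from any OAuth provider: `authenticate` answers "who is calling?" from a bearer token, and `authorize` answers "what has the resource owner allowed this client to do?" from the consented scopes. The token values, user and client names, and scope names are constructed for illustration.

```python
"""Added example (not from the original post): separating authentication
(who is calling) from authorization (what the caller may do, or what a user
has allowed a third-party client to do on her behalf).

The token table, user names, client ids and scope names are constructed
for illustration; nothing here models a specific OAuth provider.
"""
from dataclasses import dataclass

# Constructed "issued tokens" table: token -> (resource owner, client, scopes
# the owner consented to when the client asked for access).
ISSUED_TOKENS = {
    "tok-read-only": ("alice", "photo-printer-app", {"profile:read"}),
    "tok-full":      ("alice", "alice-web-session", {"profile:read", "profile:write"}),
}

# Which scope each API operation requires: the authorization policy.
REQUIRED_SCOPE = {
    ("GET", "/me"): "profile:read",
    ("PUT", "/me"): "profile:write",
}


@dataclass(frozen=True)
class Principal:
    user: str            # the resource owner the token speaks for
    client: str          # the application presenting the token
    scopes: frozenset    # what the owner allowed that application to do


class AuthError(Exception):
    """Raised when the caller cannot be identified (maps to HTTP 401)."""


class Forbidden(Exception):
    """Raised when the caller is known but not allowed (maps to HTTP 403)."""


def authenticate(authorization_header):
    """Authentication: recognise who is calling, or raise AuthError."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise AuthError("missing or malformed bearer token")
    token = authorization_header[len("Bearer "):]
    entry = ISSUED_TOKENS.get(token)
    if entry is None:
        raise AuthError("unknown token")
    user, client, scopes = entry
    return Principal(user, client, frozenset(scopes))


def authorize(principal, method, path):
    """Authorization: decide whether this principal may perform the operation."""
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        # No policy entry means no one is allowed: deny by default.
        raise Forbidden("no policy for this operation")
    if needed not in principal.scopes:
        raise Forbidden(f"{principal.client} lacks scope {needed}")


def handle(method, path, authorization_header):
    """Return an HTTP-style status after running both checks, in that order."""
    try:
        who = authenticate(authorization_header)
    except AuthError:
        return 401
    try:
        authorize(who, method, path)
    except Forbidden:
        return 403
    return 200


if __name__ == "__main__":
    print(handle("GET", "/me", "Bearer tok-read-only"))   # 200: known and allowed
    print(handle("PUT", "/me", "Bearer tok-read-only"))   # 403: known, but not allowed
    print(handle("PUT", "/me", "Bearer tok-full"))        # 200
    print(handle("GET", "/me", "Bearer bogus"))           # 401: not known at all
```

The read-only token is perfectly good for authentication (the server knows it speaks for alice via the photo-printer app) yet still fails authorization for a write, which is exactly the distinction the post is drawing: a valid OAuth token tells you who consented, and the scopes tell you what they consented to.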
Application developers are the customers of a Web API. Success is measured by how quickly app developers enjoy success using your API in their applications. And rapid adoption of a Web API is all about design. This e-book will help you make design choices from the application developer’s point of view so that the benefits of proven design principles and best practices will make your initiative a success.
This is a brilliant eBook. Well worth the read. Well done Apigee!
Here are some useful resources that I have been compiling with regard to the new ASP.NET MVC4 (RC) Web API, which provides us with a rapid, testable web API built around MVC and REST. No more WCF for web HTTP APIs!
To quote Microsoft on Web API:
ASP.NET Web API is a framework that makes it easy to build HTTP services that reach a broad range of clients, including browsers and mobile devices. ASP.NET Web API is an ideal platform for building RESTful applications on the .NET Framework.
So, a list of resources, in no particular order:
- ASP.NET WebAPI: Getting Started with MVC4 and WebAPI
- ASP.NET MVC 4 – Web API
- Dependency Injection in ASP.NET MVC 4 and WebAPI using Unity
- Your First ASP.NET Web API (C#)
- Routing in ASP.NET Web API
These resources are related to Windows Azure Access Control Service and security in general with Web API.
- ASP.NET MVC 4 WebAPI authorization
- Basic Authentication with Asp.Net WebAPI
- Using Azure ACS (Access Control Service) with ASP.NET Web API
- Is there a JSON Web Token (JWT) example in C#?
- JsonWebToken (WCF)
- Thinktecture.IdentityModel and ASP.NET Web API
- Thinktecture.IdentityModel.45 source code
- ASP.NET-WebApi-Security source code
- Thinktecture.IdentityModel.Http source code
- Windows Azure Access Control Service 2.0
- Windows Azure Access Control Service-Understanding the Security Buzzwords
- How to Authenticate Web Users with Windows Azure Access Control Service
Finally, there is an iOS toolkit designed to help iOS developers work with ACS: