DPS907 notes – Tue Nov 11
Add security to an app.
.
Authorization Server project
Your professor has posted an app (on the GitHub code example repository, and on the My.Seneca/Blackboard ‘assignments’ area).
The app combines an Identity Server with an Authorization Server. For our purposes, we will call it an Authorization Server (AS).
In its current state, it should be ready-to-use, without needing any changes. The idea is that you will deploy it to a web site (on Microsoft Azure). As a result, you can use this AS from many different projects.
The app will have UI to enable a human user (resource owner) to create an account, and perform typical account-management tasks.
The app will also have web service endpoints for authentication, and token generation.
Note: This is ‘version 1’ of the AS. It does NOT implement claims. It should be used only for Assignment 1.
.
Adding security to your Assignment 1 project
During class, you will learn how to add security components to your Assignment 1 web service. Then, you will be able to add the Authorize attribute for controllers and/or methods that need protection.
The following content is also embedded in the Assignment 1 specifications document.
.
Testing the Authorization Server, and your app’s security components
Both the AS and your app can be tested locally on your own (or on a College) computer. After you’re happy with their operation, you can deploy them to Azure.
.
Authorization Server (AS)
Get the app from GitHub or My.Seneca/Blackboard.
As noted above, it should be ready-to-use, without needing any changes. Use it locally while testing. Later, you will learn how to deploy it to Microsoft Azure.
.
Add components to your Assignment 1 project
Open the Package Manager Console. Run these commands, in sequence:
install-package microsoft.aspnet.webapi -version 5.2.2
If it asks to overwrite file conflicts in ‘Areas\HelpPage\Views\…’, you can choose ‘a’ for ‘Yes to All’.
install-package microsoft.aspnet.webapi.owin -version 5.2.2
install-package microsoft.owin.host.systemweb -version 3.0.0
install-package microsoft.owin.cors -version 3.0.0
install-package microsoft.owin.security.oauth -version 2.1.0
Some of the content in this section was based on this post by Taiseer Joudeh.
.
Next, add a source code file named “Startup.cs” to your project; it can be in the project’s root. It will hold the ‘Startup’ class:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
// more...
using Owin;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

// Change the namespace to match the name of your project
[assembly: OwinStartup(typeof(Associations.Startup))]

// Change the namespace to match the name of your project
namespace Associations
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            HttpConfiguration config = new HttpConfiguration();
            ConfigureOAuth(app);
            WebApiConfig.Register(config);
            // AllowAll accepts cross-origin requests from any origin; fine for local testing
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
            app.UseWebApi(config);
        }

        private void ConfigureOAuth(IAppBuilder app)
        {
            // Token consumption: validate the bearer tokens issued by the AS on incoming requests
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions { });
        }
    }
}
.
At this point in time, your project will be able to use the security components.
.
Testing your work
Use Fiddler.
Start/run the Authorization Server (AS), and it will appear in a browser. If you are loading the AS for the first time, you will have to ‘register’ a new user. Then, you can test login and logout.
From Fiddler, access the AS. Then, follow the instructions on the AS home page to authenticate and get an access token. In summary, the request will look like this:
- HTTP method is POST
- URI is http://host/token
- Content-Type header value is application/x-www-form-urlencoded
- Message body is grant_type=password&username=uuuuuuuu@example.com&password=pppppppp
An ‘access token’ will be returned. Save its value somewhere (maybe in a plain text editor window).
Next, in your other app, protect one or more controllers/methods with the [Authorize] attribute.
Then, start/run your other app, and it will appear in a browser.
From Fiddler, attempt to access a protected resource. Notice the HTTP 401 response.
Add an authorization header to the request, formatted as follows:
Authorization: Bearer gZNPJjEbPwyPB7ePGdLml9Ev-1IT…
(the access token’s value, which is a very long string)
Then attempt to access the resource again; the HTTP response should be ‘success’.
Wait until the token expires (check the value in the AS ‘Startup.Auth.cs’ source code file). Attempt to access the resource again; the HTTP response should be 401.
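The Fiddler steps above (token request, 401 without a token, success with it, 401 again after expiry) can be scripted; the client below is an added example, not part of the course materials or the AS project. The AS base URL, the protected resource URL and the ‘/token’ path are assumptions, and the token response used in testing is a constructed sample.

```python
"""Replays the bearer-token test sequence against an AS and a protected app."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/token"  # assumed: the endpoint named on the AS home page


def build_token_request(username, password):
    # Form body for the resource-owner password grant. urlencode so that
    # '@', '&' or spaces inside the credentials cannot corrupt the body.
    return urllib.parse.urlencode(
        [("grant_type", "password"), ("username", username), ("password", password)])


def parse_token_response(body):
    # The AS answers with JSON; keep the token and compute its absolute expiry.
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {"token": data["access_token"],
            "expires_at": time.time() + int(data["expires_in"])}


def authorization_header(token):
    # Same header shape as shown above: 'Authorization: Bearer <value>'
    return {"Authorization": "Bearer " + token["token"]}


def is_expired(token, now=None):
    # True once the lifetime from 'expires_in' has elapsed (re-authenticate then).
    return (time.time() if now is None else now) >= token["expires_at"]


def get_status(url, headers=None):
    # HTTP status of a GET; 4xx/5xx are results here, not exceptions.
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def check_protected_resource(as_base, app_url, username, password):
    # Returns (status without token, status with token); expect (401, 200).
    body = build_token_request(username, password).encode()
    req = urllib.request.Request(as_base + TOKEN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        token = parse_token_response(resp.read().decode())
    return get_status(app_url), get_status(app_url, authorization_header(token))
```

Run `check_protected_resource("http://localhost:port", "http://localhost:port2/api/...", user, password)` with your own local ports and a registered AS user; the first status should be 401 and the second 200.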
.
Deploy to Microsoft Azure
Please visit the September 11 notes page for instructions.
For example, the web service will be deployed to “wsa500pmcintyr.azurewebsites.net” (assuming that your My.Seneca ID is ‘pmcintyr’).
.
New web site, and database, for the Authorization Server
In the Microsoft Azure management portal, create a new web site and database. For example, assume that your My.Seneca ID is ‘pmcintyr’:
The new web site name will be something like:
wsa500pmcintyrsecurity.azurewebsites.net
Create the web site with a database. A suggested database name is:
wsa500pmcintyrsecurity
It is important that the Authorization Server is configured as a new and separate app.