DPS907 notes – Tue Nov 11

Add security to an app.


Authorization Server project

Your professor has posted an app (on the GitHub code example repository, and on the My.Seneca/Blackboard ‘assignments’ area).

The app combines an Identity Server with an Authorization Server. For our purposes, we will call it an Authorization Server (AS).

In its current state, it should be ready-to-use, without needing any changes. The idea is that you will deploy it to a web site (on Microsoft Azure). As a result, you can use this AS from many different projects.

The app will have UI to enable a human user (resource owner) to create an account, and perform typical account-management tasks.

The app will also have web service endpoints for authentication, and token generation.

Note: This is ‘version 1’ of the AS. It does NOT implement claims. It should be used only for Assignment 1.


Adding security to your Assignment 1 project

During class, you will learn how to add security components to your Assignment 1 web service. Then, you will be able to add the Authorize attribute for controllers and/or methods that need protection.

The following content is also embedded in the Assignment 1 specifications document.


Testing the Authorization Server, and your app’s security components

Both the AS and your app can be tested locally on your own (or on a College) computer. After you’re happy with their operation, you can deploy them to Azure.


Authorization Server (AS)

Get the app from GitHub or My.Seneca/Blackboard.

As noted above, it should be ready-to-use, without needing any changes. Use it locally while testing. Later, you will learn how to deploy it to Microsoft Azure.


Add components to your Assignment 1 project

Open the Package Manager Console. Run these commands, in sequence:

install-package microsoft.aspnet.webapi -version 5.2.2

If (when) it asks to overwrite file conflicts in ‘Areas\HelpPage\Views\…’, yes, you can choose ‘a’ for ‘Yes to All’.

install-package microsoft.aspnet.webapi.owin -version 5.2.2

install-package microsoft.owin.host.systemweb -version 3.0.0

install-package microsoft.owin.cors -version 3.0.0

install-package microsoft.owin.security.oauth -version 2.1.0

Some of the content in this section was based on this post by Taiseer Joudeh.


Next, add a source code file named “Startup.cs” to your project; it can be in the project’s root. It will hold the ‘Startup’ class:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
// more...
using Owin;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

// Change the namespace to match the name of your project
[assembly: OwinStartup(typeof(Associations.Startup))]

// Change the namespace to match the name of your project
namespace Associations
    public class Startup
        public void Configuration(IAppBuilder app)
            HttpConfiguration config = new HttpConfiguration();
        private void ConfigureOAuth(IAppBuilder app)
            //Token Consumption
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions


At this point in time, your project will be able to use the security components.



Testing your work

Use Fiddler.

Start/run the Authorization Server (AS), and it will appear in a browser. If you are loading the AS for the first time, you will have to ‘register’ a new user. Then, you can test login and logout.

From Fiddler, access the AS. Then, follow the instructions on the AS home page to authenticate and get an access token. In summary, the request will look like this:

  • HTTP method is
  • URI is
  • Content-Type header value is
  • Message body is

An ‘access token’ will be returned. Save its value somewhere (maybe in a plain text editor window).

Next, in your other app, protect one or more controllers/methods with the [Authorize] attribute.

Then, start/run your other app, and it will appear in a browser.

From Fiddler, attempt to access a protected resource. Notice the HTTP 401 response.

Add an authorization header to the request, formatted as follows:

Authorization: Bearer gZNPJjEbPwyPB7ePGdLml9Ev-1IT…
(the access token’s value, which is a very long string)

Then attempt to access the resource again; the HTTP response should be ‘success’.

Wait until the token expires (check the value in the AS ‘Startup.Auth.cs’ source code file). Attempt to access the resource again; the HTTP response should be 401.


Deploy to Microsoft Azure

Please visit the September 11 notes page for instructions.

For example, the web service will be deployed to “wsa500pmcintyr.azurewebsites.net” (assuming that your My.Seneca ID is ‘pmcintyr’).


New web site, and database, for the Authorization Server 

In the Microsoft Azure management portal, create a new web site and database. For example, assume that your My.Seneca ID is ‘pmcintyr’:

The new web site name will be something like:

Create the web site with a database. A suggested database name is:

It is important that the Authorization Server is configured as a new and separate app.
















  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: