Thursday, November 28, 2013

Open Authentication (OAuth)

OAuth is a free and open protocol, built on IETF standards and licensed by the Open Web Foundation, and is the right solution for securing open platforms. OAuth is a simple way to publish and interact with protected data. It is also a safer and more secure way for people to give you access. It is an open protocol that allows secure authorization, in a simple and standard way, from web, mobile and desktop applications.
OAuth is ‘An API access delegation protocol’
The heart of OAuth is an authorization token with limited rights, which the user can revoke at any time should they become suspicious or dissatisfied. OAuth supports "delegated authentication" between web apps using a security token called an "access token". Delegated authorization is granting access to another person or application to perform actions on your behalf. An OAuth token gives one app access to one API on behalf of one user.
Below is the pictorial representation of OAuth Authorization Flow:
Microsoft provides "Microsoft.Web.WebPages.OAuth.dll" for implementing OAuth in .NET applications. The Microsoft.Web.WebPages.OAuth namespace contains the core classes used to work with OAuth and OpenID authentication. The classes in this namespace interact with the classes from the open-source DotNetOpenAuth library.
OAuthWebSecurity Class
This class manages security that uses OAuth authentication providers like Facebook, Twitter, LinkedIn and Windows Live, and OpenID authentication providers like Google and Yahoo. Below are the main APIs commonly used in an implementation.
  1. Register...Client (... : Microsoft, Facebook, etc.): These register methods each register a specific identity provider with the application.
  2. RegisteredClientData: This API provides the list of the registered identity providers. It is needed for the ProviderName property when requesting authentication.
  3. RequestAuthentication: This is the API to invoke to trigger a login with one of the identity providers. The parameters are the identity provider name (one of the ProviderName values from the RegisteredClientData collection) and the return URL where you will receive the authentication token from the identity provider. Internally it does a Response.Redirect to take the user to the identity provider's consent screen.
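The three APIs above fit together as a startup registration step, a redirect to the provider, and a callback that verifies the provider's response. The following ASP.NET MVC sketch is an added example written for this post, not code from the Microsoft library or from the original article. It assumes an MVC 4 project that references Microsoft.Web.WebPages.OAuth and DotNetOpenAuth (the source of AuthenticationResult); the app IDs and secrets are placeholders, and the controller, action and view names are the example's own.

```csharp
using System.Linq;
using System.Web.Mvc;
using Microsoft.Web.WebPages.OAuth;
using DotNetOpenAuth.AspNet;   // AuthenticationResult

// 1. Register...Client: run once at application start (e.g. from App_Start).
// Placeholder credentials are assumed here; real values belong in protected
// configuration, never in source control.
public static class AuthConfig
{
    public static void RegisterAuth()
    {
        OAuthWebSecurity.RegisterGoogleClient();                 // OpenID provider, no secret
        OAuthWebSecurity.RegisterFacebookClient(
            appId: "FACEBOOK_APP_ID_PLACEHOLDER",
            appSecret: "FACEBOOK_APP_SECRET_PLACEHOLDER");
        OAuthWebSecurity.RegisterMicrosoftClient(
            clientId: "MICROSOFT_CLIENT_ID_PLACEHOLDER",
            clientSecret: "MICROSOFT_CLIENT_SECRET_PLACEHOLDER");
    }
}

// Wraps RequestAuthentication in an ActionResult so the Response.Redirect it
// performs happens where MVC expects a result to be executed.
public class ExternalLoginResult : ActionResult
{
    private readonly string _provider, _returnUrl;
    public ExternalLoginResult(string provider, string returnUrl)
    {
        _provider = provider; _returnUrl = returnUrl;
    }
    public override void ExecuteResult(ControllerContext context)
    {
        // 3. RequestAuthentication: sends the browser to the provider's consent screen.
        OAuthWebSecurity.RequestAuthentication(_provider, _returnUrl);
    }
}

public class AccountController : Controller
{
    // 2. RegisteredClientData: the view renders one login button per ProviderName.
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View(OAuthWebSecurity.RegisteredClientData);
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        // Accept only providers registered at startup; the name comes from the form.
        if (!OAuthWebSecurity.RegisteredClientData.Any(c => c.ProviderName == provider))
            return new HttpStatusCodeResult(400);

        // Keep the post-login destination local so the flow cannot be used as an open redirect.
        if (!Url.IsLocalUrl(returnUrl))
            returnUrl = Url.Action("Index", "Home");

        string callback = Url.Action("ExternalLoginCallback", "Account",
                                     new { ReturnUrl = returnUrl }, Request.Url.Scheme);
        return new ExternalLoginResult(provider, callback);
    }

    // The provider redirects back here; nothing in the response is trusted until
    // VerifyAuthentication has checked it with the provider.
    [AllowAnonymous]
    public ActionResult ExternalLoginCallback(string returnUrl)
    {
        AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(
            Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = returnUrl }));

        if (!result.IsSuccessful)
            return RedirectToAction("Login");

        // Sign in when the (Provider, ProviderUserId) pair is already linked to a local account.
        if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
            return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Action("Index", "Home"));

        // Otherwise let the user confirm a local account for this external identity.
        ViewBag.ProviderDisplayName = OAuthWebSecurity.GetOAuthClientData(result.Provider).DisplayName;
        return View("ExternalLoginConfirmation",
                    new { result.UserName, result.Provider, result.ProviderUserId });
    }
}
```

Two design points matter for security: the provider name is checked against RegisteredClientData rather than passed straight through, and the return URL is restricted to local paths both before the redirect and after verification, so a crafted login link cannot bounce the user to a third-party site once the provider hands control back.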

Reference Links: http://hueniverse.com/2007/09/explaining-oauth/
