ASP.NET Web API OAuth2 delegation with Windows Azure Access Control Service - Init

<body> <h1>ASP.NET Web API OAuth2 delegation with Windows Azure Access Control Service</h1> <p><img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 5px 0px 5px 5px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top: 0px; border-right: 0px; padding-top: 0px" title="OAuth 2 Windows Azure" border="0" alt="OAuth 2 Windows Azure" align="right" src="http://blog.maartenballiauw.be/image.axd?picture=image_216.png" width="136" height="136" />If you are familiar with OAuth2’s protocol flow, you know there’s a lot of things you should implement if you want to protect your ASP.NET Web API using OAuth2. To refresh your mind, here’s what’s required (at least):</p> <ul> <li>OAuth authorization server</li> <li>Keep track of consuming applications</li> <li>Keep track of user consent (yes, I allow application X to act on my behalf)</li> <li>OAuth token expiration & refresh token handling</li> <li>Oh, and your API</li> </ul> <p>That’s a lot to build there. Wouldn’t it be great to outsource part of that list to a third party? A little-known feature of the Windows Azure Access Control Service is that you can use it to keep track of applications, user consent and token expiration & refresh token handling. That leaves you with implementing:</p> <ul> <li>OAuth authorization server</li> <li>Your API</li> </ul> <p>Let’s do it!</p> <ul></ul> <p><em>On a side note: I’m aware of the </em><a href="http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/" target="_blank"><em>road-to-hell post released last week</em></a><em> on OAuth2. I still think that whoever offers OAuth2 should be responsible enough to implement the protocol in a secure fashion. The protocol gives you the options to do so, and, as with regular web page logins, you as the implementer should think about security.</em></p> <h2>Building a simple API</h2> <p>I’ve been doing some demos lately using <a href="http://www.brewbuddy.net">www.brewbuddy.net</a>, a sample application (sources <a href="https://github.com/maartenba/BrewBuddy" target="_blank">here</a>) which enables hobby beer brewers to keep track of their recipes and current brews. There are a lot of applications out there that may benefit from being able to consume my recipes. I love the smell of a fresh API in the morning!</p> <p>Here’s an API which would enable access to my BrewBuddy recipes:</p> <div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:9D7513F9-C04C-4721-824A-2B34F0212519:f9482a72-208f-4f41-b0c9-7773262b83c4" class="wlWriterEditableSmartContent"><pre style="width: 723px; height: 287px;background-color:White;overflow: auto;"><div><span style="color: #008080;"> 1</span> <span style="color: #000000;">[Authorize] </span><span style="color: #008080;"> 2</span> <span style="color: #000000;"></span><span style="color: #0000FF;">public</span><span style="color: #000000;"> </span><span style="color: #0000FF;">class</span><span style="color: #000000;"> RecipesController </span><span style="color: #008080;"> 3</span> <span style="color: #000000;"> : ApiController </span><span style="color: #008080;"> 4</span> <span style="color: #000000;">{ </span><span style="color: #008080;"> 5</span> <span style="color: #000000;"> </span><span style="color: #0000FF;">protected</span><span style="color: #000000;"> IRecipeService RecipeService { </span><span style="color: #0000FF;">get</span><span style="color: #000000;">; </span><span style="color: #0000FF;">private</span><span style="color: #000000;"> </span><span style="color: #0000FF;">set</span><span style="color: #000000;">; } </span><span style="color: #008080;"> 6</span> <span style="color: #000000;"> </span><span style="color: #008080;"> 7</span> <span style="color: #000000;"> </span><span style="color: #0000FF;">public</span><span style="color: #000000;"> </span></div></pre></div></body>