Not so far I moved my ASP.NET MVC 3 project to latest&greatest ASP.NET MVC 5. In my previous article I was writing about this process and how to use own datatables for ASP.NET Identity 2.0 model. One of the points for latest version was OAuth 2.0 "out of the box". But now I have to implement authentication in my Web API project part and read a lot about it...and here is tears...
I recommend to see one of the latest courses about Security in Web API 2.0: WebAPI 2.0 Security
You may see this course available on rutracker =). This is express-course but it is very usefull and telling about SSL settings in your web server, main authentication mecanisms and capabilities in ASP.NET, client-side security in JavaScript, and also Token Based Authentication. Also there are good describing of problems in WebAPI 1.0 and how it was solved in WebAPI 2.0.
During this course there are touched OAuth 2.0 a lot and there are gived link to another useful course Introduction to OAuth2, OpenID Connect and JSON Web Tokens (JWT), and this is course you should start from. Because I know a lot of new things about the history of OAuth 2.0 and where is it now.
For some of you it is not a news, but briefly: Eran Hammer who is author of OAuth 1.0 was working on improvements for this protocol, but big companies like Google and Facebook and Microsoft wanted to help in this. These guys from Enterprise development wanted some other features then Consumer-developers did. And they pushed a lot on it. Everyone want his own features. Finally Eran leaved this community and asked to decline his Last Name from the Authors list. Sad final of OAuth 2.0 was even worse, because big companies was not able to agree with it on all the levels and everyone have its own implementation. So, we can't even call OAuth 2.0 as a "protocol", it is like simple set of rules (which is unnecessary to take into account).
You can understand how Eran hates his creation by watching this video, and also he telling about his new creation in that area.
He wrote several good articles about the problems of OAuth 2.0 in deep:
oauth-2-0-without-signatures-is-bad-for-the-web
oauth-2-0-and-the-road-to-hel
Final of this decisions was that "big guys" was forced to implement their own Security features in the protocol which should be secure from the scratch. Facebook, for example, was hacked several times: Hacking-facebook-with-oauth2-and-chrome
How I Hacked Any Facebook Account...Again!
OAuth 2.0 is a way to hell.(C) Eran Hammer
Resume from me: if you want to implement serious web-service with good level of security you should learn how to do this from the best professionals, implement it and ask for review from these guys. Now one will create a good implementation for you, for example, standard templates of Microsoft ASP.NET projects have a not so good functional to handle this (they write in MSDN "this is not for production"). Author of PluralSight courses develops Open-Source framework for security purposes and he have a nice web-site for support it link. Hope this helps.
Комментарии
Отправить комментарий