Vlad's blog

In programming veritas

Archive for November 2015

OAuth2 flows: Authorization flow


The Authorization flow is usually used when the Resource Owner communicates with a web server which in turn accesses another RESTful web service on behalf of the Resource Owner.
[Figure: Authorization Flow-1]
The Client redirects the Resource Owner to the Authorization Server. In the URL the Client specifies client_id, which is how the Authorization Server identifies the Client; this assumes the Client was previously registered with the Authorization Server. The Client also specifies redirect_uri, which the Authorization Server will use to send the Resource Owner back once authorization is complete.
[Figure: Authorization Flow-2]
Then the Authorization Server asks the user to authorize. Depending on the particular implementation (Google, Twitter, Facebook) the login screen may look different.
[Figure: Google login screen]
The next step is the consent screen, where the Resource Owner is prompted to allow the application to perform certain actions.
[Figure: Google consent screen]
When authorization is complete the Authorization Server redirects the Resource Owner back to the Client.
[Figure: Authorization Flow-3]
The redirect carries a code parameter, but this is not a token yet. The Client uses this code in a request it sends directly to the Authorization Server.
[Figure: Authorization Flow-4]
The Authorization Server responds with an access token, a refresh token and the expiration time in seconds.
[Figure: Authorization Flow-5]
Now the Client can access the Resource Server using the access token.
[Figure: Authorization Flow-6]
As you can see, the access token lifetime is very short. When it expires there are two options: the Client can start the procedure over, or use the refresh token to request a new access token.
So the Authorization flow has the following features.

  • Used for server side applications
  • The Resource Owner never receives the access token, so it cannot leak
  • If the access token has expired, a new one can be requested using the refresh token
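The script below is an added example and is not part of the post: it plays all four roles in one process to walk through the six steps above and the later refresh, with the browser redirects modelled as returned URLs. The client id web-app, the secret s3cret, the callback https://client.example/callback and the user alice are constructed. Three things are assumptions that the post does not mention: the Client authenticates to the token endpoint with a client_secret (as a server side application can), the redirect carries a state value that the Client checks on the way back, and an authorization code is valid for 60 seconds. The checks the Authorization Server performs are the ones a defender cares about: the redirect_uri must match the registered one, a code is single-use and bound to the client that requested it, and the access token stops working once expires_in has elapsed while the refresh token still yields a new one.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ACCESS_TOKEN_TTL = 3600  # seconds; sent to the Client as expires_in
CODE_TTL = 60            # assumption: an authorization code lives for one minute


class AuthorizationServer:
    def __init__(self):
        self.clients = {}         # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}           # code -> (client_id, redirect_uri, user, issued_at)
        self.access_tokens = {}   # access token -> (user, expires_at)
        self.refresh_tokens = {}  # refresh token -> (client_id, user)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, state, user, now):
        """Steps 1-3: validate the Client, then (after login and consent) redirect with a code."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            # Never redirect to an unregistered URI: that would hand the code to a stranger.
            raise ValueError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, now)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, grant_type, now, **params):
        """Steps 4-5 (grant_type=authorization_code) and the later refresh (refresh_token)."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("client authentication failed")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)  # pop(): a code is single-use
            if entry is None:
                raise PermissionError("invalid or already used code")
            code_client, code_redirect, user, issued_at = entry
            if code_client != client_id or code_redirect != params["redirect_uri"]:
                raise PermissionError("code was issued to another client or redirect_uri")
            if now - issued_at > CODE_TTL:
                raise PermissionError("code expired")
        elif grant_type == "refresh_token":
            entry = self.refresh_tokens.get(params["refresh_token"])
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid refresh token")
            user = entry[1]
        else:
            raise ValueError("unsupported grant_type")
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = (user, now + ACCESS_TOKEN_TTL)
        response = {"access_token": access, "token_type": "bearer", "expires_in": ACCESS_TOKEN_TTL}
        if grant_type == "authorization_code":
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = (client_id, user)
            response["refresh_token"] = refresh
        return response

    def introspect(self, access_token, now):
        """The user behind a token, or None if the token is unknown or expired."""
        entry = self.access_tokens.get(access_token)
        return None if entry is None or now >= entry[1] else entry[0]


def resource_server_get(auth, bearer_token, now):
    """Step 6: the Resource Server answers 200 for a valid token and 401 otherwise."""
    user = auth.introspect(bearer_token, now)
    return (401, {"error": "invalid_token"}) if user is None else (200, {"user": user})


def run_flow(now=1000.0):
    """Runs steps 1-6 of the post plus a refresh; returns the outcomes for inspection."""
    auth = AuthorizationServer()
    auth.register_client("web-app", "s3cret", "https://client.example/callback")  # constructed
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session
    callback = auth.authorize("web-app", "https://client.example/callback", state, "alice", now)
    query = parse_qs(urlparse(callback).query)
    if query["state"][0] != state:
        raise RuntimeError("callback does not belong to this session")
    code = query["code"][0]
    # The Client, not the browser, exchanges the code; the Resource Owner never sees the token.
    tokens = auth.token("web-app", "s3cret", "authorization_code", now,
                        code=code, redirect_uri="https://client.example/callback")
    fresh, _ = resource_server_get(auth, tokens["access_token"], now)
    later = now + ACCESS_TOKEN_TTL  # the lifetime has elapsed: the old token is rejected
    expired, _ = resource_server_get(auth, tokens["access_token"], later)
    renewed = auth.token("web-app", "s3cret", "refresh_token", later,
                         refresh_token=tokens["refresh_token"])
    renewed_status, _ = resource_server_get(auth, renewed["access_token"], later)
    try:  # replaying the code must fail: the first exchange consumed it
        auth.token("web-app", "s3cret", "authorization_code", now,
                   code=code, redirect_uri="https://client.example/callback")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"fresh": fresh, "expired": expired, "renewed": renewed_status,
            "replay_rejected": replay_rejected, "expires_in": tokens["expires_in"]}
```

Calling run_flow() returns the Resource Server's status for the fresh token (200), the same token after expires_in seconds (401) and the token obtained with the refresh token (200), together with whether the second exchange of the same code was refused. The clock is passed in as a number so that expiry can be exercised without waiting.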

Written by vsukhachev

November 15, 2015 at 3:28 am

Posted in Development


OAuth 2 flows: introduction


This post starts a series of posts dedicated to OAuth2 flows. But before we begin I would like to provide some background: first, a few words on why we need OAuth2 and which problems it is supposed to solve.
OAuth 2.0 is an open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications.
Let's start from the traditional example of web forms authentication. In forms authentication there are two roles: Browser and Server. The Browser starts the conversation by sending the user name and password entered by the user. The Server authorizes this request and responds with an authentication ticket representing the user's credentials. The Browser saves the ticket in the user's cookie collection and then sends this cookie with every request.
This approach works fine for browser based applications, but what about mobile applications? Usually mobile applications don't maintain collections of cookies. And the described approach assumes that the application itself is responsible for authentication and authorization. The scenario where the user needs to create a new password for every mobile application is not realistic. Today users prefer to use their Facebook or Google credentials to identify themselves. But this approach raises a question: will the user trust a newly downloaded application with his Facebook user name and password? The answer is obvious: no. So we come to the conclusion that authentication and authorization should be separated from the application. And that is where federated security comes into play.

OAuth 2 roles

OAuth2 defines the following roles.

  • Resource Owner is a human that owns a resource on the Resource Server
  • Resource Server is the server hosting the protected resource
  • Client is an application making protected resource requests on behalf of the Resource Owner
  • Authorization Server is the server that issues access tokens to the Client

The term Client does not refer to any particular implementation characteristics. For example, the Client can be a mobile application, a desktop application, or a server side application making requests to a Web API.

[Figure: OAuth roles]

[Figure: OAuth 2 flows]

Written by vsukhachev

November 15, 2015 at 3:28 am

Posted in Development


Web API data shaping


Data shaping is a simple technique for minimizing the traffic travelling from a Client of a Web API to the Server and vice versa. A Client can send many requests to the Server to retrieve and update data. Depending on the scenario, the Client might not be interested in receiving all the fields that comprise a data object. For instance, the Client might want to receive only id and description and ignore the other ten fields. When hundreds of objects travel from Server to Client, that can significantly affect application performance.

Optimizing data retrieval (HTTP GET)

Imagine we are developing a simple application for managing tasks. Below is the task class definition.

public class Task
{
    public int Id { get; set; }
    public string Summary { get; set; }
    public string Description { get; set; }
    public DateTime LastModified { get; set; }
    public DateTime Created { get; set; }
    public string UserCreated { get; set; }
    public string Assignee { get; set; }
    public TaskState State { get; set; }

    public enum TaskState
    {
        NotStarted,
        InProgress,
        Closed
    }
}

The API should expose a method for retrieving a task by id, so the URL should look like this:

http://taskmanager.com/tasks/1

When this request is processed the Server returns the following result.

{
 "id": 1,
 "summary": "Test task summary",
 "description": "Test task description",
 "lastModified": "2015-11-04T08:29:17.5464689-05:00",
 "created": "2015-11-04T08:29:17.5464689-05:00",
 "userCreated": "UserCreated",
 "assignee": "Assignee",
 "state": 1
}

Consider the scenario where the Client wishes to receive only id plus summary. Ideally the URL for achieving this should look like the one below.

http://taskmanager.com/api/tasks/1?fields=id,summary

The server side code is shown below. The optional argument fields specifies a comma separated list of field names.

[RoutePrefix("api")]
public class TaskController : ApiController
{
    private ITaskRepository taskRepository = new TaskRepository();

    [Route("tasks/{taskId}")]
    public IHttpActionResult Get(int taskId, string fields = null)
    {
        try
        {
            var fieldsList = new List<string>();

            if (fields != null)
            {
                // Normalise the comma separated list: trim whitespace, lower-case,
                // and drop empty entries such as a trailing comma.
                fieldsList = fields.Split(',')
                    .Select(f => f.Trim().ToLower())
                    .Where(f => f.Length > 0)
                    .ToList();
            }

            Task task = taskRepository.Find(taskId);

            if (task == null)
            {
                return NotFound();
            }

            object result = GetShapedObject(task, fieldsList);

            return Ok(result);
        }
        catch (ArgumentException ex)
        {
            // Thrown by GetShapedObject for a field name Task does not have
            // (or a duplicate one): a client error, not a server failure.
            return BadRequest(ex.Message);
        }
        catch (Exception)
        {
            return InternalServerError();
        }
    }

The actual filtering is implemented in the GetShapedObject method, which uses a bit of reflection to create an output object that contains only the fields requested by the Client.

private static object GetShapedObject(Task task, List<string> fieldsList)
{
    // No fields requested: return the whole object.
    if (fieldsList.Count == 0)
    {
        return task;
    }

    ExpandoObject result = new ExpandoObject();

    foreach (var field in fieldsList)
    {
        // Look the property up by name, ignoring case; only public instance
        // properties of Task are reachable this way.
        var property = task.GetType()
            .GetProperty(field,
                BindingFlags.IgnoreCase |
                BindingFlags.Public |
                BindingFlags.Instance);

        if (property == null)
        {
            // Unknown field name: report it instead of dereferencing null.
            throw new ArgumentException("Unknown field: " + field);
        }

        ((IDictionary<String, Object>)result).Add(field, property.GetValue(task, null));
    }

    return result;
}

So the following URL will return only id and summary.

http://taskmanager.com/api/tasks/1?fields=id,summary

{
 "id": 1,
 "summary": "Test task summary"
}
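As an added example that is not the post's code, here is the same field selection written in Python: the fields value is matched against an explicit allowlist of exposed names rather than being handed to reflection, so a client can only ever pick from the fields the API means to expose, and an unknown or empty name is answered with 400 rather than surfacing as an exception. The task record, the repository dict and the function names (parse_fields, shape, handle_get) are constructed for this example.

```python
# Constructed Task records, keyed by id, standing in for the post's ITaskRepository.
# Keys are the lower-case names that a client may request in ?fields=...
SAMPLE_TASKS = {
    1: {"id": 1, "summary": "Test task summary", "description": "Test task description",
        "lastmodified": "2015-11-04T08:29:17-05:00", "created": "2015-11-04T08:29:17-05:00",
        "usercreated": "UserCreated", "assignee": "Assignee", "state": 1},
}

# The allowlist: lower-case request name -> camelCase key used in the JSON response.
# Only these names are ever looked up, so `fields` can never reach anything else.
EXPOSED_FIELDS = {
    "id": "id", "summary": "summary", "description": "description",
    "lastmodified": "lastModified", "created": "created",
    "usercreated": "userCreated", "assignee": "assignee", "state": "state",
}


class BadRequest(ValueError):
    """A malformed or unknown `fields` value; the action answers HTTP 400."""


def parse_fields(fields):
    """Turn ' Id , SUMMARY,,id' into ['id', 'summary']: trim, lower-case, drop empty
    items, de-duplicate, and reject any name that is not on the allowlist."""
    if fields is None:
        return list(EXPOSED_FIELDS)  # no filter: the full object, as in the post
    wanted = []
    for raw in fields.split(","):
        name = raw.strip().lower()
        if not name:
            continue
        if name not in EXPOSED_FIELDS:
            raise BadRequest(f"unknown field: {raw.strip()!r}")
        if name not in wanted:
            wanted.append(name)
    if not wanted:
        raise BadRequest("fields must name at least one field")
    return wanted


def shape(task, fields=None):
    """Build the response body with only the requested fields, keyed for JSON."""
    return {EXPOSED_FIELDS[name]: task[name] for name in parse_fields(fields)}


def handle_get(repository, task_id, fields=None):
    """The controller action as (status, body): 404 for a missing task, 400 for a
    bad `fields` value instead of letting an exception turn into a 500."""
    task = repository.get(task_id)
    if task is None:
        return 404, None
    try:
        return 200, shape(task, fields)
    except BadRequest as exc:
        return 400, {"error": str(exc)}
```

handle_get(SAMPLE_TASKS, 1, "id,summary") yields the two-field body shown above; handle_get(SAMPLE_TASKS, 1, "id,password") yields a 400 naming the unknown field. Keeping the allowlist as data rather than deriving it from the type also makes it easy to leave a property out of the API without changing the class.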

Optimizing data update (HTTP PATCH)

In the HTTP world PUT is used for updating a resource. By definition the Client should specify all fields of the data object, otherwise they will be reset to defaults. I.e. if you want to change only the summary you should send the entire Task object in the body of the PUT request.

{
 "id": 1,
 "summary": "New task summary",
 "description": "Test task description",
 "lastModified": "2015-11-04T08:29:17.5464689-05:00",
 "created": "2015-11-04T08:29:17.5464689-05:00",
 "userCreated": "UserCreated",
 "assignee": "Assignee",
 "state": 1
}

Sometimes this is not desirable, due to performance considerations or because the Client literally does not have all the fields available. In order to update only a subset of fields you should use HTTP PATCH. PATCH stands for partial resource modification. The standard does not specify exactly how changes must be represented in the request body. If you don't want to reinvent the wheel you can use JsonPatchDocument, which describes a sequence of operations to apply to a JSON document. For instance, if we want to change the task summary we need to send the following request.

PATCH http://taskmanager.com/api/tasks/1 HTTP/1.1
Content-Type: application/json-patch+json

[
  {"op":"replace","path":"/summary","value":"New task summary"}
]

In order to add support for JsonPatchDocument in an ASP.NET Web API project you can use the Marvin.JsonPatch library, which is available on NuGet. The server side implementation is below.

[Route("tasks/{taskId}")]
[HttpPatch]
public IHttpActionResult Patch(int taskId,
    [FromBody]JsonPatchDocument<Task> taskPatchDocument)
{
    try
    {
        // A missing or unparseable body is a client error.
        if (taskPatchDocument == null)
        {
            return BadRequest();
        }

        var task = taskRepository.Find(taskId);

        if (task == null)
        {
            return NotFound();
        }

        // Applies every operation in the document to the loaded entity,
        // whichever paths the client named.
        taskPatchDocument.ApplyTo(task);

        taskRepository.Update(task);

        return Ok(task);
    }
    catch (Exception)
    {
        return InternalServerError();
    }
}

The following line is required in WebApiConfig.Register() so that the JSON formatter accepts the application/json-patch+json media type.

public static void Register(HttpConfiguration config)
{
    config.Formatters.JsonFormatter.SupportedMediaTypes.Add(
        new MediaTypeHeaderValue("application/json-patch+json"));
}

So after we send a PATCH request that changes the summary field, the response looks like below.

{
 "summary": "New task summary",
 "id": 1,
 "description": "Test task description",
 "lastModified": "2015-11-04T23:42:57.6376424-05:00",
 "created": "2015-11-04T23:42:57.6376424-05:00",
 "userCreated": "UserCreated",
 "assignee": "Assignee",
 "state": 1
}
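The Patch action above hands the whole document to ApplyTo(), so a client can name any path on Task, including /id or /created. As an added example that is neither the post's C# nor the Marvin.JsonPatch library, the Python below applies a JSON Patch array with a server-side allowlist of writable paths, supports the replace, add, remove and test operations on a flat document, validates the new state value, and lets the server rather than the client set lastModified. The sample task, WRITABLE_PATHS and the function names (apply_patch, handle_patch, fresh_repository) are constructed for this example.

```python
import copy

# Constructed task record matching the post's JSON; keys are the response field names.
SAMPLE_TASKS = {
    1: {"id": 1, "summary": "Test task summary", "description": "Test task description",
        "lastModified": "2015-11-04T08:29:17-05:00", "created": "2015-11-04T08:29:17-05:00",
        "userCreated": "UserCreated", "assignee": "Assignee", "state": 1},
}

# Paths a client may change. /id, /created, /userCreated and /lastModified are
# deliberately absent: the server owns them, so a patch naming them is rejected.
WRITABLE_PATHS = {"/summary", "/description", "/assignee", "/state"}
VALID_STATES = (0, 1, 2)  # NotStarted, InProgress, Closed (the post's TaskState)


class PatchError(ValueError):
    """A malformed or disallowed operation; the action answers 422."""


def fresh_repository():
    """An independent copy of the sample data, so callers can patch freely."""
    return copy.deepcopy(SAMPLE_TASKS)


def apply_patch(task, operations, now):
    """Apply a JSON Patch (RFC 6902) array with replace/add/remove/test operations
    to a copy of `task` and return the copy. Raises PatchError, leaving `task`
    untouched, for anything outside the allowlist or otherwise malformed."""
    if not isinstance(operations, list) or not operations:
        raise PatchError("patch document must be a non-empty array of operations")
    updated = copy.deepcopy(task)
    for op in operations:
        if not isinstance(op, dict):
            raise PatchError("each operation must be an object")
        path = op.get("path")
        if path not in WRITABLE_PATHS:
            raise PatchError(f"path {path!r} is not writable")
        key = path[1:]  # flat document: '/summary' -> 'summary'
        kind = op.get("op")
        if kind in ("replace", "add"):
            if "value" not in op:
                raise PatchError(f"{kind} on {path} requires a value")
            updated[key] = op["value"]
        elif kind == "remove":
            updated[key] = None
        elif kind == "test":
            if updated.get(key) != op.get("value"):
                raise PatchError(f"test on {path} failed")
        else:
            raise PatchError(f"unsupported op {kind!r}")
    if updated["state"] not in VALID_STATES:
        raise PatchError("state must be 0, 1 or 2")
    updated["lastModified"] = now  # the server stamps the time; the client never can
    return updated


def handle_patch(repository, task_id, operations, now):
    """The PATCH action as (status, body): 404 if the task is missing, 422 for a
    rejected document, 200 with the full updated task otherwise (as in the post)."""
    task = repository.get(task_id)
    if task is None:
        return 404, None
    try:
        updated = apply_patch(task, operations, now)
    except PatchError as exc:
        return 422, {"error": str(exc)}
    repository[task_id] = updated
    return 200, updated
```

With repo = fresh_repository(), the request from the post, handle_patch(repo, 1, [{"op": "replace", "path": "/summary", "value": "New task summary"}], now), returns 200 and the full task with the new summary and the server-set timestamp, while an operation on /id returns 422 and leaves the stored task unchanged. Because the document is applied to a copy, a failing test operation in the middle of an array rolls the whole patch back rather than leaving a half-applied record.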

Written by vsukhachev

November 5, 2015 at 5:10 am

Posted in Development
