Implementing a REST-ful service using OpenRasta and OAuth WRAP with Windows Azure AppFabric ACS.

I’ve been building prototypes again and I wanted to build a service that exposed a fairly simple, resource-based data API with granular security, i.e. some of my users would be allowed to access one resource but not another or they might be allowed to read a resource but not create or update them.

To do this I’ve used OpenRasta and created a security model based on OAuth/WRAP claims issued by the Windows Azure AppFabric Access Control Service (ACS).

The client can now make a REST call to the ACS passing an identity and secret key. In return they will be issued with a set of claims. A typical claim encompasses a resource in my REST service and the action(s) the user is allowed to perform, so their claim set might show that they were allowed to execute GET against resource foo but not POST or PUT.

In my handler in OpenRasta I add method attributes that indicate what claims are required to invoke that method. For instance, in my handler for resources of type foo I might have the following method:

[RequiresClaims("com.somedomain.api.resourceaction", "GetFoo")]
public OperationResult GetFooByID(int id)
{
	//elided
}

In my solution I have created an OpenRasta interceptor which examines inbound requests, validates the claim set and then compares the claims required by the method attribute to the claims in the claim set. Only if there is a match can the request be processed.

After a few tweets with @serialseb I refactored the above into an IAuthenticationScheme that validates the claims, leaving the original OperationInterceptor to check the claims required by the method to be invoked. I also added an extension method so that the whole thing can be fluently configured like so:

ResourceSpace.Uses.AzureClaimsAuthenticationScheme();
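As an added example (not the post's own code, nor OpenRasta's), here are the two halves described above side by side: the token validation an IAuthenticationScheme would perform, and the attribute-versus-claim-set comparison the OperationInterceptor performs. It assumes a WRAP v0.9 / SWT-style token (form-encoded name=value pairs ending in an HMACSHA256 parameter), a shared ACS signing key, and a hypothetical FooHandler; the wiring into OpenRasta's interfaces is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;

// Marks a handler method with the claim (type + value) a caller must hold.
[AttributeUsage(AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequiresClaimsAttribute : Attribute
{
    public string Type { get; } public string Value { get; }
    public RequiresClaimsAttribute(string type, string value) { Type = type; Value = value; }
}

public class FooHandler   // hypothetical handler shaped like the one in the post
{
    [RequiresClaims("com.somedomain.api.resourceaction", "GetFoo")]
    public string GetFooByID(int id) { return "foo " + id; }
}

public static class ClaimsCheck
{
    // Authentication-scheme half: check the token's HMACSHA256 signature and expiry,
    // then parse the claims. Returns null on any failure so the caller answers 401.
    public static Dictionary<string, string[]> ValidateSwt(string token, byte[] signingKey, DateTime utcNow)
    {
        const string sig = "&HMACSHA256=";
        int idx = token.LastIndexOf(sig, StringComparison.Ordinal);
        if (idx < 0) return null;
        string signedPart = token.Substring(0, idx);
        byte[] presented = Convert.FromBase64String(WebUtility.UrlDecode(token.Substring(idx + sig.Length)));
        byte[] expected;
        using (var hmac = new HMACSHA256(signingKey)) expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(signedPart));
        if (!CryptographicOperations.FixedTimeEquals(presented, expected)) return null;
        // Multi-valued claims are assumed to arrive comma separated, as ACS emits them.
        var claims = signedPart.Split('&').Select(p => p.Split(new[] { '=' }, 2))
            .ToDictionary(p => WebUtility.UrlDecode(p[0]), p => WebUtility.UrlDecode(p.Length == 2 ? p[1] : "").Split(','));
        if (!claims.TryGetValue("ExpiresOn", out var exp) ||
            DateTimeOffset.FromUnixTimeSeconds(long.Parse(exp[0])).UtcDateTime <= utcNow) return null;
        return claims;
    }

    // Interceptor half: every [RequiresClaims] on the method must be present in the set.
    public static bool IsAllowed(MethodInfo method, Dictionary<string, string[]> claims)
    {
        return method.GetCustomAttributes<RequiresClaimsAttribute>()
            .All(r => claims.TryGetValue(r.Type, out var vals) && vals.Contains(r.Value));
    }
}
```

Call ValidateSwt with the token from the Authorization header and the key you configured in ACS; only a non-null result is passed on to IsAllowed for the resolved handler method.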

I was going to write a long blog post about how to build this from scratch with diagrams and screen shots and code samples but I found that I couldn’t be arsed. If you’d like more info on how to do this just drop me a line. In the meantime I’ve dropped the source files as follows :


9 Responses to Implementing a REST-ful service using OpenRasta and OAuth WRAP with Windows Azure AppFabric ACS.

  1. Scott Littlewood says:

    Wow really good example, good to see other uses of the IAuthenticationScheme. I’m sure seb would happily accept a pull request of this feature 🙂

    • Bert Craven says:

      Thanks Scott. I’m happy for my code to be used anywhere, although my samples are rarely production grade. Also, the TokenValidator class is a Microsoft DPE Sample. Not sure what the deal is on reusing that.

  2. Ismu says:

    Is it based on OAuth 2.0, or is it based on OAuth 1.0a?

    • Ismu says:

      I’m not even able to find the AuthenticationResult and IAuthenticationScheme interface. I’m using https://github.com/SteveDunn/openrasta-stable to get binaries.

      • Bert Craven says:

        They may not be implemented in that branch. I am using this version from GitHub : https://github.com/openrasta/openrasta-stable

    • Bert Craven says:

      I’m using the current Azure ACS which is WRAP v0.9 so it’s OAuth 1.1. However, the current version of ACS also supports WS-Federation, WS-Trust, OAuth 2.0 (Draft 13) so you can use those if you want but you would have to implement your own relying party verification code in place of my WRAP v0.9 verification code.

  3. Ismu says:

    At https://github.com/openrasta/openrasta-stable, which branch to use? master or openwrap? Because I’m unable to compile openwrap branch and that seems to be the latest one.

    • Ismu says:

      I’m trying to compile using make.bat

      • Bert Craven says:

        I used master rather than openwrap. Make.bat runs just fine from that branch.
