Web Camps TV

Securing ASP.NET Web APIs


Join your guides Cory Fowler and Jaffe Worley as they talk to the product teams in Redmond as well as the web community.

This week is a long-awaited show for many ASP.NET Web API developers out there: Daniel Roth joins us for the feature show on how to secure your ASP.NET Web API. There is a lot of amazing information, and this is a "must watch" episode. We also re-introduced the Web Site Window, in which we had Petr Podhorsky from the Web Sites team introduce us to remote debugging with Visual Studio 2013 and Windows Azure Web Sites.

Show Notes

Follow Daniel Roth
Follow Cory Fowler
Follow Jaffe Worley




    The Discussion

    • Roland Denson

The content was good, however the presenter doing the demo was incredibly dry and I had to take a Red Bull to keep from nodding off. I guess I am used to more engaging, interactice presenters. He seemed as if he was almost catatonic.

    • ronnel

Nice one guys, loved it. Do you have some kind of walkthrough page on how to basically take advantage of 'all' that you just showcased? More shows like this one please.

    • Roland Denson

      Before I receive a ton of responses, I fat-fingered interactive. It was an accident.

    • James Robinson

      Great content, but sadly it skipped the part I was most interested in...and that was the Google authentication from a Windows Store client.

From a Windows Store client, would I need to call ExternalLogins to get the URLs, display a browser and direct it to the selected URL? If so, once the user has been authenticated, what is the flow for authorising with the Web API? Do I call the Token endpoint passing the Google access token, and does that endpoint know how to validate the Google access token, or would I need to handle the request to make sure that the access token being passed belongs to a registered user?

One final question: could you make the Windows Store app sample available please? Thanks.

    • SyntaxC4

@Roland - I'm sorry you feel that way. We had a lot to cover in a short amount of time. Maybe next time we'll take the approach of breaking the episode into multiple segments split across weeks?

    • SyntaxC4

      @James - I'll follow up with Daniel and make sure we can get a sample of the Windows Store Client code. I'll reply with a link to a file once I get a hold of it.

    • CalvinCraig

      Is the Attach Debugger functionality not yet available?

I deployed a web role debug configuration to a staging area. The Attach Debugger context menu item is not listed in the Server Explorer node for my site. I'm using VS 2013 with the latest tools.

    • SyntaxC4

Attach Debugger is available for Cloud Services currently, as described in Scott Guthrie's blog post: http://weblogs.asp.net/scottgu/archive/2013/10/22/windows-azure-announcing-release-of-windows-azure-sdk-2-2-with-lots-of-goodies.aspx

The Attach Debugger for Windows Azure Web Sites is coming in a future release; we were giving an early preview as part of the Web Sites Window.

    • James Robinson

      @SyntaxC4 - Thanks for sorting that for me.

    • Sam Atkins

If you were storing user credentials in your system, how would you authenticate the user and get back the Bearer key?

    • ronnel

v2 of Katana is out. Can we have an in-depth episode for that?

    • Steve

Is it this site or the Silverlight player on my PC? Why does it not fetch more video when I have it paused, like YouTube? I am constantly getting buffering. On YouTube I pause it, get coffee, come back and play and all is good; on this site I pause and it just stops. Hmm, perhaps it should be a stop button, not a pause button, if this is the behaviour for everyone.

I have reverted to a download now, but just thought after all these months I would mention it today.
Anyone else?

    • brendan

What I don't get is why at minute 46 or so, when talking about AppStore (native) clients authenticating against Azure AD, they are referencing an out-of-date library. Isn't ADAL the new standard? Not only that, but it's an older beta at that. ADAL doesn't work with AppStore development yet as far as I can tell.

    • Duncanma

@Steve: click on Format under the player and pick Progressive, HTML 5 or Flash, and it will buffer the way YouTube does.

    • IceX

Is there some documentation on how to move solutions from VS2012 to VS2013 to take advantage of these new OAuth features?

    • scyonx

What's the difference between Organizational Accounts and Windows Authentication? They seem pretty similar. Is there an overlap?

    • stevea30

      @Duncanma: thanks

    • manishthouri

This is really cool stuff. I was waiting for this. I am ready to roll now. Thanks again, keep posting this kind of awesome stuff.

    • starforce

I like the video and it was very helpful, but Daniel Roth was like on speed dial or using the force. Was this his first presentation?

    • David

Thanks for the show. It was very informative, but I really would love to see some guidance on customizing the new security mechanism to work with existing user repositories. We have our own custom user repository and I have been struggling with how to use individual accounts with my own user repository. I don't really care about connecting with Facebook, Google or Azure. That's great for public-facing apps, but when you have a private intranet application that requires a separate login mechanism besides Windows or AD, how can you hook that up? What interfaces do you need to implement or handler do you need to create? Some guidance in that direction would be truly beneficial.

    • starforce

So if I was using WebApi as my service layer and I wanted to allow smartphone and tablet apps and web browsers to access these endpoints in a secure manner, would I perform this task by following the single page example demonstrated in the video? I know you guys are mainly focused on Windows products, but it would be nice to see an Android or iOS device demo showing how to connect to an application server that is hosting the WebApi modules (Windows Azure, OWIN on Windows Server) to access data in a secure manner.

    • Jason Ren

What about a scenario for handling multi-organization authentication?
For instance, some web client apps use Microsoft corp AD accounts, and some apps use their on-premise AD accounts. Do we support that?

    • guillemsola

I'm with @David's question too. In my organization we have a complex authentication & authorization system, so I'm thinking how to use all that goodness in a corporate environment.

.NET has more to do with corporate applications rather than Facebook, Twitter, etc., so I would really appreciate more guidance showing how to extend and customize this.

    • SyntaxC4
    • danroth27

      For organizational or corporate account scenarios I recommend looking at leveraging Azure Active Directory. You can find out more about how to do this on Vittorio Bertocci's blog:


    • Angie Menegay

      Thank you @SyntaxC4 for the link to the samples, and @James for asking the same question I was looking for :). These samples are great!
