Secure ASP.NET Web API with Windows Azure AD and Microsoft OWIN Components

摘要

As the role Of the Web API becomes more prominent, so does the need to ensure you can use it confidently in high-value scenarios, where sensitive data and operations might be exposed. The industry is clearly converging on a solution for securing REST APIs that relies on the OAuth 2.0 standard. In practice, though, this doesn't offer detailed guidance on what should be done at the project level. Furthermore, the existing classes and tools in the Microsoft .NET Framework for securing communications were designed to work with particular application types (postback-based Web UX apps). They aren't a good fit for Web APIs and the multi-client scenarios they enable. As a result, securing a Web API has been a fairly artisanal activity. It isn't necessarily insecure, but varies greatly across solutions and requires far too much custom code.