What is the relationship between owin and oAuth2.0?
I study external login strategies and the terminology confuses me. What's the relation between the following.
- Owin
- OauthWebSecurity
- OAuth 2.0
- Owin Katana
- ASP.NET Identity
Owin
Owin is no more than a specification. It stands for Open Web Interface for .Net. In very simplistic terms it is based in the idea that using a few language constructs (delegates and a dictionary) you can create a framework for handling web requests that is independent of where it is hosted (you can even run an "owin application" from a console app).
The implementation of Owin's specification is called Katana.
OAuth
OAuth 2.0 is an Authorization protocol. The idea behind OAuth is that you (the resource owner) can delegate access privileges to a third-party. An example is a Web app being able to post on your Facebook wall for you. Again, in very simplistic terms, this materializes by sending a 302 redirect to the user when she accesses a protected resource. That 302 redirects the user, for example to Facebook's oauth login page (https://www.facebook.com/dialog/oauth?client_id=...&redirect_url=[yourwebapp]&scope=[permissionsrequiredfromuser]). After you login to facebook, accept the permission request, facebook will send a 302 redirect to the redirect_url you provided with an access_token that you can then use to send requests on behalf of the user that provided the credentials. For example, to get information about the user you'd perform a request to https://graph.facebook.com/me?access_token=[access_token]. There are variations for this workflow. They are all explained in the links at the end of the answer.
ASP.NET Identity
ASP.NET Identity has nothing to do with ASP.NET. Talk about poor naming... It provides functionality to save and retrieve user's data from a data source. It also provides you with the ability to associate claims and roles to the users, other "login providers" (that would be the case when you "login with facebook" and your user_id from facebook gets associated with your local user id, this information is stored in the AspNetUserLogins table).
The way you see it being used in the MVC project template is in the Account controller and the CookieAuthenticationMiddleware.
References
Owin/Katana:
http://odetocode.com/blogs/scott/archive/2013/07/09/getting-started-with-owin-katana-and-vs2013.aspx http://odetocode.com/blogs/scott/archive/2013/11/11/writing-owin-middleware.aspx http://odetocode.com/blogs/scott/archive/2013/11/12/simple-logging-middleware-katana-part-4.aspx http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana http://www.asp.net/aspnet/overview/owin-and-katana/owin-startup-class-detection
OAuth
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1 http://blogs.msdn.com/b/webdev/archive/2013/07/03/understanding-owin-forms-authentication-in-mvc-5.aspx http://www.asp.net/web-api/overview/security/external-authentication-services
ASP.NET identity
http://brockallen.com/2013/10/20/the-good-the-bad-and-the-ugly-of-asp-net-identity/ http://curah.microsoft.com/55636/aspnet-identity http://typecastexception.com/post/2014/04/20/ASPNET-MVC-and-Identity-20-Understanding-the-Basics.aspx