Share What We Say




Authentication in Web APIs. Keys, OAuth or HMAC

Pablo Blog - Tue, 2013-05-21 15:18

Most of the Web APIs available on the web nowadays use some kind of authentication to identify client applications. Although they implement authentication in different ways, they can typically be categorized into three main groups: services that use Keys, OAuth or HMAC.

Keys is the first scenario and probably the simplest one. Every client application is identified with a simple and fixed application key. This authentication mechanism is perhaps a bit weak, but the data that the service has to offer is not sensitive at all. The data is available to everyone with a key, and it is mostly used for public services such as Google Maps or a search for public pictures in Instagram, for example. The only purpose of the key is to identify clients and apply different SLAs (service level agreements) such as API quotas, availability, etc.

HMAC is typically used for consuming sensitive data that is only consumed by its owner and not shared with anyone else. This kind of authentication is typically used in multitenant applications, where a tenant is the owner of the data. This model fits really well with cloud computing, where a vendor such as AWS or Windows Azure uses a key for identifying the tenant and providing the right services and private data. No matter which client application is used to consume the services and data, the main purpose of the key is to identify the tenant. Hawk is a new specification born in this area to standardize HMAC authentication.

OAuth is the last one and probably the most complicated one. It was born with the idea of delegating authorization in the web 2.0. The service that owns the data can use OAuth to share that data with other services or applications without compromising the owner's credentials.

The analogy given by Eran Hammer Lahav in this post "Explaining OAuth" is very close to what the specification tries to address,

"Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using another key to unlock everything else."

This kind of authentication makes a lot of sense in social media services like Twitter, Facebook, Windows Live or Google, to name a few, where the service owns some private data like contacts or pictures that can be shared with other applications without putting the user credentials at risk.

OAuth assigns a key to every different client application allowed to consume the data, so the access can easily be revoked by disabling the key associated with that client application.

Categories: Blogs

node.js require helper for sublime

Jose Romaniello Blog - Thu, 2013-05-16 10:20

I published some time ago a plugin for Sublime that makes my life easier when working in node.js. It allows me to introduce require calls by searching for the files in the current folder.

I press ⌘⇧m, then I search the file/module I want to require and it automatically calculates the relative path. Also I can use it to introduce require to native modules, or the modules I've installed on my node_modules folder.

Here is a short video:

You can install it with the Sublime Package Control, source code is here.

Categories: Blogs

Workflow Manager 1.0 – Authentication Failed

ALopez Blog - Sun, 2013-05-05 05:44

Today, while getting started playing a bit with Workflow Manager, I ran into an issue attempting to use WorkflowManagementClient to connect to the service.

The error was

Authentication Failed. Valid credentials must be provided for one of the following protocols: Negotiate. HTTP headers received from the server

In my case, to fix this issue, installing the Windows Authentication feature worked for me.

Hope this helps


Categories: Blogs

Kidozen is alive!

Leandro Boffi - Fri, 2013-05-03 14:11

During the last year I worked almost exclusively on this. Kidozen, the world’s best cloud-based platform for building mobile applications with enterprise capabilities.

Now, after a very successful private beta period, we are announcing public availability. I’ll go deeper on what Kidozen is and why it is the world’s best cloud-based enterprise mobility platform, but I’d like to start by talking about the experience of building this amazing product.

First of all I have to say that this is the kind of product that I always wanted to work on. Why? Well, first because Kidozen is a platform for developers: APIs, SDKs, services and tools that developers will use, and second because it is cloud-based and cloud computing is one of my favorite topics. Also, as you can imagine, building a whole cloud-based platform requires a lot of engineering work, which was very interesting and enriching to do.

Kidozen’s core was built using Node.js and a bunch of cloud services, so you can imagine how “cloud” its spirit is. We built the whole platform from scratch; it took a lot of effort and it could only have been done by a talented team like the Tellago Studios team. At this point I want to thank the whole team: Gustavo, Silvio, Christian, Soledad, Jose (who is not here anymore but devoted a lot of effort to the project and put in place many of its cornerstones) and Jesus (the man with the vision) for the tremendous talent, the passion, the work over nights and basically for letting me share with them this amazing experience that was building Kidozen.

What is Kidozen?

Imagine that you are a company that needs to build mobile applications for your employees or your customers. You will need to resolve things like data storage, logging, notifications, configuration, etc. You will also need to resolve how to secure your data, maybe using your company directory credentials, Active Directory for example, outside of the boundaries of your company, or your Google Apps account. And what about distributing those apps, and managing them? Well, Kidozen is here to solve all those problems for you.

Now, I’ve said that Kidozen is the world’s best cloud-based platform for doing enterprise mobility. Why? Because Kidozen not only provides data storage, push notifications, messaging, SMS, email, configuration, logging, queues and many other backend services in a simple and secure way, it also provides a standard way to build, manage and distribute your company's mobile applications.

We give you an app-centric model in which you have all those services isolated and ready to use with a single line of code, in a secure way using your company credentials (Active Directory) or web providers like Google, Yahoo, Facebook, etc…

We also provide a marketplace for your company that allows you to centralize the distribution of your applications, a management portal where you can create, manage, configure and publish your applications and SDKs for all the popular mobile platforms: Windows 8, iOS, Android and we also have a JavaScript SDK and hosting for HTML5 applications.

Why is it the best one for developers? Let me say it this way: this is all the code you need to authenticate your Android users against your company AD, outside of your LAN:

kido.Authenticate("John Smith", "P@ssw0rd!", authCallback);

And this is all the code you need, to authenticate against your partner AD in the same application:

kido.Authenticate("Partner AD", "John Smith", "P@ssw0rd!", authCallback);

Or this is all the code you need to send push notifications through all your iPhones or iPads:

    id notification = [kido pushNotifications];
    [notification pushNotification:@"Kidozen Rocks!" InChannel:@"kidoChannel"];

Did you get that? It is really simple but at the same time powerful.

Why is it the best one for architects? Because it provides a simple, unified and standard way of building all your company applications; the final result is more maintainable and standardized applications.

Why is it the best one for managers? Because now, with Kidozen, you can apply all your workforce to building feature-rich business applications without having to spend time solving technical problems.

So that is Kidozen, our way of democratizing enterprise mobile application development. Give it a try!

Next steps

We are already working on the next version of Kidozen, expanding one of our key features, “Line of Business APIs”. With this feature you will be able to integrate your on-premise services with your mobile applications in a secure way, with a single line of code.

If you want more information about Kidozen, don’t hesitate to contact us!

 

Categories: Blogs

Publish to Directly To Azure Web Sites With WebMatrix

Professional ASP.NET Blog - Wed, 2013-05-01 20:39
WebMatrix is one of my favorite development tools because it really allows me to focus on what I love to do most, build modern web clients. It is a free Web IDE available from Microsoft and today they released version 3 for general availability . There...(read more)
Categories: Blogs

17000 Tweets in 365 Days - Not Too Many To Be Annoying

Professional ASP.NET Blog - Tue, 2013-04-30 14:29
What the heck was I thinking? Why did I do it? What did I learn? How did I do it? These are all things I have asked myself and others have asked me over the past year. It sounds like an odd labor to undertake and such an odd number. But yes I did 17,000...(read more)
Categories: Blogs

Introducing ToolbarJS - A HTML5 JavaScript Library to Implement the Windows Phone AppBar Functionality

Professional ASP.NET Blog - Sun, 2013-04-28 12:03
Back in February I released deeptissuejs , a HTML5, JavaScript touch gesture library. In January I release panoramajs a HTML5, JavaScript library to implement the basic Windows Phone panorama control experience. This month I am excited to release another...(read more)
Categories: Blogs

Exception from HRESULT: 0x8100031E --> Visual Studio 2008 & TFS 2010

BizTalkUnleashed Blog - Tue, 2013-04-23 08:00

Originally posted on: http://geekswithblogs.net/BizTalkUnleashed/archive/2013/04/23/exception-from-hresult-0x8100031endashteam-foundation-server.aspx

If you get the above error while connecting to Team Explorer from either Visual Studio 2008, the reason “might be” Microsoft Communicator or Live Messenger installed on the machine and on top of it if you also have Team Foundation Server Power Tools installed. I have seen this error so far only with VS 2008 with TFS 2010.

Somehow the Power Tools –> Team Members feature is trying to collaborate with the Microsoft Communicator members and throws below error as it might be failing to connect.


Quick Fix:

Go to Visual Studio 2008 –> Tools –> Options –> Team Foundation Server Power Tools and set Team Members flag as False. Restart Visual Studio and you should not get that error.


Thanks,

Vishal Mody

 

Categories: Blogs

HTML5 and CSS3 Zebra Striping - Look Ma No JavaScript

Professional ASP.NET Blog - Mon, 2013-04-22 11:36
It was 5 maybe 6 years ago when I first started learning jQuery. One of the first things I did was order the jQuery In Action book . If you have read that book you should remember one of the first examples given, zebra striping a table. To me this example...(read more)
Categories: Blogs

Listen to Me Talk to Carl & Richard about the Surface Pro, Mobile Development and More

Professional ASP.NET Blog - Thu, 2013-04-18 11:53
A few weeks ago I got to sit down and chat with the DotNetRocks guys about a variety of topics. The initial premise for the interview was to talk about the Surface and why I love it so much. I think we got into some great tangents right from the start!...(read more)
Categories: Blogs

A New Way to do Integration: Introducing the Integration Platform as a Service

Jesus Blog - Wed, 2013-04-17 13:05
Our new Tellago Technology Update webinar will take place next Tuesday and the topic couldn't be more exciting. Building cloud integration solutions using integration iPaaS technologies. Here are the details: Title: A New Way to do Integration: Introducing...(read more)
Categories: Blogs

Why Its Time to Sunset jQuery

Professional ASP.NET Blog - Sun, 2013-04-14 14:15
I owe so much to John Resig and the jQuery team for creating such a wonderful framework. I have staked most of my recent career on jQuery the way I staked my career on ASP.NET back in 2001. I have built many applications using jQuery over the past five...(read more)
Categories: Blogs

The Good and Bad For MtGox.com - Helping it Scale With Web Performance Optimization

Professional ASP.NET Blog - Fri, 2013-04-12 13:30
BitCoin seems to be latest rage with wild value fluctuations. The past few days have seen a very wild roller coaster for the online currency. Most of the world's BitCoins are exchanged at MtGox.com , which has had some issues either with a denial of service...(read more)
Categories: Blogs

HTML5 Is Ready For the Big Time, Are You?

Professional ASP.NET Blog - Sun, 2013-04-07 02:11
Much has been said and 'debated' in recent years about the viability of HTML5. It should be obvious where I stand if you read my Blog or talk to me in person. HTML5, CSS3 and JavaScript are certainly ready and have been for a while. The big problem, as...(read more)
Categories: Blogs

Use a DataList element for an HTML5 Auto Complete Experience

Professional ASP.NET Blog - Mon, 2013-03-25 17:11
Guided user input is almost always a good idea when architecting a data entry experience. You want to help the user avoid potential mistakes. With on screen, mobile keyboards you want to reduce the keystrokes required to enter data and at the same time...(read more)
Categories: Blogs

Tellago Technology Updates Webinar: Building Big Data Solutions in the Microsoft Platform

Jesus Blog - Wed, 2013-03-20 12:53
We are excited to announce that next Tuesday we will be presenting a webinar about one of the hottest enterprise software trends in the industry and one that is just starting to be more widely accepted within Microsoft enterprise customers: big data....(read more)
Categories: Blogs

MS TechDays Session: Big Data in the Microsoft Platform

Jesus Blog - Wed, 2013-03-13 12:15
The slides from my big data session at Microsoft TechDays can be found below. During the session, we discussed a lot of the fundamental technologies of the most popular Hadoop distributions including HDFS, Map-Reduce, HBase, Hive, Pig, Sqoop and others...(read more)
Categories: Blogs

Giving temporary access to your ASP.NET Web API with Hawk

Pablo Blog - Fri, 2013-03-08 15:00

One of the features supported by Hawk, an HTTP authentication protocol based on HMAC, is to provide read-only access to a Web API for a short period of time. That’s performed through a token called “bewit” that a Web API can provide to a client. That token is only valid for HTTP GET calls and it can be used for a limited period of time.

I already implemented this feature in my Hawk port for .NET. A bewit token can be generated as it is shown below,

    var credential = new HawkCredential
    {
        Id = "dh37fgj492je",
        Key = "werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn",
        Algorithm = "hmacsha256",
        User = "steve"
    };

    var bewit = Hawk.GetBewit("localhost",
        new Uri("http://localhost:8091/Api/HelloWorld"),
        credential,
        60000);

The GetBewit method expects the following arguments,

  • The host name
  • The complete request URI
  • The Hawk credentials with information about the key and algorithm to use
  • A time-to-live setting in seconds for the token

That token is a string representation that you can add as an additional query string in the Web API call.

new HttpRequestMessage(HttpMethod.Get, "http://localhost:8091/Api/HelloWorld?bewit=" + bewit);

In that way, you can share a link to your Web API with a limited access for a period of time to someone without having to share any security credentials.

On the service side, it is as simple as configuring the HawkMessageHandler as part of the Web API configuration,

    var handler = new HawkMessageHandler((id) =>
    {
        return new HawkCredential
        {
            Id = id,
            Key = "werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn",
            Algorithm = "hmacsha256",
            User = "steve"
        };
    });

    config.MessageHandlers.Add(handler);

The handler will automatically detect a bewit token in the query string, and it will perform all the required validations.
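As an added illustration (not part of the original post and not HawkNet code), this Node.js sketch shows what a bewit-style token carries and the checks a service has to make before honouring the link: GET only, not expired, known id, and a MAC bound to the exact URL. The field layout is modeled on Hawk's bewit but is an assumption here and is not guaranteed to interoperate with Hawk implementations; `getBewit`, `validateBewit`, the 60-second lifetime and the timestamp are hypothetical, and the credential values are the sample ones from the post.

```javascript
const crypto = require('crypto');

// Assumed layout, modeled on Hawk's bewit (not guaranteed interoperable):
// the MAC binds expiry, method, resource, host and port to the shared key.
function bewitMac(key, exp, resource, host, port) {
  const normalized =
    ['hawk.1.bewit', exp, '', 'GET', resource, host, port, '', ''].join('\n') + '\n';
  return crypto.createHmac('sha256', key).update(normalized).digest('base64');
}

const b64url = (s) => Buffer.from(s, 'utf8').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
const portOf = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');

// Path plus query with any bewit parameter removed; used by both sides so
// the signer and the verifier normalize the URL identically.
function resourceOf(u) {
  const params = new URLSearchParams(u.search);
  params.delete('bewit');
  const query = params.toString();
  return u.pathname + (query ? '?' + query : '');
}

// Issuer side: token = base64url(id \ exp \ mac \ ext), with ext left empty.
function getBewit(credential, uri, ttlSec, nowSec) {
  const u = new URL(uri);
  const exp = String(nowSec + ttlSec);
  const mac = bewitMac(credential.key, exp, resourceOf(u), u.hostname, portOf(u));
  return b64url([credential.id, exp, mac, ''].join('\\'));
}

// Service side: every check must pass before the request is treated as authenticated.
function validateBewit(method, uri, lookup, nowSec) {
  if (method !== 'GET') return { ok: false, reason: 'bewit is only valid for GET' };
  const u = new URL(uri);
  const token = u.searchParams.get('bewit');
  if (!token) return { ok: false, reason: 'no bewit' };
  const parts = unb64url(token).split('\\');
  if (parts.length !== 4) return { ok: false, reason: 'malformed bewit' };
  const [id, exp, mac] = parts;
  if (!/^\d+$/.test(exp) || Number(exp) <= nowSec) return { ok: false, reason: 'expired' };
  const credential = lookup(id);
  if (!credential) return { ok: false, reason: 'unknown id' };
  const expected = bewitMac(credential.key, exp, resourceOf(u), u.hostname, portOf(u));
  const a = Buffer.from(mac), b = Buffer.from(expected);
  // Constant-time comparison so the check does not leak how much of the MAC matched.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return { ok: false, reason: 'bad mac' };
  return { ok: true, user: credential.user };
}

// Constructed sample: credential values from the post, made-up clock and lifetime.
function demo() {
  const cred = { id: 'dh37fgj492je', key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', user: 'steve' };
  const lookup = (id) => (id === cred.id ? cred : null);
  const base = 'http://localhost:8091/Api/HelloWorld';
  const now = 1362754800;
  const link = base + '?bewit=' + getBewit(cred, base, 60, now);
  return {
    fresh: validateBewit('GET', link, lookup, now + 30),
    late: validateBewit('GET', link, lookup, now + 61),
    post: validateBewit('POST', link, lookup, now + 30),
    moved: validateBewit('GET', link.replace('HelloWorld', 'Admin'), lookup, now + 30),
  };
}
console.log(demo());
```

Because the MAC covers the path and query, the same token cannot be moved to another resource, and revoking access early means rotating the key, since the token itself carries no server-side state.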

Categories: Blogs

Why I Think Microsoft Should Buy Barnes & Noble

Professional ASP.NET Blog - Tue, 2013-03-05 17:54
One of the topics discussed recently on Windows Weekly was Barnes and Noble's financial issues . During the discussion Mary Jo Foley mentioned the idea of Microsoft buying the retail chain. She mentioned it would give them, a sizable retail presence....(read more)
Categories: Blogs

ASP.NET Web API Logging and Troubleshooting

Pablo Blog - Fri, 2013-03-01 14:48

ASP.NET ships with two built-in mechanisms for doing logging and troubleshooting. Chasing errors without knowing these two mechanisms might be a daunting task, especially if they happen in the runtime pipeline long before a message gets to a handler or a controller.

The first mechanism is the error policy. You can configure the error policy preferences as part of the configuration object (HttpConfiguration) in the IncludeErrorDetailPolicy property. This is just an enum that instructs Web API about how to deal with exceptions.

The possible values for this enum are,

  • Default: Uses the customErrors configuration settings if you are using ASP.NET as host, or LocalOnly for self-host.
  • LocalOnly: Only includes error details for local requests
  • Always: Always includes error details
  • Never: Never includes error details

When an exception happens, Web API will check the value on this setting for including details about the exception in the response message or not. For example, if Always is enabled, Web API will serialize the exception details as part of the message that you get as response.

The second mechanism is Tracing. Tracing is a service that you can inject as part of the configuration object as well. The default implementation does not do anything.

    public static void Register(HttpConfiguration config)
    {
        // Swap the default trace writer for the custom one
        config.Services.Replace(typeof(ITraceWriter), new MyTracer());
    }

MyTracer is a custom implementation of the ITraceWriter service, which Web API uses for tracing purposes. This is a general tracing mechanism, so Web API will call it for logging everything and not just errors.

    using System;
    using System.Net.Http;
    using System.Web.Http.Tracing;

    public class MyTracer : ITraceWriter
    {
        public void Trace(HttpRequestMessage request, string category, TraceLevel level,
            Action<TraceRecord> traceAction)
        {
            // Let Web API fill in the record, then write it out
            TraceRecord rec = new TraceRecord(request, category, level);
            traceAction(rec);
            WriteTrace(rec);
        }

        protected void WriteTrace(TraceRecord rec)
        {
            var message = string.Format("{0};{1};{2}", rec.Operator, rec.Operation, rec.Message);
            System.Diagnostics.Trace.WriteLine(message, rec.Category);
        }
    }

If neither of these two works for you, you can still use an Error Filter. Tugberk has written a blog post about how to integrate ELMAH with an Error Filter in Web API here.

Categories: Blogs