I often receive questions about OData and authentication, specifically about OData + OAuth. The scenario is simple: you have a site or service and you want to provide a developer API so that third parties can integrate. The API must of course be secure: callers must be properly authenticated, and only authorized resources/data must be available.
Before we start going into details, let’s build a sample site just so we have some context.

Our site will be a front-end for the Hobbit's Bank Of The Shire and we’ll use:
The Site

The site lets members sign in by presenting a list of all members; a member then clicks on himself to sign in.

Members will be stored in the Principals table and represented by the XPO object Principal:
    using System;
    using DevExpress.Xpo;

    [Persistent("Principals")]
    public class Principal : XPLiteObject {
        public Principal() { }
        public Principal(Session session) : base(session) { }

        // Primary key, generated automatically.
        [Key(AutoGenerate = true)]
        public Guid ID { get; set; }

        [Size(128)]
        public string FullName { get; set; }

        public byte[] Picture { get; set; }

        // Unique per member.
        [Size(128)]
        [Indexed(Unique = true)]
        public string Email { get; set; }

        public DateTime Created { get; set; }
        public DateTime Modified { get; set; }
    }
Once signed in, a member can see all the valuables in his safety-deposit box:

Valuables will be stored in the Valuables table and represented by XPO object Valuable:
    [Persistent("Valuables")]
    public class Valuable : XPLiteObject {
        public Valuable() { }
        public Valuable(Session session) : base(session) { }

        [Key(AutoGenerate = true)]
        public Guid ID { get; set; }

        [Size(128)]
        public string Name { get; set; }

        [Indexed(Unique = false)]
        public Guid Owner { get; set; }
    }
The API
Our data will be exposed through WCF Data Services using the XPO Data Service Provider:

    using System.Data.Services;
    using System.Data.Services.Common;

    [ConnectionString("BankOfShire")]
    public class OData : XpoDataService {
        public static void InitializeService(DataServiceConfiguration config) {
            // "*" applies the rule to every entity set: all of them are readable.
            config.SetEntitySetAccessRule("*", EntitySetRights.AllRead);
            // "*" applies the rule to every service operation: all of them can be invoked.
            config.SetServiceOperationAccessRule("*", ServiceOperationRights.All);
            config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V2;
        }
    }
Web.config
    <connectionStrings>
      <add name="BankOfShire"
           connectionString="XpoProvider=MySql;Server=localhost;Database=BankOfShire;Uid=root;Pwd=password;" />
    </connectionStrings>
The XPO Data Service Provider lives in DevExpress.Xpo.v10.2.Data.Services, so we’ll need to reference that. And because we are using MySQL we’ll need:
We can now make some OData calls from the browser:

Now that the foundation is laid, here is what to expect from this series:
Download the source code for Part 1
Cheers
Azret