OWIN and OAuth: what are they and how to use them?


10

I am looking at Web API tutorials with authentication/authorization and I came across these two concepts; although they are explained in the tutorials, the settings are not clear.

Even searching the web, the explanations in English are confusing (for me) and in Portuguese also did not help.

  • I’ll comment because I wouldn’t know how to give a complete answer: In short, these are HTTP authentication methods. These are simply different schemes that HTTP provides for authentication.

  • In some examples, I saw that the two are used simultaneously. You can summarize the answer; it need not be a detailed answer.

  • Given the comment I decided to answer. I do not know if it will be enough, but I think you already know that the question borders on being too broad. Besides asking about two things, asking how to use them without context, without a specific problem, gets complicated.

1 answer

13


OWIN (Open Web Interface for .NET) is a solution to generalize the application's access to the host. Before it existed, running ASP.NET required IIS, or one had to modify ASP.NET's own components to use another host. IIS was a dependency, and worse, the components that communicate with IIS were heavy.

In the new .NET philosophy of having more open solutions, it was necessary to create a standard way of communication between the application and the host, thus allowing the use of other hosts, including having the application itself take care of it, so that the communication can be made more flexible, lightweight and customized to each situation.

OWIN is precisely the specification of how this communication works. Some implementations of this specification are Katana, which allows self-hosting of the application, and Helios, which allows use with IIS.

There is an answer about its use here on the site.

OAuth is a standard too, a specification of how applications should authorize. It doesn't matter if the application is for the web, mobile or desktop, as long as it communicates in the standard way specified and through the HTTP protocol.

You may use various authorization providers, provided by you in isolation or, most commonly, by third parties. So you don't have to worry about the whole process; you just need to know if the user is authorized or not.

In this way, data that needs to be safe stays outside the application and probably in the hands of those who know how to keep it safe and have the trust of the owner of the information. The app only receives what is relevant to it.

An implementation of the standard for .NET is DotNetOpenAuth. With it you just need to learn the API and don't have to worry about the standard itself. There are other implementations. OWIN uses the OWIN OAuth 2.0 Authorization Server for this.

Wikipedia article about it.

  • Since I stood still in time (with regard to Web API), my last contact was with Self-Host ASP.NET Web API 1. Now, with this OWIN/OAuth alphabet soup, the confusion was great. Would OWIN be an evolution of the Self-Host ASP.NET Web API 1? If so, this observation could be added to the answer.

  • 1

    In a way it is an evolution, yes, but now done the right way; before, it was quite a kludge that had many defects and carried unnecessary components. OWIN is so much more than this, and it doesn't even have to be self-hosted; that is just one of the ways it is used. Katana is an implementation of OWIN that works self-hosted. OAuth is something completely separate.

  • @bigown I read in your reply the mention that OAuth is for authenticating applications. I use this protocol and I am aware that it is AUTHORIZATION and not AUTHENTICATION...?

  • @chambelix Yes, it is; it is quite obvious that this is what its page says. It was a mistake of mine, I will fix it. Thank you.
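How the two pieces fit together in a Katana application, as an added example that is not part of the original answer or its comments: OWIN supplies the middleware pipeline, and the OAuth middleware from the Microsoft.Owin.Security.OAuth package plugs into it to issue and validate bearer tokens. `DemoProvider`, the `/token` path, the 15-minute lifetime and the hard-coded user are assumptions made for the illustration.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical provider: decides which requests to the token endpoint are granted.
public class DemoProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // assumption: one public client, so there is no client secret to check
        return Task.FromResult(0);
    }
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Constructed demo check; a real application verifies a salted password hash.
        bool ok = context.UserName == "alice" && context.Password == "constructed-demo-password";
        if (!ok)
            context.SetError("invalid_grant", "The user name or password is incorrect.");
        else // the issued token carries only the claims placed in this identity
            context.Validated(new ClaimsIdentity(
                new[] { new Claim(ClaimTypes.Name, context.UserName) }, context.Options.AuthenticationType));
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app) // called by the Katana host; each call adds one middleware
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new DemoProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15), // short-lived tokens limit the value of a leak
            AllowInsecureHttp = false // the token endpoint refuses plain HTTP
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        app.Run(ctx =>
        {
            var user = ctx.Authentication.User; // set by the bearer middleware when the token is valid
            if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
                return ctx.Response.WriteAsync("Hello, " + user.Identity.Name);
            ctx.Response.StatusCode = 401; // no valid bearer token was presented
            return Task.FromResult(0);
        });
    }
}
```

The same `Startup` class runs unchanged under a self-hosted Katana process or under IIS, which is the host independence OWIN specifies; the protected handler only sees the resulting identity, never the password.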
