Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Delegated Access with OAuth
Search
devNetNoord
April 04, 2024
Technology
0
30
Delegated Access with OAuth
Presentatie gegeven tijdens devCampNoord '24 in Kinepolis Groningen.
devNetNoord
April 04, 2024
Tweet
Share
More Decks by devNetNoord
See All by devNetNoord
Gebruik je broncode als documentatie voor je stakeholders
devnetnoord
0
19
Efficient and Secure Software Delivery with Azure Deployment Environments and Dev Box
devnetnoord
0
21
Toepassing van AI in de zorg; hype, hoop en haalbaarheid
devnetnoord
0
40
What's new with Azure Bicep?
devnetnoord
0
27
Copilot Beyond the Basics
devnetnoord
0
78
The Blazor Multiverse
devnetnoord
0
70
De Architectuur Odyssee
devnetnoord
0
35
Azure Kubernetes Service Quickstart
devnetnoord
0
48
The Office Copilot
devnetnoord
0
24
Other Decks in Technology
See All in Technology
おやつは300円まで!の最適化を模索してみた
techtekt
PRO
0
280
[RSJ25] Feasible RAG: Hierarchical Multimodal Retrieval with Feasibility-Aware Embodied Memory for Mobile Manipulation
keio_smilab
PRO
0
110
なぜテストマネージャの視点が 必要なのか? 〜 一歩先へ進むために 〜
moritamasami
0
140
Grafana MCPサーバーによるAIエージェント経由でのGrafanaダッシュボード動的生成
hamadakoji
1
1.4k
ZOZOマッチのアーキテクチャと技術構成
zozotech
PRO
3
1.3k
生成AI時代のデータ基盤
shibuiwilliam
6
3.7k
なぜSaaSがMCPサーバーをサービス提供するのか?
sansantech
PRO
8
2.5k
AI エージェントとはそもそも何か? - 技術背景から Amazon Bedrock AgentCore での実装まで- / AI Agent Unicorn Day 2025
hariby
4
1.1k
Grafana Meetup Japan Vol. 6
kaedemalu
1
280
機械学習を扱うプラットフォーム開発と運用事例
lycorptech_jp
PRO
0
180
研究開発と製品開発、両利きのロボティクス
youtalk
1
470
開発者を支える Internal Developer Portal のイマとコレカラ / To-day and To-morrow of Internal Developer Portals: Supporting Developers
aoto
PRO
1
360
Featured
See All Featured
Optimising Largest Contentful Paint
csswizardry
37
3.4k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
30
9.6k
RailsConf 2023
tenderlove
30
1.2k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.8k
We Have a Design System, Now What?
morganepeng
53
7.8k
Automating Front-end Workflow
addyosmani
1370
200k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Art, The Web, and Tiny UX
lynnandtonic
302
21k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
910
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Transcript
Delegated Access with OAuth Why Developers Should Care Annejan Barelds
Software Architect DevCampNoord April 4th, 2024
Annejan Barelds Software Architect - 4Dotnet Azure – .NET –
Architecture – Consultancy https://www.linkedin.com/in/barelds/ https://github.com/AnnejanBarelds
Delegated Access OAuth 2.0 On-Behalf-Of
2008 Alice Bob Charlie Alice Bob Charlie App ID
2016
2024
App ID Alice Bob Charlie
App ID Alice Bob Charlie App ID App ID ?
?
None
Office 365 The Need for Zero Trust
User Role Group Device Config Location Last Sign-in Conditional access
risk Health/Integrity Client Config Last seen High Medium Low Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Device
User Role Group Device Config Location Last Sign-in Conditional access
risk High Medium Low Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Health/Integrity Client Config Last seen Device Identity Permissions App Identity Permissions API Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication
OK, so we need delegated access. How does it work?
Resource Server Client IdP Resource Owner Data Scopes: - Read
- Write - … Roles: - Owner - Reader App App Required access: - RS/Read AT IT AT SP SP RS/Read openid Consent?
AT AT ? Resource Server Client IdP Resource Owner Data
Scopes: - Read - Write - … Roles: - Owner - Reader App Required access: - RS/Read IT AT SP SP RS/Read openid IdP App AT API Scopes: - Read Required access: - API/Read Required access: - RS/Read App SP AT AT AT API/Read RS/Read
https://www.youtube.com/watch?v=WVNvoiA_ktw John Savill's Technical Training
Demo time
So it’s all rainbows and unicorns?
OAuth On-Behalf-Of is about user context You need user context
for - Autonomy - Auditing - Access checks Microsoft Entra ID takes some getting-used-to MSAL solves the coding part
Thanks!