Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Delegated Access with OAuth
Search
devNetNoord
April 04, 2024
Technology
0
25
Delegated Access with OAuth
Presentatie gegeven tijdens devCampNoord '24 in Kinepolis Groningen.
devNetNoord
April 04, 2024
Tweet
Share
More Decks by devNetNoord
See All by devNetNoord
Gebruik je broncode als documentatie voor je stakeholders
devnetnoord
0
13
Efficient and Secure Software Delivery with Azure Deployment Environments and Dev Box
devnetnoord
0
19
Toepassing van AI in de zorg; hype, hoop en haalbaarheid
devnetnoord
0
29
What's new with Azure Bicep?
devnetnoord
0
16
Copilot Beyond the Basics
devnetnoord
0
67
The Blazor Multiverse
devnetnoord
0
59
De Architectuur Odyssee
devnetnoord
0
29
Azure Kubernetes Service Quickstart
devnetnoord
0
40
The Office Copilot
devnetnoord
0
19
Other Decks in Technology
See All in Technology
JSX - 歴史を振り返り、⾯⽩がって、エモくなろう
pal4de
4
1.1k
rubygem開発で鍛える設計力
joker1007
1
140
20250625 Snowflake Summit 2025活用事例 レポート / Nowcast Snowflake Summit 2025 Case Study Report
kkuv
1
250
AWS Summit Japan 2025 Community Stage - App workflow automation by AWS Step Functions
matsuihidetoshi
1
160
あなたの声を届けよう! 女性エンジニア登壇の意義とアウトプット実践ガイド #wttjp / Call for Your Voice
kondoyuko
2
260
BrainPadプログラミングコンテスト記念LT会2025_社内イベント&問題解説
brainpadpr
0
160
ハノーバーメッセ2025座談会.pdf
iotcomjpadmin
0
150
初めてのAzure FunctionsをClaude Codeで作ってみた / My first Azure Functions using Claude Code
hideakiaoyagi
1
200
Uniadex__公開版_20250617-AIxIoTビジネス共創ラボ_ツナガルチカラ_.pdf
iotcomjpadmin
0
150
変化する開発、進化する体系時代に適応するソフトウェアエンジニアの知識と考え方(JaSST'25 Kansai)
mizunori
0
160
成立するElixirの再束縛(再代入)可という選択
kubell_hr
0
970
第9回情シス転職ミートアップ_テックタッチ株式会社
forester3003
0
170
Featured
See All Featured
Building Adaptive Systems
keathley
43
2.6k
Intergalactic Javascript Robots from Outer Space
tanoku
271
27k
The Cult of Friendly URLs
andyhume
79
6.4k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.6k
Building a Modern Day E-commerce SEO Strategy
aleyda
41
7.3k
A designer walks into a library…
pauljervisheath
206
24k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
GraphQLとの向き合い方2022年版
quramy
46
14k
Become a Pro
speakerdeck
PRO
28
5.4k
The World Runs on Bad Software
bkeepers
PRO
69
11k
Documentation Writing (for coders)
carmenintech
71
4.9k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.4k
Transcript
Delegated Access with OAuth Why Developers Should Care Annejan Barelds
Software Architect DevCampNoord April 4th, 2024
Annejan Barelds Software Architect - 4Dotnet Azure – .NET –
Architecture – Consultancy https://www.linkedin.com/in/barelds/ https://github.com/AnnejanBarelds
Delegated Access OAuth 2.0 On-Behalf-Of
2008 Alice Bob Charlie Alice Bob Charlie App ID
2016
2024
App ID Alice Bob Charlie
App ID Alice Bob Charlie App ID App ID ?
?
None
Office 365 The Need for Zero Trust
User Role Group Device Config Location Last Sign-in Conditional access
risk Health/Integrity Client Config Last seen High Medium Low Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Device
User Role Group Device Config Location Last Sign-in Conditional access
risk High Medium Low Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Health/Integrity Client Config Last seen Device Identity Permissions App Identity Permissions API Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication
OK, so we need delegated access. How does it work?
Resource Server Client IdP Resource Owner Data Scopes: - Read
- Write - … Roles: - Owner - Reader App App Required access: - RS/Read AT IT AT SP SP RS/Read openid Consent?
AT AT ? Resource Server Client IdP Resource Owner Data
Scopes: - Read - Write - … Roles: - Owner - Reader App Required access: - RS/Read IT AT SP SP RS/Read openid IdP App AT API Scopes: - Read Required access: - API/Read Required access: - RS/Read App SP AT AT AT API/Read RS/Read
https://www.youtube.com/watch?v=WVNvoiA_ktw John Savill's Technical Training
Demo time
So it’s all rainbows and unicorns?
OAuth On-Behalf-Of is about user context You need user context
for - Autonomy - Auditing - Access checks Microsoft Entra ID takes some getting-used-to MSAL solves the coding part
Thanks!
devnetnoord
pal4de
joker1007
kkuv
matsuihidetoshi
kondoyuko
brainpadpr
iotcomjpadmin
hideakiaoyagi
mizunori
kubell_hr
forester3003
keathley
tanoku
andyhume
mraible
aleyda
pauljervisheath
keithpitt
quramy
speakerdeck
bkeepers
carmenintech
eileencodes
