Delegated Access with OAuth
devNetNoord
April 04, 2024
Technology
Presentation given at devCampNoord '24 in Kinepolis Groningen.
Transcript
Delegated Access with OAuth
Why Developers Should Care
Annejan Barelds, Software Architect
DevCampNoord, April 4th, 2024
Annejan Barelds
Software Architect - 4Dotnet
Azure – .NET – Architecture – Consultancy
https://www.linkedin.com/in/barelds/
https://github.com/AnnejanBarelds
Delegated Access OAuth 2.0 On-Behalf-Of
[Diagram series, timeline 2008 / 2016 / 2024: users Alice, Bob and Charlie; an App ID sitting between them and the data; by 2024 one App ID calling another App ID, with a "?" where the user behind the call should be]
Office 365
The Need for Zero Trust
[Zero Trust diagram (shown twice, the second version extended): Conditional access evaluates User (Role, Group, Last Sign-in, risk: High / Medium / Low) and Device (Config, Location, Health/Integrity, Client Config, Last seen) before granting access to Intranet Resources. Actions: Allow, Allow Restricted, Require MFA, Block, Force Remediation. Network controls: Firewall, Intrusion Detection/Prevention, Forward/Reverse Proxy, keyed on Source IP Address/Port, Destination IP Address/Port, Signatures, Analytics, Allow List, Authentication; Actions: Allow, Block. The extended version adds Device Identity + Permissions, App Identity + Permissions, and an API tier.]
OK, so we need delegated access. How does it work?
[Flow diagram, part 1: Resource Owner, Client, IdP, Resource Server holding Data. Resource Server defines Scopes (Read, Write, …) and Roles (Owner, Reader). The client App is registered as an SP (service principal) with Required access: RS/Read. The IdP issues an IT (ID token, scope openid) and an AT (access token, scope RS/Read) after a Consent? step; the AT is presented to the Resource Server.]
[Flow diagram, part 2: a middle-tier API is added. The App requires API/Read; the API is itself an SP that requires RS/Read. The App's AT for API/Read is exchanged at the IdP for a second AT for RS/Read, which the API presents to the Resource Server.]
https://www.youtube.com/watch?v=WVNvoiA_ktw John Savill's Technical Training
Demo time
So it’s all rainbows and unicorns?
OAuth On-Behalf-Of is about user context.
You need user context for:
- Autonomy
- Auditing
- Access checks
Microsoft Entra ID takes some getting used to.
MSAL solves the coding part.
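The two-hop flow in the diagrams above (App → API → Resource Server) and the closing point that the resource server needs user context for auditing and access checks, as an added example that is not part of the deck and not MSAL or Entra ID code. It simulates the On-Behalf-Of exchange end to end: the request form fields (`grant_type`, `assertion`, `requested_token_use=on_behalf_of`) and claim names (`oid`, `scp`, `roles`, `appid`) follow the Microsoft identity platform conventions, but the IdP, issuer URL, app ids, scopes and users are made up, and the tokens are unsigned stand-ins so the script runs offline; a real API must validate the signature before trusting any claim.

```python
import base64
import json
import time

# Grant type the Microsoft identity platform uses for On-Behalf-Of.
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data, separators=(",", ":")).encode()).decode().rstrip("=")


def _unb64(s: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))


def encode_token(claims: dict) -> str:
    # Unsigned stand-in for a JWT (constructed for this example); never accept alg=none in production.
    return _b64({"alg": "none", "typ": "JWT"}) + "." + _b64(claims) + "."


def decode_token(token: str) -> dict:
    return _unb64(token.split(".")[1])


def build_obo_request(client_id, client_secret, incoming_token, downstream_scope) -> dict:
    """Form fields the middle-tier API posts to the token endpoint for OBO."""
    return {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,          # the access token the API itself received
        "scope": downstream_scope,            # e.g. api://<resource>/<permission>
        "requested_token_use": "on_behalf_of",
    }


class FakeIdp:
    """Minimal stand-in for the IdP (assumption, not Entra ID): issues tokens and performs OBO."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.apps = {}     # client_id -> {"secret", "audience"}   (registered service principals)
        self.consent = {}  # (user_oid, middle-tier client_id) -> set of consented downstream scopes

    def register_app(self, client_id, secret, audience):
        self.apps[client_id] = {"secret": secret, "audience": audience}

    def grant_consent(self, user_oid, client_id, scope):
        self.consent.setdefault((user_oid, client_id), set()).add(scope)

    def _base(self, client_id, audience):
        now = int(time.time())
        return {"iss": self.issuer, "aud": audience, "appid": client_id, "iat": now, "exp": now + 3600}

    def issue_delegated_token(self, user_oid, client_id, audience, scp):
        """Token a signed-in user obtained through client_id for resource `audience` (has scp + oid)."""
        return encode_token(self._base(client_id, audience) | {"oid": user_oid, "sub": user_oid, "scp": scp})

    def issue_app_only_token(self, client_id, audience, roles):
        """Client-credentials token: no user behind it, so `roles` and no `scp`/`oid`."""
        return encode_token(self._base(client_id, audience) | {"roles": roles})

    def exchange_obo(self, form: dict) -> str:
        if form.get("grant_type") != OBO_GRANT or form.get("requested_token_use") != "on_behalf_of":
            raise ValueError("unsupported grant")
        app = self.apps.get(form.get("client_id"))
        if app is None or app["secret"] != form.get("client_secret"):
            raise PermissionError("client authentication failed")
        claims = decode_token(form["assertion"])
        # The assertion must be a current token that was issued *to the calling API*.
        if claims["iss"] != self.issuer or claims["aud"] != app["audience"] or claims["exp"] < time.time():
            raise PermissionError("assertion not acceptable")
        # OBO propagates a user; an app-only token (roles, no scp) carries none and cannot be exchanged.
        if "scp" not in claims:
            raise PermissionError("assertion has no user context")
        if form["scope"] not in self.consent.get((claims["oid"], form["client_id"]), set()):
            raise PermissionError("user has not consented to the downstream scope")
        resource, _, permission = form["scope"].rpartition("/")
        # Same user (oid/sub), new audience and scope, middle tier recorded as appid.
        return encode_token(self._base(form["client_id"], resource) | {"oid": claims["oid"], "sub": claims["sub"], "scp": permission})


def authorize(token, issuer, expected_audience, required_scope) -> str:
    """Resource-server check; returns the user's oid for audit logs and per-user access decisions."""
    claims = decode_token(token)
    if claims["iss"] != issuer or claims["aud"] != expected_audience:
        raise PermissionError("wrong issuer or audience")
    if claims["exp"] < time.time():
        raise PermissionError("expired")
    if "scp" not in claims:
        raise PermissionError("no user context (app-only token)")
    if required_scope not in claims["scp"].split():
        raise PermissionError("missing scope")
    return claims["oid"]


def demo():
    """Alice -> SPA -> orders API -> inventory resource server, all with Alice's identity intact."""
    idp = FakeIdp("https://login.example.test/tenant-1/")          # constructed issuer
    idp.register_app("orders-api", "orders-secret", "api://orders-api")
    idp.grant_consent("alice-oid", "orders-api", "api://inventory-rs/Inventory.Read")
    incoming = idp.issue_delegated_token("alice-oid", "spa-client", "api://orders-api", "Orders.Read")
    downstream = idp.exchange_obo(build_obo_request("orders-api", "orders-secret", incoming,
                                                    "api://inventory-rs/Inventory.Read"))
    user = authorize(downstream, idp.issuer, "api://inventory-rs", "Inventory.Read")
    # Contrast: a batch job's app-only token for the same API cannot be exchanged on behalf of anyone.
    app_only = idp.issue_app_only_token("batch-job", "api://orders-api", ["Orders.Read.All"])
    try:
        idp.exchange_obo(build_obo_request("orders-api", "orders-secret", app_only,
                                           "api://inventory-rs/Inventory.Read"))
        app_only_rejected = False
    except PermissionError:
        app_only_rejected = True
    return decode_token(downstream), user, app_only_rejected


if __name__ == "__main__":
    print(demo())
```

The exchanged token keeps `oid`/`sub` from the incoming one while `aud`, `scp` and `appid` change, which is exactly what lets the last hop audit and authorize per user instead of trusting the middle tier blindly; the app-only branch shows why a client-credentials token is not a substitute when user context is required.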
Thanks!