Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Delegated Access with OAuth
Search
devNetNoord
April 04, 2024
Technology
0
14
Delegated Access with OAuth
Presentatie gegeven tijdens devCampNoord '24 in Kinepolis Groningen.
devNetNoord
April 04, 2024
Tweet
Share
More Decks by devNetNoord
See All by devNetNoord
Copilot Beyond the Basics
devnetnoord
0
29
The Blazor Multiverse
devnetnoord
0
15
De Architectuur Odyssee
devnetnoord
0
10
Azure Kubernetes Service Quickstart
devnetnoord
0
14
The Office Copilot
devnetnoord
0
12
Navigating Cloud Sustainability: Insights and Strategies
devnetnoord
0
12
Machine Learning 101
devnetnoord
0
9
Vector search and state-of-the-art retrieval for generative AI apps
devnetnoord
0
34
Reviewing NuGet Packages security easily using OpenSSF Scorecard
devnetnoord
0
19
Other Decks in Technology
See All in Technology
Azure AI ことはじめ
tsubakimoto_s
0
130
大規模ドラレコデータ収集・機械学習基盤を支える AWS CDK 〜導入・運用事例紹介〜
pemugi
0
110
CTOから見た事業開発とプロダクト開発 / My Perspective on Business and Product Development as CTO
keisuke69
4
960
Git 研修 Advanced【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
200
DDDにおける認可の扱いとKotlinにおける実装パターン / authorization-for-ddd-and-kotlin-implement-pattern
urmot
4
390
ゆめみのアクセシビリティの現在地と今後
ryokatsuse
3
290
クラウド利用者の「責任」をどう果たす?AWSセキュリティ対策のススメ #AWSSummit
hiashisan
0
280
コンテナ・K8s研修 - 後半 Kubernetes 基礎&ハンズオン【MIXI 24新卒技術研修】
mixi_engineers
PRO
1
120
スレットハンティングについて知っておきたいこと
hacket
0
130
開発と事業を繋ぐ!SREのオブザーバビリティ戦略 ~ Developers Summit 2024 Summer ~
leveragestech
0
640
Classmethod Odyssey 登壇資料
yamahiro
0
390
データ分析基盤を作ってみよう~設計編~
nrinetcom
PRO
1
110
Featured
See All Featured
How to name files
jennybc
67
96k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
26
1.8k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
34
1.9k
Navigating Team Friction
lara
181
13k
The Illustrated Children's Guide to Kubernetes
chrisshort
39
47k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
16
1.6k
WebSockets: Embracing the real-time Web
robhawkes
59
7.2k
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Designing with Data
zakiwarfel
96
5k
Build your cross-platform service in a week with App Engine
jlugia
227
17k
Pencils Down: Stop Designing & Start Developing
hursman
118
11k
Transcript
Delegated Access with OAuth Why Developers Should Care Annejan Barelds
Software Architect DevCampNoord April 4th, 2024
Annejan Barelds Software Architect - 4Dotnet Azure – .NET –
Architecture – Consultancy https://www.linkedin.com/in/barelds/ https://github.com/AnnejanBarelds
Delegated Access OAuth 2.0 On-Behalf-Of
2008 Alice Bob Charlie Alice Bob Charlie App ID
2016
2024
App ID Alice Bob Charlie
App ID Alice Bob Charlie App ID App ID ?
?
None
Office 365 The Need for Zero Trust
User Role Group Device Config Location Last Sign-in Conditional access
risk Health/Integrity Client Config Last seen High Medium Low Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Device
User Role Group Device Config Location Last Sign-in Conditional access
risk High Medium Low Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Health/Integrity Client Config Last seen Device Identity Permissions App Identity Permissions API Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication
OK, so we need delegated access. How does it work?
Resource Server Client IdP Resource Owner Data Scopes: - Read
- Write - … Roles: - Owner - Reader App App Required access: - RS/Read AT IT AT SP SP RS/Read openid Consent?
AT AT ? Resource Server Client IdP Resource Owner Data
Scopes: - Read - Write - … Roles: - Owner - Reader App Required access: - RS/Read IT AT SP SP RS/Read openid IdP App AT API Scopes: - Read Required access: - API/Read Required access: - RS/Read App SP AT AT AT API/Read RS/Read
https://www.youtube.com/watch?v=WVNvoiA_ktw John Savill's Technical Training
Demo time
So it’s all rainbows and unicorns?
OAuth On-Behalf-Of is about user context You need user context
for - Autonomy - Auditing - Access checks Microsoft Entra ID takes some getting-used-to MSAL solves the coding part
Thanks!