Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Delegated Access with OAuth
Search
devNetNoord
April 04, 2024
Technology
0
20
Delegated Access with OAuth
Presentatie gegeven tijdens devCampNoord '24 in Kinepolis Groningen.
devNetNoord
April 04, 2024
Tweet
Share
More Decks by devNetNoord
See All by devNetNoord
Gebruik je broncode als documentatie voor je stakeholders
devnetnoord
0
3
Efficient and Secure Software Delivery with Azure Deployment Environments and Dev Box
devnetnoord
0
4
Toepassing van AI in de zorg; hype, hoop en haalbaarheid
devnetnoord
0
7
What's new with Azure Bicep?
devnetnoord
0
2
Copilot Beyond the Basics
devnetnoord
0
48
The Blazor Multiverse
devnetnoord
0
35
De Architectuur Odyssee
devnetnoord
0
17
Azure Kubernetes Service Quickstart
devnetnoord
0
21
The Office Copilot
devnetnoord
0
13
Other Decks in Technology
See All in Technology
Fanstaの1年を大解剖! 一人SREはどこまでできるのか!?
syossan27
2
160
5分でわかるDuckDB
chanyou0311
10
3.2k
Postman と API セキュリティ / Postman and API Security
yokawasa
0
200
生成AIのガバナンスの全体像と現実解
fnifni
1
180
社内イベント管理システムを1週間でAKSからACAに移行した話し
shingo_kawahara
0
180
第3回Snowflake女子会_LT登壇資料(合成データ)_Taro_CCCMK
tarotaro0129
0
180
継続的にアウトカムを生み出し ビジネスにつなげる、 戦略と運営に対するタイミーのQUEST(探求)
zigorou
0
500
NW-JAWS #14 re:Invent 2024(予選落ち含)で 発表された推しアップデートについて
nagisa53
0
250
成果を出しながら成長する、アウトプット駆動のキャッチアップ術 / Output-driven catch-up techniques to grow while producing results
aiandrox
0
180
.NET 9 のパフォーマンス改善
nenonaninu
0
360
スタートアップで取り組んでいるAzureとMicrosoft 365のセキュリティ対策/How to Improve Azure and Microsoft 365 Security at Startup
yuj1osm
0
210
あの日俺達が夢見たサーバレスアーキテクチャ/the-serverless-architecture-we-dreamed-of
tomoki10
0
420
Featured
See All Featured
We Have a Design System, Now What?
morganepeng
51
7.3k
Designing for humans not robots
tammielis
250
25k
How GitHub (no longer) Works
holman
311
140k
Agile that works and the tools we love
rasmusluckow
328
21k
RailsConf 2023
tenderlove
29
940
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
The Language of Interfaces
destraynor
154
24k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
How To Stay Up To Date on Web Technology
chriscoyier
789
250k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
2
160
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
132
33k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.5k
Transcript
Delegated Access with OAuth Why Developers Should Care Annejan Barelds
Software Architect DevCampNoord April 4th, 2024
Annejan Barelds Software Architect - 4Dotnet Azure – .NET –
Architecture – Consultancy https://www.linkedin.com/in/barelds/ https://github.com/AnnejanBarelds
Delegated Access OAuth 2.0 On-Behalf-Of
2008 Alice Bob Charlie Alice Bob Charlie App ID
2016
2024
App ID Alice Bob Charlie
App ID Alice Bob Charlie App ID App ID ?
?
None
Office 365 The Need for Zero Trust
User Role Group Device Config Location Last Sign-in Conditional access
risk Health/Integrity Client Config Last seen High Medium Low Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Device
User Role Group Device Config Location Last Sign-in Conditional access
risk High Medium Low Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Health/Integrity Client Config Last seen Device Identity Permissions App Identity Permissions API Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication
OK, so we need delegated access. How does it work?
Resource Server Client IdP Resource Owner Data Scopes: - Read
- Write - … Roles: - Owner - Reader App App Required access: - RS/Read AT IT AT SP SP RS/Read openid Consent?
AT AT ? Resource Server Client IdP Resource Owner Data
Scopes: - Read - Write - … Roles: - Owner - Reader App Required access: - RS/Read IT AT SP SP RS/Read openid IdP App AT API Scopes: - Read Required access: - API/Read Required access: - RS/Read App SP AT AT AT API/Read RS/Read
https://www.youtube.com/watch?v=WVNvoiA_ktw John Savill's Technical Training
Demo time
So it’s all rainbows and unicorns?
OAuth On-Behalf-Of is about user context You need user context
for - Autonomy - Auditing - Access checks Microsoft Entra ID takes some getting-used-to MSAL solves the coding part
Thanks!
devnetnoord
syossan27
chanyou0311
yokawasa
fnifni
shingo_kawahara
tarotaro0129
zigorou
nagisa53
aiandrox
nenonaninu
yuj1osm
tomoki10
morganepeng
tammielis
holman
rasmusluckow
tenderlove
tanoku
destraynor
samlambert
chriscoyier
addyosmani
eileencodes
bluesmoon
