Delegated Access with OAuth
Presentation given at devCampNoord '24 in Kinepolis Groningen.
devNetNoord
April 04, 2024
Transcript
Delegated Access with OAuth: Why Developers Should Care
Annejan Barelds, Software Architect
DevCampNoord, April 4th, 2024
Annejan Barelds, Software Architect at 4Dotnet: Azure, .NET, Architecture, Consultancy
https://www.linkedin.com/in/barelds/
https://github.com/AnnejanBarelds
Delegated Access, OAuth 2.0, On-Behalf-Of
Slide (diagram): a timeline of 2008, 2016 and 2024 showing the users Alice, Bob and Charlie alongside an App ID, ending in question marks.
Office 365: The Need for Zero Trust
Slide (diagram): Zero Trust conditional access. Signals: user (role, group, last sign-in), device (config, health/integrity, client config, last seen) and location, with risk rated High, Medium or Low. Actions: Allow, Allow Restricted, Require MFA, Block, Force Remediation; device actions: Allow, Block. Network controls in front of the intranet resources: firewall, intrusion detection/prevention, forward/reverse proxy (source and destination IP address/port, signatures, analytics, allow list), authentication.
Slide (diagram): the same picture extended with device identity and permissions, app identity and permissions, and an API behind the network controls.
OK, so we need delegated access. How does it work?
Slide (diagram): the OAuth roles Resource Owner, Client, IdP and Resource Server. The Resource Server holds data with scopes (Read, Write, ...) and roles (Owner, Reader). The client App is registered with required access RS/Read and has a service principal (SP); after the openid scope is requested and the user gives consent, the IdP issues an ID token (IT) and an access token (AT), and the App presents the AT to the Resource Server.
Slide (diagram): the same flow with an API in between. The App requires API/Read and the API requires RS/Read. The App's AT is scoped to API/Read; the API obtains a second AT scoped to RS/Read from the IdP (the On-Behalf-Of step) and calls the Resource Server with that token.
John Savill's Technical Training: https://www.youtube.com/watch?v=WVNvoiA_ktw
Demo time
So it’s all rainbows and unicorns?
OAuth On-Behalf-Of is about user context. You need user context for:
- Autonomy
- Auditing
- Access checks
Microsoft Entra ID takes some getting used to. MSAL solves the coding part.
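The App -> API -> Resource Server chain from the diagram slides and the "user context" point just above, as an added Python example that is not part of the talk: a toy IdP, API and Resource Server are all local functions, HMAC-signed JSON stands in for Entra ID's signed JWTs, and the names Alice and Bob are constructed. It shows the API exchanging the user's API/Read token for an RS/Read token through On-Behalf-Of with the subject carried over (so the Resource Server can do its own per-user access checks and auditing), and the rejected shortcut of forwarding the App's token unchanged.

```python
import base64, hashlib, hmac, json

# Constructed example: one toy IdP trusted by the App, the API and the Resource
# Server (RS). Tokens are HMAC-signed JSON so this runs offline; a real deployment
# uses JWTs issued and signed by Microsoft Entra ID, and MSAL does the OBO request.
IDP_KEY = b"demo-signing-key-not-for-production"

def mint(sub: str, aud: str, scp: str) -> str:
    # IdP issues an access token (AT) for subject sub, audience aud, scopes scp.
    payload = base64.urlsafe_b64encode(json.dumps({"sub": sub, "aud": aud, "scp": scp}).encode()).decode()
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify(token: str, expected_aud: str, required_scope: str) -> dict:
    """Every resource checks signature, audience and scope before trusting a token."""
    payload, sig = token.split(".")
    expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["aud"] != expected_aud:
        raise PermissionError(f"token is for {claims['aud']}, not {expected_aud}")
    if required_scope not in claims["scp"].split():
        raise PermissionError(f"missing scope {required_scope}")
    return claims

def idp_on_behalf_of(assertion: str, api_client_id: str, downstream_scope: str) -> str:
    """OBO exchange: the API presents the user's token as an assertion and receives a
    token for the downstream RS. The subject is carried over, so user context survives."""
    claims = verify(assertion, expected_aud=api_client_id, required_scope="API/Read")
    return mint(claims["sub"], aud="RS", scp=downstream_scope)

def resource_server_read(token: str) -> str:
    """RS serves RS/Read only for a token minted for it, in some user's context."""
    claims = verify(token, expected_aud="RS", required_scope="RS/Read")
    return f"data owned by {claims['sub']}"

def api_read(user_token: str) -> str:
    """API (audience API, scope API/Read) calls RS on behalf of the signed-in user."""
    verify(user_token, expected_aud="API", required_scope="API/Read")
    rs_token = idp_on_behalf_of(user_token, "API", "RS/Read")
    return resource_server_read(rs_token)

def forwarding_fails(user_token: str) -> bool:
    """The API must not forward the App's token to RS: wrong audience, so RS rejects it."""
    try:
        resource_server_read(user_token)
    except PermissionError:
        return True
    return False
```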
Thanks!