Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Delegated Access with OAuth
Search
devNetNoord
April 04, 2024
Technology
0
31
Delegated Access with OAuth
Presentatie gegeven tijdens devCampNoord '24 in Kinepolis Groningen.
devNetNoord
April 04, 2024
Tweet
Share
More Decks by devNetNoord
See All by devNetNoord
Gebruik je broncode als documentatie voor je stakeholders
devnetnoord
0
20
Efficient and Secure Software Delivery with Azure Deployment Environments and Dev Box
devnetnoord
0
25
Toepassing van AI in de zorg; hype, hoop en haalbaarheid
devnetnoord
0
53
What's new with Azure Bicep?
devnetnoord
0
32
Copilot Beyond the Basics
devnetnoord
0
86
The Blazor Multiverse
devnetnoord
0
80
De Architectuur Odyssee
devnetnoord
0
41
Azure Kubernetes Service Quickstart
devnetnoord
0
52
The Office Copilot
devnetnoord
0
26
Other Decks in Technology
See All in Technology
自然言語でAPI作業を片付ける!「Postman Agent Mode」
nagix
0
140
身近なCSVを活用する!AWSのデータ分析基盤アーキテクチャ
koosun
0
4k
学術的根拠から読み解くNotebookLMの音声活用法
shukob
0
410
Dev Containers と Skaffold で実現する クラウドネイティブ開発環境 ローカルのみという制約に挑む / Cloud-Native Development with Dev Containers and Skaffold: Tackling the Local-Only Constraint
bitkey
PRO
0
130
米軍Platform One / Black Pearlに学ぶ 極限環境DevSecOps
jyoshise
2
530
生成AI時代に若手エンジニアが最初に覚えるべき内容と、その学習法
starfish719
2
610
プロダクト負債と歩む持続可能なサービスを育てるための挑戦
sansantech
PRO
1
930
リアーキテクティングのその先へ 〜品質と開発生産性の壁を越えるプラットフォーム戦略〜 / architecture-con2025
visional_engineering_and_design
0
6.7k
不確実性に備える ABEMA の信頼性設計とオブザーバビリティ基盤
nagapad
4
7.4k
雲勉LT_Amazon Bedrock AgentCoreを知りAIエージェントに入門しよう!
ymae
2
210
重厚長大企業で、顧客価値をスケールさせるためのプロダクトづくりとプロダクト開発チームづくりの裏側 / Developers X Summit 2025
mongolyy
0
190
AI エージェントを評価するための温故知新と Spec Driven Evaluation
icoxfog417
PRO
2
710
Featured
See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
273
21k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Optimizing for Happiness
mojombo
379
70k
Product Roadmaps are Hard
iamctodd
PRO
55
12k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
54k
VelocityConf: Rendering Performance Case Studies
addyosmani
333
24k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
659
61k
Fireside Chat
paigeccino
41
3.7k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
Writing Fast Ruby
sferik
630
62k
Why Our Code Smells
bkeepers
PRO
340
57k
Building a Modern Day E-commerce SEO Strategy
aleyda
45
8.1k
Transcript
Delegated Access with OAuth Why Developers Should Care Annejan Barelds
Software Architect DevCampNoord April 4th, 2024
Annejan Barelds Software Architect - 4Dotnet Azure – .NET –
Architecture – Consultancy https://www.linkedin.com/in/barelds/ https://github.com/AnnejanBarelds
Delegated Access OAuth 2.0 On-Behalf-Of
2008 Alice Bob Charlie Alice Bob Charlie App ID
2016
2024
App ID Alice Bob Charlie
App ID Alice Bob Charlie App ID App ID ?
?
None
Office 365 The Need for Zero Trust
User Role Group Device Config Location Last Sign-in Conditional access
risk Health/Integrity Client Config Last seen High Medium Low Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Device
User Role Group Device Config Location Last Sign-in Conditional access
risk High Medium Low Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Health/Integrity Client Config Last seen Device Identity Permissions App Identity Permissions API Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication
OK, so we need delegated access. How does it work?
Resource Server Client IdP Resource Owner Data Scopes: - Read
- Write - … Roles: - Owner - Reader App App Required access: - RS/Read AT IT AT SP SP RS/Read openid Consent?
AT AT ? Resource Server Client IdP Resource Owner Data
Scopes: - Read - Write - … Roles: - Owner - Reader App Required access: - RS/Read IT AT SP SP RS/Read openid IdP App AT API Scopes: - Read Required access: - API/Read Required access: - RS/Read App SP AT AT AT API/Read RS/Read
https://www.youtube.com/watch?v=WVNvoiA_ktw John Savill's Technical Training
Demo time
So it’s all rainbows and unicorns?
OAuth On-Behalf-Of is about user context You need user context
for - Autonomy - Auditing - Access checks Microsoft Entra ID takes some getting-used-to MSAL solves the coding part
Thanks!
devnetnoord
nagix
koosun
shukob
bitkey
jyoshise
starfish719
sansantech
visional_engineering_and_design
nagapad
ymae
mongolyy
icoxfog417
hatefulcrawdad
afnizarnur
mojombo
iamctodd
aki_iinuma
addyosmani
lemiorhan
paigeccino
wjessup
sferik
bkeepers
aleyda
