Delegated Access with OAuth Why Developers Should Care Annejan Barelds Software Architect DevCampNoord April 4th, 2024 

Annejan Barelds Software Architect - 4Dotnet Azure – .NET – Architecture – Consultancy https://www.linkedin.com/in/barelds/ https://github.com/AnnejanBarelds 

Delegated Access OAuth 2.0 On-Behalf-Of 

2008 Alice Bob Charlie Alice Bob Charlie App ID 

2016 

2024 

App ID Alice Bob Charlie 

App ID Alice Bob Charlie App ID App ID ? ? 

No content

Office 365 The Need for Zero Trust 

User Role Group Device Config Location Last Sign-in Conditional access risk Health/Integrity Client Config Last seen High Medium Low Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Device 

User Role Group Device Config Location Last Sign-in Conditional access risk High Medium Low Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Health/Integrity Client Config Last seen Device Identity Permissions App Identity Permissions API Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication 

OK, so we need delegated access. How does it work? 

Resource Server Client IdP Resource Owner Data Scopes: - Read - Write - … Roles: - Owner - Reader App App Required access: - RS/Read AT IT AT SP SP RS/Read openid Consent? 

AT AT ? Resource Server Client IdP Resource Owner Data Scopes: - Read - Write - … Roles: - Owner - Reader App Required access: - RS/Read IT AT SP SP RS/Read openid IdP App AT API Scopes: - Read Required access: - API/Read Required access: - RS/Read App SP AT AT AT API/Read RS/Read 

https://www.youtube.com/watch?v=WVNvoiA_ktw John Savill's Technical Training 

Demo time 

So it’s all rainbows and unicorns? 

OAuth On-Behalf-Of is about user context You need user context for - Autonomy - Auditing - Access checks Microsoft Entra ID takes some getting-used-to MSAL solves the coding part 

Thanks!