Page 1 of 8
How do we authenticate to services?

1. Using keys

flowchart LR
    A[Service A] -->|Config Key| B[Service B]
    B -->|Result| A
    B -->|Key Verification| A

Challenges:
- Managing keys:
  - Creating
  - Rotating
  - Storing
- High-security key
2. Using Azure AD

sequenceDiagram
    participant ID as Id Credentials
    participant A as Service A
    participant AD as Azure AD
    participant B as Service B
    ID ->> A: Token Request (1)
    A ->> AD: Token Request (2)
    AD ->> A: Token (3)
    A ->> B: Token (4)
    B ->> A: Result (5)
    B ->> AD: Token Validation (6)

Challenges:
- Where to store the ID credentials?
Page 2 of 8
Azure AD Managed Identity
Key Features:
- Credentials are moved out of app code.
- Identity created and tied with resource lifecycle.
- Easy to set up.
sequenceDiagram
    participant Client as Client Credentials
    participant App as App
    participant VM as VM
    participant MI as Managed ID Endpoint
    participant AD as Azure AD
    participant KV as Key Vault
    Client ->> MI: Token Request (1)
    MI ->> AD: Token Request (2)
    AD ->> MI: Token (3)
    MI ->> App: Token (4)
    App ->> KV: Request Secret (5)
    KV ->> App: Secret (6)
    App ->> VM: Use Secret (7)

Note:
- The Managed ID endpoint is internal to the resource; no credentials are saved in the source code.
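The token-then-secret exchange from the diagram above (steps 1 to 6), written out as an added Python example; it is not code from the notes or from Microsoft. The request shapes follow the documented Azure Instance Metadata Service (IMDS) identity endpoint and the Key Vault REST data plane; the Key Vault `api-version`, the vault name, the secret name and the JSON responses served by `fake_transport` are constructed for the example. The transport is injected so the flow runs offline and so the two defender-relevant checks are visible: the `Metadata: true` header the endpoint requires (which a forwarded browser or proxy request will not carry) and the `expires_on` check before the token is used.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Documented IMDS identity endpoint (link-local, reachable only from inside the VM).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KV_API_VERSION = "7.4"  # assumption: any current Key Vault data-plane version


def build_imds_token_request(resource: str) -> dict:
    """Step 1: the app asks the local Managed ID endpoint for a token.
    Nothing secret is sent; the Metadata header is mandatory."""
    query = urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return {"method": "GET", "url": f"{IMDS_TOKEN_URL}?{query}",
            "headers": {"Metadata": "true"}}


def parse_imds_token_response(body: str, now: int) -> tuple:
    """Steps 2-4: IMDS returns the token it obtained from Azure AD.
    expires_on is a string of Unix seconds; reject an already-expired token."""
    data = json.loads(body)
    token = data["access_token"]
    expires_on = int(data["expires_on"])
    if expires_on <= now:
        raise ValueError("token already expired")
    return token, expires_on


def build_kv_secret_request(vault_name: str, secret_name: str, token: str) -> dict:
    """Step 5: present the token as a bearer credential to Key Vault."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
           f"?api-version={KV_API_VERSION}")
    return {"method": "GET", "url": url,
            "headers": {"Authorization": f"Bearer {token}"}}


def fetch_secret(transport, vault_name: str, secret_name: str, now: int) -> str:
    """Whole flow: token from IMDS, then the secret value from Key Vault (step 6)."""
    req = build_imds_token_request("https://vault.azure.net")
    token, _ = parse_imds_token_response(transport(req), now)
    req = build_kv_secret_request(vault_name, secret_name, token)
    return json.loads(transport(req))["value"]


def fake_transport(req: dict) -> str:
    """Constructed stand-in for HTTP: behaves like IMDS and Key Vault would."""
    u = urlparse(req["url"])
    if u.netloc == "169.254.169.254":
        if req["headers"].get("Metadata") != "true":
            raise PermissionError("400: Metadata header required")
        if parse_qs(u.query).get("resource") != ["https://vault.azure.net"]:
            raise PermissionError("400: unexpected resource")
        return json.dumps({"access_token": "EXAMPLE.TOKEN", "expires_on": "1700003600",
                           "resource": "https://vault.azure.net", "token_type": "Bearer"})
    if u.netloc.endswith(".vault.azure.net"):
        if req["headers"].get("Authorization") != "Bearer EXAMPLE.TOKEN":
            raise PermissionError("401: bad or missing bearer token")
        return json.dumps({"value": "db-password-123", "id": req["url"].split("?")[0]})
    raise ValueError(f"unexpected host {u.netloc}")


if __name__ == "__main__":
    print(fetch_secret(fake_transport, "examplevault", "db-password", now=1700000000))
```

In a real deployment the only things that change are the transport (a real HTTP client) and the vault and secret names; the app still holds no secret of its own, which is the point the note above makes.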
How to do local development then?
flowchart LR
    A[Azure CLI] --> B[App]
    B --> C[Local Machine]

- Use Windows Authentication to simulate the Azure session login.
Page 3 of 8
When Managed Identity cannot be used:
- Reason: not all apps can be hosted on Azure.
  - Apps on Azure without an identity assigned cannot use Managed Identity.
- Alternative: app credentials such as:
  - Certificates (also called public-key credentials)
  - Secrets (app password)
Certificates:
- Advantages:
  - More secure (similar to SSH key authentication).
  - The thumbprint acts as the certificate identifier.
  - The private key is used to authenticate to Azure AD; it never leaves the app.
App Types for the Microsoft Identity Platform:
- Requirements:
  - App registration and specs:
    - App (Client) ID
    - Redirect URI
  - Other scenarios.
Page 4 of 8
I. SPA (Single Page Application)

sequenceDiagram
    participant SPA as SPA
    participant API as Web API
    SPA ->> API: /oauth2/authorize
    API -->> SPA: Returns Auth Code (1)
    SPA ->> API: Request OAuth Token
    API -->> SPA: Returns Access Token & Refresh Token (2)
    SPA ->> API: Call Web API with Authorization Token
    API -->> SPA: Returns Data (3)
    SPA ->> API: Request New Refresh Token & Access Token
    API -->> SPA: Returns Tokens (4)
II. Web Apps

sequenceDiagram
    participant Browser as Browser
    participant App as Web App
    participant AD as Azure AD
    Browser ->> App: /oauth2/v2.0/authorize
    App ->> AD: Redirect User to Azure AD
    AD -->> Browser: User Enters Credentials (1)
    Browser ->> AD: Consent to Permissions
    AD -->> App: Returns ID Token (2)
    App ->> Browser: Redirects ID Token to Redirect URI
    App -->> Browser: Returns Secure Page to User (3)

III. Daemons & Web Services
- In step 2 the app presents its own app credentials (secret or certificate) instead of a user's.
- In step 1, instead of redirecting a user to sign in, the app has been granted its permissions beforehand.
Page 5 of 8
Azure AD (Active Directory)
Azure Active Directory (Azure AD) is not equivalent to traditional Active Directory. It operates as an identity-as-a-service platform.
Characteristics:
- Multi-tenant
- Cloud-based identity management system
- Highly scalable and distributed
Key Features:
- Acts as a centralized identity provider.
- Enables scenarios such as:
- Conditional Access Policies
- Multi-factor authentication
- Single Sign-On (SSO)
Token Flow:
Below is the process flow for token generation and usage in Azure AD:

flowchart TD
    A[User Application] -->|1. Need ID token & access token| B[Azure AD]
    B -->|2. Authenticate| C[Graph API]
    C -->|3. Here you go| D[ID Token + Access Token]
    D -->|4. JWT Token| E["Token type: JWT"]
Page 6 of 8
Steps:
- API requests tokens from Microsoft Identity.
- Authentication happens over browser-based web surfaces to provide SSO.
- App passes access tokens to APIs.
- API validates access tokens before returning results.
Details About Azure AD:
- Default Directory: Every user has a default directory.
- You can add/remove users in it.
- You can create additional directories in Azure AD and manage users accordingly.
- User Permissions: Can be managed within Azure AD.
App Management:
- Multi-Tenant
- Single Tenant
- Enterprise App
Types of Apps:
- Public Client:
- Examples: Client SPA
- Confidential Client:
- Examples: Web API, Web App
Page 7 of 8
Modern Authentication
WS Federation & SAML:
Both are older identity protocols used for authentication:
- WS Federation:
- Process involves redirection and assertions.
- SAML: Used primarily for SSO.
Process:

sequenceDiagram
    participant Service Provider
    participant User Agent
    participant ID Provider
    Service Provider->>User Agent: Request target resource
    User Agent->>Service Provider: Discover ID provider
    Service Provider->>ID Provider: Request SSO service
    ID Provider->>User Agent: Identity assertion
    User Agent->>Service Provider: Request assertion
    Service Provider->>User Agent: Redirect to target resource
    User Agent->>Service Provider: Request target resource
    Service Provider->>User Agent: Respond with requested resource
OAuth 2.0:
OAuth is an open standard for authorization that allows:
- "A" to perform operations on behalf of "B".
- A pseudo-authentication flow (OAuth itself does not authenticate the user).
Issues:
- The standard is not applied uniformly across implementations.
- Vulnerabilities:
  - Phishing (consent screens for malicious apps)
  - Over-sharing of permissions (granting broader scopes than the app needs)
OpenID Connect:
Authentication protocol built on top of OAuth 2.0.
Page 8 of 8
OAuth 2.0 Flow:

flowchart TD
    A[Client] -->|AuthZ Request| B[Authorization Server]
    B -->|AuthZ Grant| C[Resource Owner]
    C -->|Access Token| D[Protected Resource]
    D -->|Resource Access| A

OpenID:
- Issues access tokens and ID tokens.
- ID tokens are JWTs containing user details.

OpenID Connect Flow:

sequenceDiagram
    participant RP as Client App
    participant End User
    participant OP as OpenID Provider
    RP->>End User: AuthN Request
    End User->>OP: AuthN & AuthZ
    OP->>RP: AuthN Response
    RP->>OP: User Info Request
    OP->>RP: User Info Response