Securing a modern Web application with Entra ID

JoonasWestlin 108 views 23 slides Oct 08, 2024
Slide 1
Slide 1 of 23
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23

About This Presentation

Presented at Techorama NL 2024

Size: 9.72 MB
Language: en
Added: Oct 08, 2024
Slides: 23 pages

Slide Content

Securing a modern Web application with Entra ID

Speaker intro Joonas Westlin Developer / Architect @ Zure Worked with Azure for 9 years All time #1 for AAD / Entra ID answers on Stack Overflow joonasw.net

Agenda Entra ID, OpenID Connect, and OAuth 2 Demo : Walkthrough of OpenID Connect and OAuth 2 Recap of first demo Demo : Configuring the app in Entra ID Demo : API back-end and Microsoft.Identity.Web Demo : Front-end and MSAL.js Q&A

Entra ID, OpenID Connect, and OAuth 2

Entra ID Previously Azure Active Directory (AAD) Identity and access management Users Applications Devices Permissions Used by Microsoft 365, Azure, … Entra External ID tenants and Azure AD B2C are a bit different, but use the same protocols

What is a tenant? Organization Collection of users, apps and devices If you “create an Entra ID”, you are creating a tenant Identified by domains something.onmicrosoft.com by default

OpenID Connect and OAuth 2 Standards for authentication (OIDC) and authorization (OAuth) OAuth is about getting access to protected resources OIDC builds on top of OAuth 2 and focuses on identifying the user If you are having difficulties sleeping (or like auth stuff): https://openid.net/specs/openid-connect-core-1_0.html / https://datatracker.ietf.org/doc/html/rfc6749

Token types ID token Identifies the user From OIDC Intended for client application Access token Used to call an API From OAuth Intended for an API (one, not many) Refresh token Used to get new tokens

Demo: Walkthrough of OpenID Connect and OAuth 2

Recap

Front-end authentication

Token validation

On-behalf-of flow

Authentication redirect MSAL uses Authorization Code flow with PKCE MSAL stores nonce, code verifier Redirect with client_id , redirect_uri , state, nonce, response_type , code_challenge , code_challenge_method

Authentication redirect What MSAL saves in the browser Redirect parameters client_id (identifies the app) redirect_uri (where to send the user after login) state (string that will be passed back to app after login) nonce (unique id for the login, prevent replay) response_type : code (app wants an authorization code) code_challenge (hash from randomly generated verifier) code_challenge_method (says that the challenge is hashed) No secrets are ever used here (public client)

Authentication in Entra ID User authenticates with whatever, not app’s concern Also, the password is never shared with the app Parameter validation App with client ID exists Redirect URI matches one of that application’s URIs PKCE parameters are valid Tenant ID in URL or “common” or “organizations” or “consumers”

Redirect back to app Authorization code State reflected back MSAL exchanges code for tokens ID, access, and refresh token PKCE: Randomly generated code verifier also sent, Entra ID can do the same hashing again to verify it is same

Call to API Access token included in Authorization header Token validation, what happens internally Loading OpenID metadata, public keys (only once per API instance per day, rest of steps are offline) Signature validation Expiry, not before Audience (note that token is only valid for one API) Issuer Scopes / roles Now caller is authenticated with the API

On-behalf-of flow Exchanging API access token for Graph API access token Different audience, so Graph API won’t accept our token Client secret or certificate required to authenticate the app Access token received by API also passed

Demo: Configuring the app in Entra ID

Important parts of app configuration Tenant ID (or “common” / “organizations” / “consumers”) Client ID Client secret / certificate (if needed) Platforms and redirect URIs Exposed API permissions Required API permissions

Demo: API back-end and Microsoft.Identity.Web

Important parts of back-end configuration Add Microsoft.Identity.Web Nuget package and add its configuration in Program.cs / Startup.cs Instance, Tenant ID, client ID in app settings Client secret / certificate will need secure storage Require authentication for all requests Some level of additional authorization for all requests (see next slide)
Tags
Categories
General
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 108
  • Slides 23
  • Age 418 days
Related Slideshows
Pray For The Peace Of Jerusalem and You Will Prosper 22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
Don_t_Waste_Your_Life_God.....powerpoint 26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf 31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
Fertility awareness methods for women in the society 14
Fertility awareness methods for women in the society
Isaiah47
29 views
Chapter 5 Arithmetic Functions Computer Organisation and Architecture 35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
syakira bhasa inggris (1) (1).pptx....... 5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views
View More in This Category