Application Security (part 1 of 3)



To read part 2 please click here
To read part 3 please click here

Microsoft Identity Platform

The Microsoft identity platform is an evolution of the Azure Active Directory (AD) developer platform. It lets developers build applications that sign in users and get tokens to call APIs, such as Microsoft Graph or APIs the developers have built themselves. It supports industry-standard protocols such as OAuth 2.0 and OpenID Connect.

The unified Microsoft identity platform (v2.0) lets you write code once and authenticate any Microsoft identity into your application. For several platforms, the fully supported open-source Microsoft Authentication Library (MSAL) is the recommended way to call the identity platform endpoints. MSAL also supports Azure Active Directory B2C, so your customers can use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.

With the Microsoft identity platform, you can expand your reach to these kinds of users:

  • Work and school accounts (Azure AD provisioned accounts)
  • Personal accounts (such as Outlook.com or Hotmail.com)
  • Your customers who bring their own email or social identity (such as LinkedIn, Facebook, or Google) via MSAL and Azure AD B2C.

The Microsoft identity platform (v2.0) endpoint is now OIDC certified. It implements human-readable scopes, in accordance with industry standards.

Azure AD Application Scenarios

Any application that outsources authentication to Azure AD needs to be registered in a directory. Azure AD represents applications following a specific model that's designed to fulfill two main functions:

  1. Identify the app according to the authentication protocols it supports. This involves enumerating all the identifiers, URLs, secrets, and related information that Azure AD needs at authentication time. Here, Azure AD:

  • Holds all the data needed to support authentication at run time.
  • Holds all the data for deciding which resources an app might need to access, whether it should fulfill a particular request, and under what circumstances it should fulfill the request.
  • Supplies the infrastructure for implementing app provisioning both within the app developer's tenant and to any other Azure AD tenant. 

  2. Handle user consent at token request time and facilitate the dynamic provisioning of apps across tenants. Here, Azure AD:

  • Enables users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
  • Enables administrators to ultimately decide what apps are allowed to do, which users can use specific apps, and how directory resources are accessed.

At deployment time, Azure AD uses a special application object as a blueprint to create a service principal, which represents a concrete instance of an application within a directory or tenant. Azure AD creates a service principal from an application object through consent.

App Registration

Register your app with the Microsoft identity platform

Registration integrates your app with the Microsoft identity platform and establishes the information it uses to get tokens, including:

  • Application ID: a unique identifier assigned by the Microsoft identity platform.
  • Redirect URI/URL: one or more endpoints at which your app will receive responses from the Microsoft identity platform. (For native and mobile apps, this is a URI assigned by the Microsoft identity platform.)
  • Application secret: a password or a public/private key pair that your app uses to authenticate with the Microsoft identity platform. (Not needed for native or mobile apps.)

Getting an access token

You can manage your token interactions with the Microsoft identity platform by using authentication libraries, which abstract many protocol details (validation, cookie handling, token caching, and maintaining secure connections) away from the developer and let you focus your development on your app.

For the Microsoft identity platform endpoint:

  • Microsoft Authentication Library (MSAL) client libraries are available for .NET, JavaScript, Android, and Objective-C. All the platforms are in production-supported preview, and, in the event breaking changes are introduced, Microsoft guarantees a path to upgrade.
  • Server middleware from Microsoft is available for .NET Core and ASP.NET (OWIN OpenID Connect and OAuth) as well as for Node.js (the Microsoft identity platform Passport.js).
  • The Microsoft identity platform is compatible with many third-party authentication libraries.
