Azure Authentication for Developers

Azure Authentication via Active Directory

Disadvantage of Active Directory
If a company uses Active Directory for authentication and its staff are allowed to work from home, they need a VPN connection to authenticate against the company's Active Directory. This isn't very secure.

Management and authentication for mobile and modern devices

Classic Active Directory cannot manage modern devices well with its traditional mechanisms:

  • Group policies
  • Kerberos or NTLM (works poorly)
  • Session based security

What helps us manage modern devices:

  • Mobile device management
  • OpenID connect and OAuth
  • Access token and refresh token

Get familiar with Azure Active Directory (AAD).

Forms-based Authentication

Protocols

WS-Federation

It's a redirect-based flow. We go to a site, the site says we are anonymous, and it redirects us to an authentication provider.

The user can pick an authentication provider, we provide the credentials, and then we get a SAML POST back.

SAML looks like XML and contains what they call a SAML assertion, which establishes your identity.

SAML-P

It is more flexible and supports a more structured way to do SAML, with more attributes.

OpenID Connect

OpenID Connect & OAuth are not synonymous.

OAuth is a delegation protocol. For example I say: I allow you to access my application if you match certain criteria. In this case I don't know your identity, but if you have brown eyes and brown hair, you are allowed to work with my software.

OpenID Connect says that you have to have a minimum set of protocols that also establish your identity. OpenID Connect is not only for web / mobile applications; it can be applied to anything.

The following figure demonstrates the use of OpenID Connect for a web application.

Insert photo here!

Single Page Application

A Single Page Application is typically written in JavaScript and uses the OAuth 2.0 implicit flow. With the implicit flow, a Single Page Application has no secure way of storing a long-lasting refresh token.

In the OAuth 2.0 implicit flow, we assume that closing the browser logs the user out. Therefore the OAuth 2.0 implicit flow is suitable for a Single Page Application.

Native Application

For applications running on macOS, Linux or Windows, we use the Authorization Code Grant flow. Here we have the capability of storing long-lasting refresh tokens offline in a secure, encrypted manner.

Azure AD Authorization features

  • Azure AD V1 endpoint (Authorization Code Grant flow): it uses the authorization code grant flow for mobile apps as well as desktop applications.
  • Azure AD V2 endpoint (Authorization Code Grant flow): it prefers not to use the authorization code grant flow for mobile apps, only for desktop applications.
  • Proof Key for Code Exchange (PKCE) flow: it is for mobile applications.
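The flows above are easiest to understand from the messages they exchange. The following Python example is added here (it is not code from the original post or from Microsoft) and shows the client half and the server half of the authorization code grant with PKCE as a mobile or native app would use it: the app generates a code verifier, sends only the derived challenge in the authorization request, and the authorization server recomputes the challenge when the code is redeemed, so an intercepted code is useless without the verifier. The "openid" scope in the request is what distinguishes an OpenID Connect login (which returns an ID token) from plain OAuth delegation, tying back to the earlier section. The tenant id, client id and redirect URI are placeholders, not real values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: placeholder tenant id. The Azure AD v2 endpoint has the form
# https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/YOUR-TENANT-ID/oauth2/v2.0/authorize"


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: a high-entropy secret kept in the app until the token request.
    32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_request(client_id: str, redirect_uri: str, challenge: str,
                            state: str, nonce: str,
                            scope: str = "openid profile offline_access") -> str:
    """The redirect the native/mobile app sends the user's browser to.
    response_type=code selects the authorization code grant; the 'openid' scope
    turns OAuth delegation into an OpenID Connect login (an ID token comes back);
    the challenge binds the eventual code to this client instance."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,             # protects the redirect back against CSRF
        "nonce": nonce,             # echoed in the ID token, ties it to this login
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_authorize_request(url: str) -> dict:
    """Flatten the query string of an authorization request into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def token_endpoint_check(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: when the code is redeemed, recompute the challenge
    from the presented verifier and compare it with the one stored alongside the code.
    A stolen authorization code presented without the verifier fails here."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorize_request("YOUR-CLIENT-ID", "msauth://placeholder-redirect",
                                  challenge, state="xyz", nonce="n-0S6_WzA2Mj"))
    print("legitimate client redeeming the code:", token_endpoint_check(challenge, verifier))
    print("someone holding only the code:", token_endpoint_check(challenge, make_code_verifier()))
```

The verifier never appears in the browser redirect, which is why PKCE lets a public client (no client secret) use the code grant safely; this is the property the V2 endpoint relies on for mobile apps instead of the plain code grant.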

Scenarios in practice

  • Web browser talks to Web App: it can be developed with WS-Federation, SAML-P or OpenID Connect.
  • Single Page Application talks to Web API: it can be developed with the OAuth 2.0 implicit flow, i.e. ADAL.JS or MSAL.JS.
  • Native App talks to Web API
  • Web Application talks to Web API: it uses delegated user credentials, or the application's own identity.
  • Daemon: if there is no opportunity to authenticate a user, a daemon can call an API registered in Azure AD.

Implementations in practice

Create a .NET Core MVC project via PowerShell.

# Create .NET Core MVC project
$ProjectName = "DotNetCorePipeline"

# Paths containing spaces must be quoted in PowerShell; replace the placeholders with your own values
cd "C:\YOUR PATH\AuthenticationForDevelopers"

New-Item -Name $ProjectName -ItemType Directory

cd "C:\YOUR PATH\AuthenticationForDevelopers\$ProjectName"

# Client id, tenant id and domain come from the app registration in Azure AD
dotnet new mvc --auth SingleOrg --client-id "YOUR CLIENT ID" --tenant-id "YOUR TENANT ID" --domain "YOUR DOMAIN NAME" --no-https

After creating the project, go to the project folder, open the project file in Visual Studio and run the project. [More Info about ID Tokens]
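The SingleOrg template wires the middleware that validates the ID token Azure AD returns; the checks it performs are worth seeing explicitly. The following Python example is added here (it is not the post's or Microsoft's code) and implements the relying-party side: it parses the compact JWT, pins the signature algorithm, verifies the signature, and then checks issuer, audience, expiry, not-before and nonce before trusting the identity. Azure AD signs ID tokens with RS256 using keys published at its JWKS endpoint; to keep the example self-contained and offline, mint_id_token is a constructed stand-in issuer that signs with an HMAC secret, so the signature step differs from production while the claim checks are the same. The issuer URL, client id and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token the relying party must reject."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the identity provider (assumption: HS256 instead of
    Azure AD's RS256 so the example runs offline). Produces header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, secret: bytes, expected_issuer: str,
                      expected_audience: str, expected_nonce: str,
                      now=None, leeway: int = 60) -> dict:
    """Checks an OpenID Connect relying party performs before trusting an ID token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a compact JWT")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (e.g. 'none').
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was issued for a different client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise TokenError("token not yet valid")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")   # token was not minted for this login attempt
    return claims


def check_id_token(token, secret, issuer, audience, nonce, now=None):
    """Non-raising wrapper: (True, claims) when accepted, (False, reason) otherwise."""
    try:
        return True, validate_id_token(token, secret, issuer, audience, nonce, now=now)
    except TokenError as err:
        return False, str(err)


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or client.
    secret = b"constructed-demo-secret"
    issuer = "https://login.microsoftonline.com/TENANT-PLACEHOLDER/v2.0"
    now = int(time.time())
    claims = {"iss": issuer, "aud": "CLIENT-ID-PLACEHOLDER", "sub": "user-123",
              "nonce": "n-0S6_WzA2Mj", "iat": now, "nbf": now, "exp": now + 600}
    token = mint_id_token(claims, secret)
    print(check_id_token(token, secret, issuer, "CLIENT-ID-PLACEHOLDER", "n-0S6_WzA2Mj"))
    print(check_id_token(token, secret, issuer, "CLIENT-ID-PLACEHOLDER", "other-nonce"))
```

The nonce check is what the SPA and native flows rely on to tie a returned ID token to the login the app itself started; the audience check stops a token issued to some other registered app from being accepted by this one.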

Business to Consumer (B2C)

For scenarios in which external users are the focus.

  • Identities are not known ahead of time
  • Social login may be required (it can be simple username/password authentication, with or without MFA) -> other identity providers such as social accounts
  • Custom user experience and brand promotion are important -> via collecting information from the market
  • Keep everything secure and standards compliant.

In Practice

  • Create a B2C directory (two steps: first create a new one, second assign it to a subscription)
  • Register and configure an application
  • Create an application that uses Azure AD B2C

Token-based authentication to SQL resources

SQL resources are the following: SQL Database, SQL Warehouse and SQL Server. Authentication is possible via AD.

Multi-Factor Authentication

Certificate-based authentication

Resources
