
Azure Cloud learning resources

Labs

========== Azure Active Directory ==============

Good Reads Azure Active Directory

  • 2022-02-03 Azure AD Outage Analysis: December 15, 2021

    ThousandEyes detected a widespread Azure Active Directory (AD) outage lasting ~1.5 hours from ~00:50 UTC – 2:25 UTC, which may have impacted users around the globe from signing in to Microsoft services like O365. During the outage, authentication requests were returning HTTP 503 service unavailable errors.

  • 2022-03-05 New Azure Active Directory password brute-forcing flaw has no fix Ars Technica
  • 2022-03-16 Architecture overview - Azure Active Directory Microsoft Docs

    Azure Active Directory (Azure AD) enables you to securely manage access to Azure services and resources for your users. Included with Azure AD is a full suite of identity management capabilities. For information about Azure AD features, see What is Azure Active Directory? Sections covered: service architecture design, primary replica, secondary replicas, scalability, continuous availability, fault tolerance, data durability, data consistency, service-level backup.

Good Reads about Authentication Protocols

  • 2022-03-01 Why you probably don't need OAuth2 / OpenID Connect!

    You probably do not need OAuth2, nor OpenID Connect. This is a controversial opinion, even more so because my biggest professional achievements are two of the most successful open source projects in the OAuth2 and OpenID Connect world.

CSharp Authentication

Tutorials

Azure Active Directory - Random Articles

Microsoft Graph Reference Documentation

Azure Active Directory Authentication Protocols

OAuth2.0, OpenID Connect, SAML, JWT

JWT

JSON Web Token

  • 2022-03-01 Anatomy of a JWT - FusionAuth

    Here’s a JSON Web Token, freshly minted. Newlines have been added for clarity, but they are typically not present. An overview of JSON Web Token structure.

2023-02-05 Handling JWTs: Understanding Common Pitfalls - Bruce MacDonald, InfraHQ - YouTube

Ensure that the JWT:

  • is signed with a strong algorithm (e.g. RS256)
  • is not expired
  • does not have its typ claim set to None

It is difficult to revoke a JWT before it expires. Some teams use a block-list of revoked JWTs, but this is not a good solution.

2023-05-18 OAuth 2.0 basics - Playground | MSS Architecture


Philippe De Ryck:

In the context of authentication and authorization, these acronyms refer to specific standards and protocols. Here's an overview:

  1. JAR (JWT-Secured Authorization Request):

    • Description: JAR is a method to secure OAuth 2.0 authorization requests using JWT (JSON Web Tokens). This allows the client to send requests in a way that ensures integrity and possibly confidentiality of the authorization request parameters.
    • Use: It's used to protect the content of the authorization request, thus increasing the security of the OAuth 2.0 flow.
  2. PAR (Pushed Authorization Request):

    • Description: PAR enables the client to request authorization from the authorization server without exposing the parameters to the end-user's user-agent. It essentially allows the parameters to be sent directly to the authorization server, returning a URL that the user-agent can be redirected to.
    • Use: This enhances the security of the OAuth 2.0 authorization process by reducing exposure of sensitive parameters to possibly malicious user-agents or intermediaries.
  3. RAR (Rich Authorization Requests):

    • Description: RAR is an extension to OAuth 2.0 that provides a way for clients to convey a fine-grained authorization request, using a structured format, both for scope and other authorization parameters.
    • Use: This allows for a more detailed and flexible authorization request, suitable for various complex use cases that require more than the basic scopes.
  4. FAPI2 (Financial-grade API Part 2 - Advanced Financial-grade API):

    • Description: FAPI2 is a set of security profiles for OAuth 2.0 and OpenID Connect, designed for high-risk scenarios like financial services and payments. It specifies various security requirements and recommendations to ensure that the authorization process is highly secure.
    • Use: It's used to provide robust security measures specifically for financial APIs, where high levels of security are needed.

In summary, these terms are all related to enhancing and extending the security and functionality of the OAuth 2.0 protocol, particularly in scenarios that require high levels of security, such as in financial services.

2023-08-06 OAuth and the long way to Proof of Possession - Dominick Baier & Steinar Noem - NDC Security 2023 - YouTube

OAuth 2.0 / OpenID Connect

Good video by Graeme Foster about how AAD OAuth works, with demos. The relevant part starts at 16:50.

  • 2022-03-10 The Modern Guide to OAuth - FusionAuth

    I know what you are thinking, is this really another guide to OAuth 2.0? Well, yes and no. This guide is different than most of the others out there because it covers all of the ways that we actually use OAuth. It also covers all of the details you need to be an OAuth expert without reading all the specifications or writing your own OAuth server. This document is based on hundreds of conversations and client implementations as well as our experience building FusionAuth, an OAuth server which has been downloaded over a million times.

  • 2022-03-13 An introduction to OpenID Connect in ASP.NET Core

    Explains how OpenID Connect works and how it differs from OAuth2.

AAD SAML

  • 2022-02-22 AD FS 2.0 RelayState Microsoft Docs

    Hi guys, Joji Oshima here again with some great news! AD FS 2.0 Rollup 2 adds the capability to send RelayState when using IDP initiated sign on. I imagine some people are ecstatic to hear this while others are asking “What is this and why should I care?”

AAD SAML Support - General Articles

Azure Active Directory Service Principals and Managed Identity