Thanks & I wonder if there is a video that has more details about the different workflows that exist
@salvadorgarcia7612 3 years ago
I would've liked if there was a transcript that would read what was said. It was a little hard to keep up with the conversation, but still very informative.
@aditheppruekpitakpong3847 3 years ago
You can turn on subtitles (CC icon close to the Gear icon at the right bottom of KZbin video).
@MichealColhoun 1 year ago
Agreed. For me I play at 0.75 speed and turn on captions :-)
@raulands 1 month ago
When developing, how do we work with ID and Auth tokens?
@Nethanel773 1 year ago
Thank you for putting this up.
@nolimitsREAL 2 years ago
The one thing that I am probably missing, is how the access token is confirmed with the or in the API, that is the correct one?
@luckbeforeleap 2 years ago
Token is signed by the IdP (AzureAD) and that signature can be verified by the SaaS application
@nolimitsREAL 2 years ago
@@luckbeforeleap Thank you for the answer. This includes my own developed API?
@percelldeberry8397 2 years ago
Great Job!! Thanks
@kevin179887 3 years ago
Around 5:40, Kyle mentions the audience of the token and instructs us to check it to ensure that it's our application, but doesn't that mean we have access to other applications' tokens?
@Semidicht 3 years ago
It could be part of an attack, where an attacker somehow managed to steal a token when the user logged into some other application. Then the attacker can call your redirect URL with the stolen token. By checking the audience claim, you ensure that the user actually did mean to give this token to your application.
@kevin179887 3 years ago
@@Semidicht This would be the same problem as OAuth implicit flow and the reason they recommend Authorization code flow. Implicit flow is still safe since it's run over SSL. The argument is the application is not being validated.
@Semidicht 3 years ago
I think it has nothing to do with SSL. Someone could just look over your shoulder while you look at the id_token in your browser and memorize it. Or a user could make a careless screenshot with the token and post it on the internet. Validating the audience eliminates some problems with that.
@kylemarsh4038 2 years ago
Your app gets an ID token. Your app must validate that the aud claim of that token is your app. Your app should never look at the access tokens your app acquires to call APIs. It is the responsibility of the API to ensure that the aud claim on the tokens provided to call the API are for the API. You don't necessarily have access to other apps' tokens, but you want to guard against an attempt for someone to replay a token stolen from another app to your app.
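The replay case discussed in this thread, as an added example that is not part of the original comments or the video: a token with a valid issuer signature but an `aud` naming a different app must still be rejected. The key, the client IDs and the function names are constructed for illustration, and HMAC-SHA256 stands in for the IdP's signature so the block runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed values for illustration only (assumptions, not from the video).
IDP_KEY = b"demo-idp-signing-key"    # stand-in for the IdP's signing key
MY_CLIENT_ID = "app-a-client-id"     # hypothetical ID of the app doing the check
OTHER_CLIENT_ID = "app-b-client-id"  # hypothetical ID of some other app

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Play the IdP: sign header.payload (HS256 here, to stay stdlib-only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, expected_aud: str, key: bytes = IDP_KEY) -> dict:
    """Return the claims only if the signature is valid AND aud names this app."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side instead of trusting the header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    if not hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_aud not in audiences:
        raise ValueError("token was issued for a different audience")
    return claims
```
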
@ushasingh2414 2 years ago
Thank u
@ushasingh2414 2 years ago
I love to hear the speaker. He also teaches me the language & graphics
@richiero0o0 2 years ago
8:42 "And then the API needs to validate the JWT signature..." - but you just said that you're sending the Access Token...which, as you said 1 minute before, is not a JWT! It's little things like this that make this stuff harder than it needs to be.
@kylemarsh4038 2 years ago
Good point. The API has to validate the token. The token may, or may not, be a JWT. Azure AD does use JWT tokens when you register your APIs to get tokens issued by Azure AD.
@clashclan4739 2 years ago
Great
@photoartbergmann2394 3 years ago
What is the difference between API permissions and expose API in Azure AD?
@DataJuggler 3 years ago
7:19 So funny you say 'Shouldn't use this as a key', yet the Microsoft Store uses email addresses as a key. When I got a refund, my account was deleted, and then I signed up again I had to use an alternate email, when I have had one email for 10 years at the time, now 15. Now I can't remember my email, and no one from Microsoft can help me find my account. Too big a company, and do as I say, not as I do.
@kevin179887 3 years ago
Azure has the same problem
@ssssssssssss885 3 years ago
I wish, additionally to videos, you guys would write articles for the same information. Many people are readers and hate to hear voices when studying, in particular when the speakers are poor and a distraction. The alternating speakers in this video are particularly annoying, the video editing is less than mediocre.
@KenDiriwan 3 years ago
As useful as this is, I really dislike the throat-dominant kind of voice, especially for technical explanation. Just difficult to digest what was being said. Maybe just my hearing problem. Meanwhile Kyle's voice is really easy for me to listen to.
@bluejanis5317 3 years ago
Both sound like low quality audio recordings.
@GregWoodsLancs 2 years ago
I thought Nik's was excellent. Kyle's was pretty poor. I'm very surprised that the Microsoft Surface headphones are not mandatory for their employees making videos!