
Azure Security

 Azure Active Directory
  • We work with users and groups in AAD.
  • Pricing tiers
    • Free
    • Office 365 apps
    • Premium P1
    • Premium P2
  • Role Based Access Control (RBAC)
  • IAM (Identity and Access Management): here we can grant permissions at the resource level and assign that resource to a particular group as well.
  • Access can be assigned at the resource group, resource and subscription level.
  • Built in roles
    • Owner lets you manage everything, including access to resources.
    • Contributor lets you manage everything except access to resources.
    • Reader lets you view everything but cannot make changes.
  • OAuth2.0
    • Standard protocol used for authorization in case we use external identity providers to log in to our application.
    • It defines authorization workflows for different kinds of applications, such as web, mobile and Windows applications.
    • Workflows: 1) OAuth 2.0 Authorization Code flow 2) OAuth 2.0 Implicit flow
  • OpenID Connect
    • Just for authentication.
    • Lots of people use OAuth 2.0 just for authentication instead of authentication plus authorization. To avoid this misuse of OAuth 2.0, OpenID Connect came into the picture.
  • The different OAuth entities
    • Resource Owner – This is typically the end user.
    • Resource Server – This is the server that is hosting a protected resource.
    • Client – This is the application that is requesting the use of the protected resource on behalf of the user.
    • Authorization Server – This is the entity that authorizes the Resource Owner and issues access tokens.
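As an added example (not from the original post), the following Python model shows how the three built-in roles listed above interact with the scope an assignment is made at. Role definitions are simplified subsets of the published Actions/NotActions lists, and the subscription id, resource names, users and groups are constructed sample values. It also shows the point the notes make about group assignments: a role given to a group at a resource group applies to every member for every resource inside it.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified subsets of the built-in role definitions (Actions / NotActions).
# Illustrative only: the published definitions list more NotActions.
BUILT_IN_ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [  # everything except managing access
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # a user or a group
    role: str
    scope: str      # subscription, resource group or resource path


def _matches(pattern: str, action: str) -> bool:
    # Azure action names are case-insensitive and '*' spans '/' separators.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: str, action: str) -> bool:
    """Allowed if some Actions pattern matches and no NotActions pattern does."""
    definition = BUILT_IN_ROLES[role]
    allowed = any(_matches(p, action) for p in definition["actions"])
    denied = any(_matches(p, action) for p in definition["not_actions"])
    return allowed and not denied


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and everything nested beneath it."""
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_allowed(principal, action, target_scope, assignments, group_members) -> bool:
    """True if the principal, directly or via a group, holds a covering role."""
    identities = {principal} | {g for g, members in group_members.items() if principal in members}
    return any(
        ra.principal in identities
        and scope_covers(ra.scope, target_scope)
        and role_permits(ra.role, action)
        for ra in assignments
    )


# Constructed sample tenant: ids, names and assignments are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
GROUP_MEMBERS = {"grp-ops": {"carol"}}
ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", SUB),        # read-only across the subscription
    RoleAssignment("grp-ops", "Contributor", RG),  # group assignment at resource-group level
    RoleAssignment("bob", "Owner", VM),            # owner of a single resource
]


def check(principal: str, action: str, scope: str) -> bool:
    return is_allowed(principal, action, scope, ASSIGNMENTS, GROUP_MEMBERS)


if __name__ == "__main__":
    for who, act, where in [
        ("carol", "Microsoft.Compute/virtualMachines/write", VM),
        ("carol", "Microsoft.Authorization/roleAssignments/write", VM),
        ("bob", "Microsoft.Authorization/roleAssignments/write", RG),
        ("alice", "Microsoft.Compute/virtualMachines/read", VM),
    ]:
        print(who, act, "->", check(who, act, where))
```

Two results are worth noticing: carol can write the VM through her group's Contributor assignment on the resource group, but cannot create a role assignment on it, because Contributor's NotActions exclude Microsoft.Authorization writes; and bob, Owner of the VM only, cannot manage access on the resource group, since assignments flow down the hierarchy and never up.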
========================================================================
The Authorization Code Flow

  • Here the application redirects the user to the Authorization Server.
  • The user completes the authorization steps presented by the Authorization Server.
  • The user is then redirected back to the application with an authorization code in the query string.
  • The application then exchanges the authorization code for the access token.
The different query string parameters
  • response_type=code – This tells the authorization server to initiate the authorization code flow.
  • client_id – This is the public identifier of the application.
  • redirect_uri – This tells the authorization server where to send the user back to after the request has been approved.
  • scope – This is one or more space-separated strings that indicate the permissions the application is requesting.
  • state – This is a random string generated for the request. The application must check it again after the user authorizes the application. This helps to prevent Cross-Site Request Forgery (CSRF) attacks.
Next, the application makes a POST request to the token endpoint to get the token:
  • grant_type=authorization_code – This tells the token endpoint on the authorization server to use the Authorization Code grant type.
  • code – This is the authorization code that was returned to the application in the redirect from the initial authorization request.
  • client_id – This is the public identifier of the application.
  • client_secret – The application’s client secret
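The four steps and the two parameter lists above, carried through in Python as an added example that is not from the original post. The client-side functions build the authorization URL, verify the state on the callback and build the token POST body; the FakeAuthorizationServer class is a toy stand-in for a real Authorization Server so that the exchange can run offline. The endpoints, client id, client secret and redirect URI are constructed placeholder values, not a real registration. The token request also carries redirect_uri, which RFC 6749 section 4.1.3 requires whenever it was sent in the authorization request.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints for the example; a real client uses the identity
# provider's published authorize and token endpoints.
AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/authorize"
TOKEN_ENDPOINT = "https://login.example.test/oauth2/token"


def new_state() -> str:
    """Unguessable per-request value; the client keeps it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Step 1: the URL the application redirects the user's browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-separated, as in the parameter list above
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: the user lands on redirect_uri; verify state, then take the code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [""])[0]
    if not state or not hmac.compare_digest(state, expected_state):
        # A callback whose state the application did not issue is dropped: the CSRF check.
        raise ValueError("state mismatch")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
    """Step 4: the form body the application POSTs (server to server) to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # RFC 6749 s4.1.3: required when sent in step 1
    }


class FakeAuthorizationServer:
    """Toy stand-in for the Authorization Server so the exchange runs offline."""

    def __init__(self, clients: dict):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uris": [...]}
        self.codes = {}         # issued code -> (client_id, redirect_uri); single use

    def authorize(self, authorize_url: str) -> str:
        """Step 2: the user approves; returns the redirect URL carrying code and state."""
        q = parse_qs(urlparse(authorize_url).query)
        if q.get("response_type", [""])[0] != "code":
            raise ValueError("unsupported response_type")
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        if redirect_uri not in self.clients[client_id]["redirect_uris"]:
            raise ValueError("unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, form: dict) -> dict:
        """Step 4: validate the exchange and issue an access token."""
        issued = self.codes.pop(form.get("code"), None)  # pop: a code is redeemable once
        client = self.clients.get(form.get("client_id"))
        if (form.get("grant_type") != "authorization_code" or issued is None
                or client is None
                or not hmac.compare_digest(client["secret"], form.get("client_secret", ""))
                or issued != (form["client_id"], form.get("redirect_uri"))):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: FakeAuthorizationServer, client_id: str, client_secret: str, redirect_uri: str) -> dict:
    """The whole exchange from the application's side, steps 1 to 4."""
    state = new_state()  # stored in the user's session between steps 1 and 3
    callback = server.authorize(build_authorize_url(client_id, redirect_uri, ["user.read"], state))
    code = parse_callback(callback, state)
    return server.token(build_token_request(code, client_id, client_secret, redirect_uri))


# Constructed sample registration, not a real client.
DEMO_CLIENT_ID = "demo-client-id"
DEMO_CLIENT_SECRET = "demo-client-secret"
DEMO_REDIRECT = "https://app.example.test/callback"
DEMO_SERVER = FakeAuthorizationServer(
    {DEMO_CLIENT_ID: {"secret": DEMO_CLIENT_SECRET, "redirect_uris": [DEMO_REDIRECT]}})

if __name__ == "__main__":
    print(run_flow(DEMO_SERVER, DEMO_CLIENT_ID, DEMO_CLIENT_SECRET, DEMO_REDIRECT))
```

The design choice to note is that the state is generated and compared on the application side, never trusted from the callback, and that the toy server pops each code on redemption, so a code captured from the browser cannot be exchanged a second time or by a client that does not hold the secret.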
