Implement user authentication and authorization Flashcards
Microsoft identity platform supports two types of permissions
Delegated access is used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated the permission to act as the signed-in user when it makes calls to the target resource.
App-only access permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons. Only an administrator can consent to app-only access permissions.
Components that make up the Microsoft identity platform
OAuth 2.0 and OpenID Connect standard-compliant authentication service
Open-source libraries
Microsoft identity platform endpoint
Application management portal
Application configuration API and PowerShell
Three consent types
static user consent
incremental and dynamic user consent
admin consent
Public client
Public client applications run on devices such as desktops and mobile devices, or as browserless APIs or client-side browser apps. They can’t be trusted to safely keep application secrets, so they can only access web APIs on behalf of the user. Any time the source or compiled bytecode of an app is transmitted anywhere, it can be read, disassembled, or otherwise inspected by untrusted parties. Because they support only public client flows and can’t hold configuration-time secrets, they can’t have client secrets.
Confidential client applications
Confidential client applications run on servers, such as web apps, web API apps, or service/daemon apps. They’re considered difficult for users or attackers to access, and therefore can adequately hold configuration-time secrets to assert proof of their identity. The client ID is exposed through the web browser, but the secret is passed only in the back channel and is never directly exposed.
What is the purpose of using PublicClientApplicationBuilder class in MSAL.NET?
Enables the automation and validation of the creation and teardown of environments to help deliver secure and stable application hosting platforms
User delegation SAS
A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.
Service SAS
A service SAS is secured with the storage account key. A service SAS delegates access to a resource in the following Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.
Account SAS
An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.