The basics of modern authentication - Microsoft identity platform

  • Published: 23 Aug 2024

Comments • 29

  • @mateuscoelho3576
    @mateuscoelho3576 8 months ago +1

    Excellent introductory material

  • @zakiit9594
    @zakiit9594 3 years ago +4

    Thanks & I wonder if there is a video that has more details about the different workflows that exist

  • @salvadorgarcia7612
    @salvadorgarcia7612 3 years ago +8

    I would've liked if there was a transcript that would read what was said. It was a little hard to keep up with the conversation, but still very informative.

    • @aditheppruekpitakpong3847
      @aditheppruekpitakpong3847 3 years ago +3

      You can turn on subtitles (CC icon close to the Gear icon at the right bottom of the RUclips video).

    • @MichealColhoun
      @MichealColhoun 1 year ago

      Agreed. For me, I play at 0.75 speed and turn on captions :-)

  • @Nethanel773
    @Nethanel773 1 year ago

    Thank you for putting this up.

  • @percelldeberry8397
    @percelldeberry8397 2 years ago

    Great Job!! Thanks

  • @nolimitsREAL
    @nolimitsREAL 1 year ago

    The one thing that I am probably missing is how the access token is confirmed with the or in the API, that it is the correct one?

    • @luckbeforeleap
      @luckbeforeleap 1 year ago

      Token is signed by the IdP (AzureAD) and that signature can be verified by the SaaS application

    • @nolimitsREAL
      @nolimitsREAL 1 year ago

      @@luckbeforeleap Thank you for the answer. Does this include my own developed API?

  • @kevin179887
    @kevin179887 3 years ago +1

    Around 5:40, Kyle mentions the audience of the token and instructs us to check it to ensure that it's our application, but doesn't that mean we have access to other applications' tokens?

    • @Semidicht
      @Semidicht 3 years ago

      It could be part of an attack, where an attacker somehow managed to steal a token when the user logged into some other application. Then the attacker can call your redirect URL with the stolen token. By checking the audience claim, you ensure that the user actually did mean to give this token to your application.

    • @kevin179887
      @kevin179887 3 years ago +1

      @@Semidicht This would be the same problem as the OAuth implicit flow and the reason they recommend the Authorization code flow. Implicit flow is still safe since it's run over SSL. The argument is the application is not being validated.

    • @Semidicht
      @Semidicht 3 years ago

      I think it has nothing to do with SSL. Someone could just look over your shoulder while you look at the id_token in your browser and memorize it. Or a user could make a careless screenshot with the token and post it on the internet. Validating the audience eliminates some problems with that.

    • @kylemarsh4038
      @kylemarsh4038 1 year ago

      Your app gets an ID token. Your app must validate that the aud claim of that token is your app. Your app should never look at the access tokens your app acquires to call APIs. It is the responsibility of the API to ensure that the aud claim on the tokens provided to call the API is for the API. You don't necessarily have access to other apps' tokens, but you want to guard against an attempt by someone to replay a token stolen from another app to your app.
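The API-side check that @luckbeforeleap and Kyle describe above (verify the signature first, then check that aud names this API), as an added example that is not from the video or from Microsoft. It signs with HS256 from the standard library as a stand-in for the RS256 signatures Azure AD issues, where the API verifies against the tenant's published signing keys rather than a shared secret; the aud, iss and exp checks are the same in both cases. DEMO_KEY, EXPECTED_AUD and EXPECTED_ISS are constructed placeholders.

```python
"""Validate a JWT the way a resource API should: verify the signature, then
check the aud, iss and exp claims. HS256 via the standard library stands in
for the RS256 signatures an IdP such as Azure AD issues; the claim checks
are identical."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: a demo signing key and the identifiers this API expects.
DEMO_KEY = b"demo-signing-key-not-for-production"
EXPECTED_AUD = "api://my-api"                       # hypothetical app ID URI
EXPECTED_ISS = "https://login.example.test/tenant"  # hypothetical issuer

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, key: bytes = DEMO_KEY, now: float = None) -> tuple:
    """Return (accepted, reason). Nothing in the payload is trusted before the
    signature has been verified."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"   # forged or tampered token
    claims = json.loads(_b64url_decode(payload))
    aud = claims.get("aud")             # may be a string or a list of strings
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud mismatch"    # valid token, but minted for another app
    if claims.get("iss") != EXPECTED_ISS:
        return False, "iss mismatch"    # issued by a different IdP or tenant
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"
```

A token minted for another application fails the aud check even though its signature verifies, which is exactly the replay case discussed in this thread.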

  • @ushasingh2414
    @ushasingh2414 2 years ago

    Thank u

    • @ushasingh2414
      @ushasingh2414 2 years ago

      I love to hear the speaker. He also teaches me the language & graphics

  • @photoartbergmann2394
    @photoartbergmann2394 2 years ago

    What is the difference between API permissions and expose API in Azure AD?

  • @clashclan4739
    @clashclan4739 2 years ago

    Great

  • @richiero0o0
    @richiero0o0 1 year ago

    8:42 "And then the API needs to validate the JWT signature..." - but you just said that you're sending the Access Token...which, as you said 1 minute before, is not a JWT!
    It's little things like this that make this stuff harder than it needs to be.

    • @kylemarsh4038
      @kylemarsh4038 1 year ago

      Good point. The API has to validate the token. The token may, or may not, be a JWT. Azure AD does use JWT tokens when you register your APIs to get tokens issued by Azure AD.

  • @DataJuggler
    @DataJuggler 3 years ago +2

    7:19 So funny you say 'Shouldn't use this as a key', yet the Microsoft Store uses email addresses as a key. When I got a refund, my account was deleted, and then when I signed up again I had to use an alternate email, when I had had one email for 10 years at the time, now 15. Now I can't remember my email, and no one from Microsoft can help me find my account. Too big a company, and do as I say, not as I do.

    • @kevin179887
      @kevin179887 3 years ago

      Azure has the same problem

  • @ssssssssssss885
    @ssssssssssss885 3 years ago +7

    I wish, additionally to videos, you guys would write articles for the same information.
    Many people are readers and hate to hear voices when studying, in particular when the speakers are poor and a distraction. The alternating speakers in this video are particularly annoying, the video editing is less than mediocre.

  • @KenDiriwan
    @KenDiriwan 3 years ago +3

    As useful as this is, I really dislike the throat-dominate kind of voice, especially for technical explanation.
    Just difficult to digest what was being said.
    Maybe just my hearing problem.
    Meanwhile Kyle's voice is really easy for me to listen to.

    • @bluejanis5317
      @bluejanis5317 3 years ago +1

      Both sound like low quality audio recordings.

    • @GregWoodsLancs
      @GregWoodsLancs 2 years ago

      I thought Nik's was excellent. Kyle's was pretty poor. I'm very surprised that the Microsoft Surface headphones are not mandatory for their employees making videos!

    • @coyotebones1131
      @coyotebones1131 2 years ago

      “Throat-dominate kind of voice”

  • @levgtz8158
    @levgtz8158 1 year ago

    Awfully complicating things