Building Secure Microservices in Azure - Jimmy Bogard - NDC London 2023

Discover how to build secure microservices in Azure, covering role-based authentication, permissions, and authorization flows with Azure AD, Auth0, and other identity providers.

Key takeaways

Role-based authentication is not just about labels, it’s about specific permissions and permissions scopes.
The speaker uses Azure AD as an example, but Auth0 and other identity providers work similarly.
Microsoft.identity.web package makes it easy to authenticate a server API with Azure AD.
Application registrations in Azure AD define the scope of what the application can do.
Different scenarios and clients require different authorization flows.
OAuth flows, such as client credentials flow and authorization code flow, are used for different scenarios.
Role-based authorization should not be coarse-grained, but rather specific and fine-grained.
Use Azure roles to control access to resources.
Use Azure App Service and managed identities to simplify security.
Use token authentication to secure APIs.
Use Azure AD B2B and B2C for external clients.
Use internal clients, such as server-app registrations, to manage access to resources.
Use permissions scopes to control what resources can be accessed.
Token acquisition should be based on the client ID and client secret.
Service principles are like roots of identity, and roles are like permissions assigned to them.
Azure AD provides pre-defined roles, such as reader and contributor, for convenience.
Azure App Service Environments (ASEs) provide a secure container for web apps.
Azure App Service Plan (ASP) provides a container for multiple apps.
Azure Active Directory (AAD) provides identity and access management for users and applications.
Permissions can be assigned to Azure roles, and Azure roles can be assigned to users and groups.
Claims-based authentication and authorization provide fine-grained control over access.

Building Secure Microservices in Azure - Jimmy Bogard - NDC London 2023

More talks