A naukri.com initiative
Damienbod
1M
153
Image Credit: Damienbod
Microsoft Entra ID App-to-App security architecture
- This article explains the different setups when using App-to-App security with Microsoft Entra ID (OAuth client credentials).
- A single Microsoft Entra ID App registration can be used for both the client and the resource specification.
- The claims in the access token are validated as much as possible to prevent unauthorized clients from using the resource.
- This can be considered a bad architecture because the ME-ID App registration is used for two separate intentions, the client requesting the access token and the resource providing the service.
- This architecture allows for separation of clients and is required if more than one client can use the resource.
- The different clients can be identified in the application using the azp claim or the oid claim.
- Audit logs can also be per client and the application can implement separate business logic or authorization based on the client_id, object ID (azp or oid).
- In more complex architectures, the solution might have multiple services. A single client can used multiple resources.
- The resource implementation, i.e. the API access token validation, the App roles can be used to authorize the request.
- The default scope is used to access the resource and all roles from the App registration are included in the access token.
Read Full Article
9 Likes
For uninterrupted reading, download the app