by laserbeam
1174 days ago
I always loved the AAD documentation whenever I had to work with these things. Whenever I have to implement a service, the things I care about are of this nature:

- how do I validate a token to confirm that a call has permissions to do a thing
- what secrets do I need to safeguard in order to be able to validate said tokens
- does the caller need to store any secrets
- when do I need to call external services in order to validate tokens

Instead, AAD hides all these behind abstract terms like: service principal, app registration, enterprise application... No wonder people fuck up. I can't even comprehend what "creating their own instance of an app" means! This is way more abstract than it needs to be. Does the code get served from somewhere else? Do they get DB copies? Probably not... But it hurts to think in these terms when all we want is to make sure calls are authorized. And yes, I have successfully implemented this kind of stuff before. I used to keep sections of the RFCs on speed dial. I've never had to deal with cloning app registrations.