token's oauth security mechanisms

Question

What security mechanisms does the oauth authentication token currently have in the azure AD authentication service that mitigates the risk of exposure of the information supplied in the token.

Answer 1

Hi @Alejandro Castaño Jimenez ,

Thanks for reaching out.

Azure AD is the authorization server, also known as the Identity Provider (IdP). It securely handles anything to do with the user's information, their access,
and the trust relationship. It's responsible for issuing the tokens that grant and revoke access to resources.

The token is signed by the authorization server with a private key. The authorization server publishes the corresponding public key. To validate a token, the app verifies the signature by using the authorization server public key to validate that the signature was created using the private key.

However, all cloud providers do have internal protections and are configured with appropriate security. One of the founding principles of Zero Trust is assumes breach and verifies each request as though it originated from an uncontrolled network.

It is also the responsibility developer to not only maximize the security of the application, but also minimize the damage the application by following best practices:

1. Use of MSAL (Microsoft Authentication Libraires) - MSAL uses modern protocols (OpenID Connect and OAuth 2.0) that remove the need for applications to ever handle a user's credentials directly.
2. Use correct authentication flow to get the token as confidential clients are more secure than public clients.

Hope this will help.

Thanks,
Shweta

---------------------------------------------

Please remember to "Accept Answer" if answer helped you.