
Missing documentation/comments about AAD long-lived bearer token

Open cadi3s opened this issue 4 years ago • 2 comments

The comments in ConfigureService for production say that you should not "rely on a token generated by Azure AD". Is that comment correct?

The tutorial says that the only valid option for non-gallery apps is to use a long-lived bearer token. I can create a JWT access_token to my SCIM API with a 3-year expiry date, and paste that in the Secret Token field. But that is just a glorified 'shared secret' - how is that safer than using the /scim/token development endpoint?

If I leave 'secret token' blank, at least I can verify the issuer in the AAD generated token and know that I am called from the correct Tenant, instead of having a fixed token that could be compromised.

NB: my question is similar to issues #35 and #37 and Rickard's post on SO. However, the fact remains that ConfigureService in SCIMReferenceCode only contains code on how not to do things.

cadi3s avatar May 21 '21 16:05 cadi3s

Yes, been struggling with trying to understand how to turn this into a multi-tenant enabled solution. Creating a fixed token per AD tenant doesn't make sense.

Would not checking the issued Azure AD token be better than a long lived secret?

rfolkes avatar Jun 22 '21 13:06 rfolkes
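An added example, not code from SCIMReferenceCode or from any of the commenters, of the alternative that the question and rfolkes's comment describe: an ASP.NET Core service registration that validates the Azure AD bearer token (signature, lifetime, audience, and an allow list of tenant issuers) instead of comparing against a long-lived secret token. The tenant GUIDs, the audience URI and the `AddScimBearerAuthentication` method name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ScimAuthentication
{
    // Tenants allowed to provision into this SCIM endpoint (placeholder GUIDs).
    private static readonly HashSet<string> AllowedTenantIds = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "00000000-0000-0000-0000-000000000001",
        "00000000-0000-0000-0000-000000000002",
    };
    // App ID URI of the app registration that fronts the SCIM endpoint (placeholder).
    private const string ScimAudience = "api://contoso-scim-placeholder";

    public static void AddScimBearerAuthentication(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys come from the common metadata endpoint, so a token from any
                // tenant can be signature-checked; which tenants are accepted is decided below.
                options.Authority = "https://login.microsoftonline.com/common/v2.0";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    ValidateLifetime = true,
                    ValidateAudience = true,
                    ValidAudience = ScimAudience,
                    ValidateIssuer = true,
                    IssuerValidator = ValidateTenantIssuer, // per-tenant allow list
                };
            });
    }

    // Azure AD issuers carry the tenant id as the first path segment
    // (https://sts.windows.net/{tenant}/ or https://login.microsoftonline.com/{tenant}/v2.0).
    private static string ValidateTenantIssuer(
        string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        if (Uri.TryCreate(issuer, UriKind.Absolute, out var uri)
            && AllowedTenantIds.Contains(uri.AbsolutePath.Trim('/').Split('/')[0]))
        {
            return issuer;
        }
        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not an allowed tenant.") { InvalidIssuer = issuer };
    }
}
```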

Duplicate of #35

marcusca10 avatar Jan 19 '22 10:01 marcusca10