What is OIDC in Azure and How to Use It in GitHub Actions and .NET
This post covers the basics of OIDC and the framework it is built on, its use with Microsoft Entra, and how to connect it to GitHub Actions and a .NET code base.
Agenda:
- Difference between Authentication and Authorization
- What is a Network Protocol
- What is OAuth and OAuth 2.0
- OpenID Connect (OIDC) with Microsoft Entra
- Configuring OIDC
Difference between Authentication and Authorization:
- Authentication: prove who you are.
Example: Are you a cook? Cook a dish and prove you are a cook.
- Authorization: are you eligible to perform a task?
Example: If you are a cook, you are eligible only to make pancakes.
What is a Network Protocol?
A network protocol is a set of rules that defines the format of the data sent and received between network endpoints, so that computers, servers and routers can communicate with one another despite differences in their underlying infrastructure. Both sides of the communication must use and follow the same protocol.
You can find a more detailed explanation of the network layers here: https://medium.com/@devopswithyoge/azure-load-balancing-resources-simplified-use-cases-with-devops-ci-cd-3073cfd744b4
What is OAuth and OAuth 2.0?
OAuth is an open-standard authorization protocol that gives applications a way to provide secure delegated access.
OAuth does not share your password; instead it uses authorization tokens to authorize the identity between the user and the service provider.
OAuth 2.0 is a framework built on top of the OAuth protocol.
Below is a sample use case where OAuth 2.0 is used.
When you try to log in to the Medium website, it offers several options for creating an account, as shown in the screenshot below.
Once you click "Sign in with Google", you are redirected to the Google sign-in page; after you enter your Gmail username and password and are authenticated, you are redirected back to Medium.
OpenID Connect (OIDC) with Microsoft Entra
OIDC (OpenID Connect) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end user and obtain basic user information in order to authorize the user into the application. It uses JSON Web Tokens (JWTs), which are obtained through flows that conform to OAuth 2.0.
Steps:
1. The user opens a browser and wants to log in to a web app hosted in Azure.
2. When the user tries to access the web application, it prompts them to sign in with a Microsoft account.
3. This Microsoft account must be one of the users assigned to the Azure AD application.
4. Once the user enters their credentials, the application redirects.
5. In the background, the complete flow happens:
6. Azure AD, through OIDC, issues a short-lived token.
7. This access token is redirected back to the web application.
8. The web app validates the access token and returns the home page of the web application or the requested page.
Configuring OIDC:
Steps to configure OIDC with your .NET code base:
https://www.codeproject.com/Articles/5297820/Azure-Active-Directory-Authentication-with-OpenID
Steps to configure OIDC with your GitHub Actions pipeline:
Authenticate to Azure from GitHub Action workflows | Microsoft Learn
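As an added example (not code from the original post or from the linked Microsoft Learn article), here is a minimal GitHub Actions workflow that signs in to Azure with OIDC instead of a stored client secret. It assumes an app registration in Microsoft Entra with a federated credential whose issuer is https://token.actions.githubusercontent.com, whose subject is repo:<org>/<repo>:ref:refs/heads/main and whose audience is api://AzureADTokenExchange; the secret names are placeholders you choose yourself.

```yaml
name: deploy-with-oidc

on:
  push:
    branches: [main]

# id-token: write lets the job request a short-lived OIDC token from GitHub.
# Without it, azure/login cannot perform the federated token exchange.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # No client secret is stored in GitHub: the action presents GitHub's
      # OIDC token to Entra, which only returns an Azure access token if the
      # token's issuer, subject and audience match the federated credential
      # on the app registration (assumed subject: repo:<org>/<repo>:ref:refs/heads/main).
      # A run from another branch or repository carries a different subject
      # and is rejected, which is the control that replaces the secret.
      - name: Azure login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}           # application (client) ID
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}           # Entra tenant ID
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Later steps use the short-lived token obtained above; nothing long-lived
      # is written to the runner.
      - name: Show signed-in identity
        run: az account show --output table
```

If you use a GitHub environment on the job, the subject becomes repo:<org>/<repo>:environment:<name> and the federated credential must be created with that subject instead.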
Conclusion:
OIDC provides the client with a short-lived access token that is used to authorize without handing over the real username and password. The underlying OAuth 2.0 is a widely used protocol today.