Security for web services covers several areas: authentication answers the question who is calling the web service, while authorization answers the question is the caller allowed to call the web service operation. After successful authentication of a...
Insomnia is pretty poor when using mTLS with PKCS#12. As mTLS is demanded by CJ, I see it as draw back. In Postman, you could directly import PKCS#12, with Insomnia you need to decompose it to a PEM for cert and key.
Yes, it is possible, but comes with some boundary conditions.1) Azure AD is not frameable. This means the authentication with IAS/Azure AD must have happened before hitting the inner frame. Usually the parent and the inner frame are using the same IA...
Nice blog.
One additional comment. Instead of using client secrets for authentication, you can change to certificates with private key jwt.
Get the certificate from IAS, e.g. from <IAS>/admin/#/tenantSettings/openIdConnect -> display active certi...
IAS offers a validate functionality. This has been enhanced to run a complete authentication request with Azure AD. In case errors occur, you get details on the errors there.You find the validate button under Identity Provider -> Open ID Connect Conf...
Instead of using client secrets, the recommendation is to configure an IAS tenant as custom platform IdP and authenticate using username/password.We looked at the option for supporting clientid/secret, but it has to many shortcomings.See https://blog...
