The OAuth Token Flow and Token Theft

The OAuth Token Flow

image-center

Using a client browser or app the user navigates to an application protected by Azure AD Authentication.
The App redirects them to Azure AD to complete authentication.
The user supplies their credential and/or multi-factor authentication.
Azure AD issues tokens and they are stored within the client.
The browser or application presents these tokens to access the application.

image-center

~ At some point the user’s device has been compromised.

The attacker readers and copies the issued tokens.
The attacker replays these tokens to access the resource as the user.

Note that Pass-the-cookie attacks can occur against any online authentication broker and are not limited to Azure AD.

Twitter Facebook LinkedIn

Scoping Azure AD Roles with Administrative Units

less than 1 minute read

In Azure AD, an Administrative Unit is a collection of Users, Groups and Devices. These groupings provide a means to apply granular control in the assignment...

Granting Background App Services, Daemons and Scripts Delegated Permissions for Microsoft Graph

less than 1 minute read

Background services, daemons and scripts interacting with Microsoft Graph are commonly configured to acquire Application level permissions. Application admin...

B2C Federating to a Single Azure AD Tenant

less than 1 minute read

A B2C tenant that federates back to single Azure AD tenant supporting Members, Guests (B2B) and Customers (or Consumers).

Azure AD Group Writeback to On-Premises AD

less than 1 minute read

Using the Azure AD Connect Group Writeback feature to synchronise cloud groups to on-premises.

The OAuth Token Flow and Token Theft

Chris Dymond