{"id":3519,"date":"2017-01-09T01:05:19","date_gmt":"2017-01-09T09:05:19","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/?p=3519"},"modified":"2017-01-09T01:06:31","modified_gmt":"2017-01-09T09:06:31","slug":"one-year-since-modern-authentication-with-azure-active-directory-for-web-applications-came-out","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2017\/01\/09\/one-year-since-modern-authentication-with-azure-active-directory-for-web-applications-came-out\/","title":{"rendered":"One year since “Modern Authentication with Azure Active Directory for Web Applications” came out"},"content":{"rendered":"

\"image\"<\/a><\/p>\n

About one year ago, I was all excited to finally hold in my hands the thing that swallowed most of the weekends and vacation days of 2015: a paper copy of my latest book, \u201cModern Authentication with Azure Active Directory for web Applications\u201d<\/a>. And I just realized I never wrote an \u201cannouncement\u201d post, so here it is!<\/p>\n

What is the book about, and why I wrote it<\/h2>\n

The TL;DR is that I wanted to fill a gap in the Azure AD content. Most of our docs were either aimed at helping you to quickly accomplish a task, without worrying too much about the general concepts behind it, or bite-size topic focusing on a individual topics. We had nothing meant to help a motivated developer to become an expert in the use of Azure AD, regardless of how much or how little he or she knew about identity already. So I wrote a book about it \"Smile\"<\/p>\n

Things worked out pretty well; lots of people claim that the book<\/a> helped them, which is really the best reward an author can hope for. Icing on the cake, my bosses liked it \u2013 to the point that they got a paper copy for each and everyone in our team (that\u2019s several hundreds people), and it is now part of the new hire package (BTW, did you know we are hiring? hit me if you are interested!).<\/p>\n

Want more details? Here there\u2019s the introduction, pasted verbatim from the book\u2019s<\/a> manuscript.<\/p>\n

Introduction<\/strong><\/h3>\n

It\u2019s never a good idea to use the word \u201cmodern\u201d in the title of a book.
\nGrowing up, one of the centerpieces of my family\u2019s bookshelf was a 15-tomes-strong encyclopedia titled Nuovissima Enciclopedia (Very new encyclopedia), and I always had a hard time reconciling the title with the fact that it was 10 years older than me.
\nI guarantee that the content in this book will get old faster than those old volumes\u2014cloud and development technologies evolve at a crazy pace\u2014and yet I could not resist referring to the main subject of the book as \u201cmodern authentication.\u201d
\nThe practices and technologies used to take care of authentication in business solutions have changed radically nearly overnight, by a perfect storm of companies moving their assets to the cloud, software vendors starting to sell their products via subscriptions, the explosive growth of social networks with the nascent awareness of consumers of their own digital identity, ubiquitous APIs offering programmatic access to everything, and the astonishing adoption rate of Internet-connected smartphones.
\n\u201cModern authentication\u201d is a catch-all term meant to capture how today\u2019s practices address challenges differently from their recent ancestors: JSON instead of XML, REST instead of SOAP, user consent and individual freedom alongside traditional admin-only processes, an emphasis on APIs and delegated access, explicit representation of clients, and so on. And if it is true that those practices will eventually stop appearing to be new\u2014they are already mainstream at this point\u2014the break with traditional approaches is so significant that I feel it\u2019s important to signal it with a strong title, even if your kids make fun of it a few years from now.
\nAs the landscape evolves, Active Directory evolves with it. When Microsoft itself introduced one of the most important SaaS products on the planet, Office 365, it felt firsthand how cloud-based workloads call for new ways of managing user access and application portfolios. To confront that challenge Microsoft developed Azure Active Directory (Azure AD), a reimagined Active Directory that takes advantage of all the new protocols, artifacts, and practices that I\u2019ve grouped under the modern authentication umbrella. Once it was clear that Azure AD was a Good Thing, it went on to become the main authentication service for all of Microsoft\u2019s cloud services, including Intune, Power BI, and Azure itself. But the real raison d\u2019etre of this book is that Microsoft opened Azure AD to every developer and organization so that it could be used for obtaining tokens to invoke Microsoft APIs and to handle authentication for your own web applications and web APIs.<\/p>\n

Modern Authentication with Azure Active Directory for Web Applications is an in-depth exploration of modern authentication protocols and techniques used to implement sign-on for web applications and to protect web API calls. Although the protocols and pattern descriptions are applicable to any platform, my focus is on how Azure AD, the latest version of Active Directory Federation Services (ADFS), and the OpenID Connect and OAuth2 components in ASP.NET implement those approaches to handle authentication in real applications.
\nThe text is meant to help you achieve expert-level understanding of the protocols and technologies involved in implementing modern authentication for a web app. Substantial space is reserved for architectural pattern descriptions, protocol considerations, and other abstract concerns that are necessary for correctly contextualizing the more hands-on advice that follows.
\nMost of the practical content in this book is about cloud and hybrid scenarios addressed via Azure AD. At the time of writing, the version of ADFS supporting modern authentication for web apps is still in technical preview; however, on-premises-only scenarios are covered whenever the relevant features are already available in the preview.<\/p>\n

Who should read this book<\/h4>\n

I wrote this book to fill a void of expert-level content for modern authentication, Azure AD, and ADFS. Microsoft offers great online quick starts, samples, and reference documentation\u2014check out http:\/\/aka.ms\/aaddev\u2014that<\/a> are perfect for helping you fulfil the most common tasks as easily as possible. That content covers many scenarios and addresses the needs of the vast majority of developers, who can be extremely successful with their apps without ever knowing what actually goes on the wire, or why. I like to think of that level of operation as the automatic mode for handheld and smartphone cameras\u2014their defaults work great for nearly everybody, nearly all the time. But what happens if you want to take a picture of a lunar eclipse or any other challenging subject? That\u2019s when the point-and-click facade is no longer sufficient and knowing about aperture and exposure times becomes important. You can think of this book as a handbook for when you want to switch from automatic to manual settings. Doing so is useful for developers who work on solutions for which authentication requirements depart from the norm and for the devops who run such solutions.
\nDevelopers who worked with Windows Identity Foundation will find the text useful for transferring their skills to the new platform, and they\u2019ll pick up some new tricks along the way. The coverage of how the OWIN middleware works is deeper than anything I\u2019ve found on the Internet at this time: if you are interested in an in-depth case study of ASP.NET\u2019s Katana libraries, you\u2019ll find one here.
\nThis book also comes in handy for security experts coming from a classic background and looking to understand modern protocols and approaches to authentication\u2014the principles and protocols I describe can be applied well beyond Active Directory and ASP.NET. Security architects considering Azure AD for their solutions can use this book to understand how Azure AD operates. Protocol experts who want to understand how Azure AD and ADFS use OpenID Connect and OAuth2 will find plenty to mull over as well.<\/p>\n

Assumptions<\/h4>\n

This book is for senior professionals well versed in development, distributed architectures, and web-based solutions. You need to be familiar with HTTP trappings and have at least a basic understanding of networking concepts. All sample code is presented in C#, and all walk-throughs are based on Visual Studio. Azure AD and ADFS can be made use of from any programming stack and operating system; however, if you don\u2019t understand C# syntax and basic constructs (LINQ, etc.), it will be difficult for you to apply the coding advice in this book to your platform of choice. For good background, I\u2019d recommend John Sharp\u2019s Microsoft Visual C# Step by Step, Eighth Edition (Microsoft Press, 2015).
\nAbove all, this book assumes that you are strongly motivated to become an expert in modern authentication techniques and Azure AD development. The text does not take any shortcuts: you should not expect a light read; most chapters require significant focus and time investment.<\/p>\n

This book might not be for you if\u2026<\/h4>\n

This book might not be for you if you just want to learn how to use Azure AD or ADFS for common development tasks. You don\u2019t have to buy a book for that: the documentation and the samples available at http:\/\/aka.ms\/aaddev<\/a> will get you up and running in no time, thanks to crisp step-by-step instructions. If there are tasks you\u2019d like to see covered by the Azure AD docs, please use the feedback tools provided at that address: the Azure AD team is always looking for feedback for improving its documentation.
\nThis book is also not especially good as a lookup reference. The text covers a lot of ground, including information that isn\u2019t included in the documentation at this time, but the information is unveiled progressively, building on the reader\u2019s growing understanding of the topic. The book is optimized as a long lesson, not for looking things up.
\nFinally, this book won\u2019t be of much help if you are developing mobile, native, and rich-client applications. I originally intended to cover those types of applications, too, but the size of the book would have nearly doubled, so I had to cut them from this edition.<\/p>\n

Organization of this book<\/h4>\n

This book is meant to be read cover to cover. That\u2019s not what most people like to do, I know: bite-size and independent modules is the way to go today. I believe there are media more conducive to that approach, like video courses or the online documentation at http:\/\/aka.ms\/aaddev<\/a>. I chose to write a book because to achieve my goal\u2014helping you understand modern authentication principles and how to take advantage of them with Azure AD\u2014I cannot feed you only factlets and recipes. I have to present you with a significant amount of information, highlight relationships and implications for you, and then often ask you to tuck that knowledge away for a chapter or two before you actually end up using it. That\u2019s where I believe a book can still deliver value: by giving me the chance to hold your attention for a significant amount of time, I can afford a depth and breadth that I cannot achieve in a blog post. (By the way, did I mention that I do blog a lot as well? See www.cloudidentity.com and www.twitter.com\/vibronet.)
\nIf this book has a natural fault line in its organization, it lies between the first four chapters and the last six. The first group provides context, and the later chapters dive deeply into the protocols, code, libraries, and features of Active Directory. Here\u2019s a quick description of each chapter\u2019s focus:
\n\u25a0\u25a0
\nChapter 1, \u201cYour first Active Directory app,\u201d is a soft introduction to the topic, giving you a brief glimpse of what you can achieve with Azure AD. It mostly provides instructions on how to use Visual Studio tools to create a web app that\u2019s integrated with Azure AD. Instant gratification.
\n\u25a0\u25a0
\nChapter 2, \u201cIdentity protocols and application types,\u201d is a detailed history of identity protocols. It introduces terminology, topologies, and relationships between standards and helps you understand how modern authentication
\ncame to be and why identity is managed the way it is today.<\/p>\n

Chapter 3, \u201cIntroducing Azure Active Directory and Active Directory Federation Services,\u201d presents basic concepts, terminology, and a list of developer-relevant features for Azure AD and ADFS. The hands-on chapters (Chapters 6-10) provide detailed descriptions of the features of both services that come into play in the scenarios of interest for the book.
\n\u25a0\u25a0
\nChapter 4, \u201cIntroducing the identity developer libraries,\u201d covers basic concepts, terminology, and the features of the Active Directory Authentication Library (ADAL) and ASP.NET OWIN middleware.
\n\u25a0\u25a0
\nChapter 5, \u201cGetting started with web sign-on and Active Directory,\u201d provides a walk-through of how to create from scratch a web app that can sign in with Azure AD. Starting with the vanilla MVC templates, you learn about the NuGets packages you need to add, what app provisioning steps you need to follow in the Azure portal, and what code you need to write to perform key authentication tasks.
\n\u25a0\u25a0
\nChapter 6, \u201cOpenID Connect and Azure AD web sign-on,\u201d provides a very detailed description of OpenID Connect and related standards, grounded on network traces of the actual traffic generated by the sample app. This is a very practical way of understanding the underlying protocol and why it operates the way it does. The descriptions of the constellation of ancillary specifications for OpenID Connect and OAuth2 will help you to navigate this rather crowded space, even if you are not planning to use Azure AD at the moment.
\n\u25a0\u25a0
\nChapter 7, \u201cThe OWIN OpenID Connect middleware,\u201d is a detailed analysis of how the authentication pipeline in ASP.NET works\u2014with an emphasis on the OpenID Connect middleware, its extensibility points, and what scenarios these are meant to address.
\n\u25a0\u25a0
\nChapter 8, \u201cAzure Active Directory application model,\u201d is a deep dive into the Azure AD application model: how Azure AD represents apps and handles consent, and how it deals with app provisioning, multitenancy, app roles, groups, app permissions, and the like.
\n\u25a0\u25a0
\nChapter 9, \u201cConsuming and exposing a web API protected by Azure Active Directory,\u201d does for web APIs what Chapters 6 and 7 do for web apps\u2014it explains the protocol flows used by web apps for gaining access to a protected API and describes how to use ADAL and the OAuth2 middleware for securely invoking and protecting a web API. This chapter also briefly introduces the Directory Graph API and discusses advanced scenarios such as exposing and securing both the user experience and an API from the same web project<\/p>\n

.\u25a0\u25a0<\/p>\n

Chapter 10, \u201cActive Directory Federation Services in Windows Server 2016 Technical Preview 3,\u201d discusses the new modern authentication features in ADFS, showing how to adapt web sign-on, web API invocation, and code protection covered in the earlier chapters to on-premises-only scenarios.
\n\u25a0\u25a0
\nThe appendix, \u201cFurther reading,\u201d provides you with pointers to online content describing ancillary topics and offerings that are still too new to be fully fleshed out in the book but are interesting and relevant to the subject of modern authentication.<\/p>\n

Free chapters<\/h2>\n

As it is tradition for Microsoft Press titles, we put out two sample chapters that can be freely downloaded<\/a> or read online.<\/p>\n

I chose the chapter on the Azure AD app model<\/a> and the deep dive on the OpenId Connect middleware<\/a> \u2013 I thought those were the topics that could benefit the most from a deep, comprehensive coverage and that also happened to be mostly absent from our reference docs at the time.<\/p>\n

Japanese translation<\/h2>\n

\"image\"<\/a><\/p>\n

There\u2019s an excellent Japanese version of the book<\/a>, available here<\/a> \u2013 courtesy of the excellent translation efforts of mr. @<\/s>junichia<\/b><\/a> and mr. @<\/s>phr_eidentity<\/b><\/a>. I can\u2019t tell you how happy I was to get my hands on it, and how honored I am that they decided the text was worth their work \u2013 such a proud moment \"Smile\"<\/p>\n

What changed in a year<\/h2>\n

Despite my boundless love for paper books<\/a>, I have to acknowledge that they have shortcomings: for example, it\u2019s pretty hard to update them as their content slides in obsolescence \"Smile\" so, what changed since the book came out of the printers?<\/p>\n