When building solutions against an Azure Active Directory protected API, you oftentimes will need to have the application run headless, unattended or non-interactive, for example as a service job or a console application. To solve this, people oftentimes use Application API authorization, which some endpoints support. But what about when you are working with an API that only supports Delegated authorization, such as the Yammer user_impersonation endpoint? Or when you need to ensure that requests are tied to the executing user? To solve that, we have the Device Code authorization flow.

The Device Code flow is an OAuth authorization flow that has the user authorize the requesting application from a different interface than the one the application is running on. The generated token is also infinitely renewable, allowing for daemon or service style scenarios. This method works for any Delegated endpoint protected by Azure AD; it is not specific to Yammer. You have likely already experienced the Device Code flow when setting up IoT devices. For example, when your TV asks you to put in a code to access Netflix, Hulu or your other services, that’s the Device Code flow. …

When talking to customers about OAuth and Identity, I oftentimes come across a few misconceptions around how standardized and consistent OAuth is, which have led to blind spots when reviewing potential security issues.

First things first: OAuth is a specification, not a standard. This means it is up to each individual implementation which parts of the specification are followed, and how they are followed. This has led to organic differences in how OAuth functions between different providers. …

Gaps in speed, precision, and privacy diminish the power of contact tracing against COVID-19. A holistic approach to filling these gaps can help contact tracing live up to its potential, enabling communities to safely reopen.

“You’ve had contact with someone who has tested positive for COVID-19.”

The information in these words will save lives for the foreseeable future. It will help protect employees, colleagues, customers, children, family, partners, and friends.

  • When shared with individuals, this information will allow them to self-manage. They’ll be able to adjust their behavior to mitigate risks to the health and safety of others.
  • When shared with organizations, this information will allow them to act. Decision makers will be able to allocate resources and enact safety protocols that help contain outbreaks.

Collecting and sharing this information is a process called contact tracing. It’s increasingly seen as one of the biggest hopes for safely reopening workplaces and communities. Officially speaking, contact tracing is the process of identifying where, when, and how a person has contracted an illness and whom they may have exposed. …


Maarten Sundman

I build things
