Missing documentation/comments about AAD long-lived bearer token #52
Labels:
- documentation: Improvements or additions to documentation
- duplicate: This issue or pull request already exists
- question: Further information is requested
The comments in ConfigureService for production say that you should not "rely on a token generated by Azure AD".
Is that comment correct?
The tutorial says that the only valid option for non-gallery apps is to use a long-lived bearer token.
I can create a JWT access_token to my SCIM API with a 3-year expiry date, and paste that in the Secret Token field. But that is just a glorified 'shared secret' - how is that safer than using the /scim/token development endpoint?
If I leave 'secret token' blank, at least I can verify the issuer in the AAD generated token and know that I am called from the correct Tenant, instead of having a fixed token that could be compromised.
NB my question is similar to issues #35 and #37 and Rickard's post on SO. However, the fact remains that ConfigureService in SCIMReferenceCode only contains code on how not to do things.
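The issuer/tenant check the post describes, written as an added example for an ASP.NET Core SCIM endpoint; this is not code from SCIMReferenceCode or from the issue author. It assumes the standard Microsoft.AspNetCore.Authentication.JwtBearer handler, and `<tenant-id>` and `<scim-app-id-uri>` are placeholders for the tenant and the application ID URI the SCIM app is registered with.

```csharp
// Added example, not part of the SCIM reference code: configure JwtBearer
// authentication so the SCIM API only accepts tokens that were issued by one
// Azure AD tenant for this application, instead of comparing a fixed secret.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ScimAuthSetup
{
    // Placeholders (assumptions): the directory tenant and the audience value
    // that Azure AD puts into tokens minted for the SCIM application.
    private const string TenantId = "<tenant-id>";
    private const string ScimAudience = "<scim-app-id-uri>";

    public static IServiceCollection AddScimBearerAuth(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys are fetched from the tenant's OpenID Connect
                // metadata, so a token signed by any other key is rejected
                // before the claims are even looked at.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Bind the token to this tenant: both the v1 and v2
                    // issuer formats for the same tenant id are accepted.
                    ValidateIssuer = true,
                    ValidIssuers = new[]
                    {
                        $"https://login.microsoftonline.com/{TenantId}/v2.0",
                        $"https://sts.windows.net/{TenantId}/",
                    },

                    // Bind the token to this API, so a token obtained for
                    // some other resource in the same tenant is not reusable.
                    ValidateAudience = true,
                    ValidAudience = ScimAudience,

                    // Short-lived tokens plus lifetime checks replace the
                    // multi-year shared secret described in the issue.
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                    ValidateIssuerSigningKey = true,
                };
            });

        services.AddAuthorization();
        return services;
    }
}
```

Call `services.AddScimBearerAuth()` from ConfigureServices, add `app.UseAuthentication()` and `app.UseAuthorization()` to the pipeline, and mark the SCIM controllers with `[Authorize]`; a request whose bearer token fails the issuer, audience, lifetime or signature check is then rejected with 401 before it reaches any provisioning code.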