Workplace Ninjas Oslo: Identity in Production Explained
Explaining to developers how to correctly implement identity in production is a topic that does not get enough attention. Most developers don’t really like to talk about security or identity. They see it as a nuisance: “I have to do this, but I don’t really like it”.
Luise and I feel differently about this topic. We enjoy talking about security in relation to developers, which is why we submitted our talk “Identity in prod: Live-debugging AADSTS errors & building secretless architectures that don’t break” to Workplace Ninja’s Norway.

Workplace Ninja's Norway
The abstract
Most sign-in outages are self-inflicted: wrong tenant, expired secrets, bad redirect URIs, missing consent, misapplied Conditional Access. We will debug the top AADSTS errors live and then redesign the apps to avoid them. You will see working patterns for secretless server-to-server calls with Managed Identity, secure CI/CD using workload identity federation from GitHub, reliable interactive auth using Authorization Code + PKCE, and robust API-to-API with On-Behalf-Of. We will use Entra sign-in logs, Kusto, MSAL logs, App Insights, and Azure CLI. You will leave with all new insights to use fewer secrets and a minimal repo you can clone to reproduce the demos.
The talk
We showed all the attendees in the room how to make an application more secure and resilient. Replacing client ID/secret with managed identities will solve a bunch of issues with your production app. Being on stage with Luise was a lot of fun, and we finished our talk almost on time 😉.

Luise and Stephan
Meeting others
I always seem to find the same security people at conferences like these. It was very nice to meet everybody (again) this year.

