Developing Applications With Azure Active Directory Principles of Authentication and Authorization For Architects and Developers 1st Edition Manas Mayank PDF Download

The document is a comprehensive guide on developing applications using Azure Active Directory, focusing on authentication and authorization principles for architects and developers. It covers various topics including OAuth flows, user-based authentication, and multi-factor authentication, along with practical examples for different application types. The book is authored by Manas Mayank and Mohit Garg and is published by Apress.

Developing
Applications with
Azure Active Directory
Principles of Authentication and
Authorization for Architects
and Developers

Manas Mayank
Mohit Garg

Developing Applications with Azure Active Directory: Principles of
Authentication and Authorization for Architects and Developers
Manas Mayank, Hyderabad, India
Mohit Garg, Hyderabad, India

ISBN-13 (pbk): 978-1-4842-5039-6 ISBN-13 (electronic): 978-1-4842-5040-2


https://doi.org/10.1007/978-1-4842-5040-2

Copyright © 2019 by Manas Mayank and Mohit Garg


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole
or part of the material is concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical
way, and transmission or information storage and retrieval, electronic adaptation,
computer software, or by similar or dissimilar methodology now known or hereafter
developed.
Trademarked names, logos, and images may appear in this book. Rather than use a
trademark symbol with every occurrence of a trademarked name, logo, or image we use the
names, logos, and images only in an editorial fashion and to the benefit of the trademark
owner, with no intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms,
even if they are not identified as such, is not to be taken as an expression of opinion as to
whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the
date of publication, neither the authors nor the editors nor the publisher can accept any
legal responsibility for any errors or omissions that may be made. The publisher makes no
warranty, express or implied, with respect to the material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Smriti Srivastava
Development Editor: Siddhi Chavan
Coordinating Editor: Shrikant Vishwakarma
Cover designed by eStudioCalamar
Cover image designed by Freepik (www.freepik.com)
Distributed to the book trade worldwide by Springer Science+Business Media New York,
233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201)
348-4505, e-mail [email protected], or visit www.springeronline.com. Apress
Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business
Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail [email protected], or visit
http://www.apress.com/rights-permissions.
Apress titles may be purchased in bulk for academic, corporate, or promotional use.
eBook versions and licenses are also available for most titles. For more information,
reference our Print and eBook Bulk Sales web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is
available to readers on GitHub via the book’s product page, located at
www.apress.com/978-1-4842-5039-6. For more detailed information, please visit
http://www.apress.com/source-code.
Printed on acid-free paper

To my parents, Mrs. Ranjana Poddar and
Mr. B.B. Poddar. No words could do justice
to all that you have done.
To my sisters, Santwana Poddar and
Anima Poddar, you both are the best
that happened to me.
—Manas Mayank
This book is dedicated to my parents,
Pawan Kumar Garg and Saroj Garg.
Without their sacrifices, I wouldn’t have
accomplished whatever I have in my life.
I would also like to dedicate this to my wife,
Samiksha Gupta, who is always standing by
my side and supporting me during tough times.
—Mohit Garg

Table of Contents

About the Authors ...... xi
About the Technical Reviewer ...... xiii
Acknowledgments ...... xv
Introduction ...... xvii

Chapter 1: Introduction to Azure Active Directory ...... 1
  Authentication ...... 2
  Authorization ...... 3
  Azure Active Directory ...... 4
    Tokens ...... 5
    SPN ...... 10
    OAuth ...... 11
    OpenID Connect ...... 11
    Federated Identity ...... 11
    Single Sign-On ...... 12
    Pass-Through Authentication ...... 12
    Tenant ...... 12
    Multitenancy ...... 13
    Claims-Based Authentication ...... 13
    Azure AD B2B ...... 14
    Azure AD B2C ...... 15
  Summary ...... 16

Chapter 2: OAuth Flows and OpenID Connect ...... 17
  OAuth 2.0 ...... 18
  OAuth 2.0 Grant Types ...... 21
    Authorization Code Grant ...... 22
    Implicit Grant ...... 30
    Resource Owner Password Credentials Grant ...... 35
    Client Credentials ...... 38
  OpenID Connect ...... 42
    OpenID Connect Metadata Document ...... 42
    Authentication Flow Using OpenID Connect ...... 43
  Tokens ...... 44
    Validating Tokens ...... 46
  Summary ...... 46

Chapter 3: User-Based Authentication for Web Apps ...... 47
  Single-Page Application ...... 48
    Running the Application ...... 50
    Creating a Single-Page Application ...... 52
    Running the Application ...... 60
  Web App/Web API Authentication ...... 62
    Running the Application ...... 64
    Creating a Web App ...... 66
    Creating a Web API ...... 78
  Web App: HTTP Triggered Azure Function Authentication ...... 84
    Running the Application ...... 86
    Creating a Web App ...... 88
    Creating an HTTP Triggered Azure Function ...... 88
  Web App/Web API/Web API 2 (On-Behalf-Of) ...... 94
    Running the Application ...... 96
    Creating a Web App and a Web API 2 ...... 99
    Creating a Web API ...... 99
  Multi-Factor Authentication ...... 104
    The Need for Multi-Factor Authentication ...... 104
    Configuring Multi-Factor Authentication for Azure AD ...... 105
  Summary ...... 108

Chapter 4: User-Based Authentication for Native Applications ...... 109
  Authentication Using Code Grant Flow ...... 110
  Windows Console Application ...... 112
    Running the Application ...... 112
    Web API ...... 113
    Console App ...... 114
    Creating a Console App ...... 115
    Creating a Web API ...... 117
  Windows Presentation Foundation (WPF) ...... 123
    Running the Application ...... 124
    Web API ...... 124
    WPF App ...... 125
    Creating a WPF App ...... 126
    Creating a Web API ...... 128
  Universal Windows Platform (UWP) ...... 131
    Running the Application ...... 132
    HTTP Triggered Azure Function Endpoint ...... 133
    UWP App ...... 134
    Creating a UWP App ...... 135
    Creating an HTTP Triggered Azure Function ...... 137
  Android Application ...... 143
    Running the Application ...... 144
    HTTP Triggered Azure Function Endpoint ...... 144
    Android App ...... 145
    Creating an Android App ...... 146
    Creating an HTTP Triggered Azure Function ...... 148
  Summary ...... 151

Chapter 5: Daemon Application Authentication ...... 153
  Client Credential Authentication Flow ...... 153
    Running Your Application ...... 155
    Web API ...... 155
    Console App ...... 156
    Creating a Console App ...... 157
    Creating a Web API ...... 159
  Client Credential Authentication Flow Using a Certificate ...... 164
    Running Your Application ...... 166
    Web API ...... 167
    Console App ...... 168
    Creating a Console App ...... 169
    Creating a Web API ...... 172
  Summary ...... 173

Chapter 6: Active Directory Custom Data Extensions ...... 175
  Custom Data Extensions ...... 175
    Microsoft Graph with Azure AD ...... 176
  Running Your Application ...... 180
    Registering Your Application ...... 180
    Creating a Console Application ...... 181
    Calling Microsoft Graph to Extend the Resource Instance ...... 182
  Open Extensions ...... 183
    Create ...... 183
    Read ...... 184
    Update ...... 185
    Delete ...... 186
  Schema Extensions ...... 187
    Adding a Schema ...... 188
    Add-Update Schema Extension Value ...... 190
    Read Schema Extension Value ...... 192
    Remove Schema Extension Value ...... 193
  Summary ...... 194

Chapter 7: Authenticating External Users ...... 195
  Azure Active Directory B2B ...... 196
  Configuring Azure AD for B2B Collaboration ...... 197
  Setting up Our Solution ...... 198
    Configuring to Support a Guest Inviter ...... 201
    Adding a Partner User as a Guest Inviter ...... 204
    Adding Google as an Identity Provider ...... 209
    Sending an Invitation to the End User ...... 213
  Configuring Code ...... 215
  Summary ...... 218

Chapter 8: Multitenancy ...... 219
  Multitenancy Models ...... 220
  Setting up Our Solution ...... 222
    Configuring a User from Another AAD Tenant ...... 223
    Configuring an Application to Support Multitenancy ...... 224
    Configuring the Applications ...... 227
    Restricting the Azure AD Tenants ...... 235
  Multitenancy in an Application ...... 236
  Summary ...... 245

Chapter 9: Introduction to Authorization ...... 247
  Setting up a Solution ...... 248
  Policy-Based Authorization ...... 249
  Role-Based Authorization ...... 252
  Security Groups ...... 255
  Claims-Based Authorization ...... 258
    Customizing Azure AD Claims ...... 261
  Resource-based Authorization ...... 266
  Summary ...... 275

Index ...... 277
About the Authors
Manas Mayank is currently working as a senior consultant with Microsoft. He has 13 years of experience in designing and developing software systems. An avid learner, he loves knowing the hows and whys of a software’s design. He also likes to explore the latest technologies. Manas specializes in end-to-end delivery of cloud-based applications. More of a software purist, Manas is a proponent of designing clean, simple, and efficient architecture. Performance optimization is one of his fortes. He holds a master’s degree in information technology from IIIT-Bangalore. Outside of work, he is a sports enthusiast. Find him at www.linkedin.com/in/manas-mayank-b966505.

Mohit Garg is currently working as a software engineer at Microsoft. He has more than eight years of experience in Azure technologies, including .NET Core, Azure AD, Azure Data Factory, WebJobs, Functions, Azure Storage, Azure SQL, Azure Cosmos DB, and Service Fabric. He is a Microsoft Certified Azure Developer, and he loves exploring the latest technologies. You can reach Mohit Garg at [email protected] or www.linkedin.com/in/mohit-garg-36880022.
About the Technical Reviewer
Vidya Vrat Agarwal is a software architect, author, blogger, Microsoft MVP, C# Corner MVP, speaker, and mentor. He is a TOGAF certified architect and a Certified Scrum Master (CSM). He is currently working as a principal architect at T-Mobile Inc. USA. He started working on Microsoft .NET with its first beta release. Vidya is passionate about people, process, and technology and loves to contribute to the .NET community. He lives in Redmond, WA, with his wife, Rupali, two daughters, Pearly and Arshika, and puppy Angel. He blogs at www.MyPassionFor.Net and can be reached at [email protected] or on Twitter @dotnetauthor.
Acknowledgments
I have to start by thanking my awesome wife, Samiksha Gupta. From the first day of writing this book till the last day, she has supported me very well. She was as important in getting this book done as I was. Thank you so much, dear.
I would like to thank Mr. Shrenik Jhaveri, Ranjiv Sharma, and Krishna Chaitanya Telikicherla for guiding me to learn Azure technologies and Azure AD. They believed in me and constantly guided me to learn. Without their support, this book may not have been possible.
I would also like to thank my elder sister Priyanka Garg, my brother-in-law Satya Kejriwal, my younger brother Sahil Garg, and my best friends, Deep lal Sharma, Chandra Pratap Singh, Shanshu Garg, and Lucky Garg, who trusted me and encouraged me to work hard.
I would also like to thank all the managers at Microsoft—Ashwani Sharma, Manish Sangha, Anil Emmadi, Naveen Konduri, and Pramod Walvekar—for always encouraging me to learn new technologies and to work hard. You all helped me give a better shape to my career.
I would also like to thank my colleagues at Microsoft: Apoorv Gupta, Jebarson Jebamony, Piyush Jain, Prasad Ganganagunta, Rishabh Verma, Sachin Gupta, Kuldeep Singh, Kshitij, and Chaitanya Cheruvu. I have learned a lot from each and every one of you. Special thanks to Manas Mayank and Rahul Sawhney for motivating me to write this book.
I would also like to thank my teachers at Chitkara University for helping me to explore my potential. Thank you very much.
Thanks to the team at Apress, Smriti Srivastava and Shrikant Vishwakarma, for giving us the opportunity to write this book. Thanks to Vidya Vrat and Siddhi Chavan for doing the technical review.
—Mohit Garg

I would like to start by thanking members of my family: Bhagwan Kumar and Sanjay Poddar. Special mention of the kids: Shambhavi Poddar, Akshaj Poddar, Arush Poddar. Keep smiling.
Rahul Sawhney and Mohit Garg: if it were not for you, this book would not have been possible.
Thanks to my besties for being there: Dineshwar Singh, Vineet Anshuman, Amrita Dev, and Yogesh Sharma.
To the best people I had the opportunity to learn from: Sumeet Deshpande, Gaurav Joshi, Subhavya Sharma, Apoorv Gupta, Manojkumar Damodaran Nambisan, and Vagmi Mudumbai. Thank you.
I would like to extend my thanks to my managers and colleagues for their support: Abhishek Ghosh, Akash Sarabhai, Jebarson Jebamony, Rishabh Verma, and Raviteja Jarugu.
Thanks to the faculty of my alma mater, IIIT – Bengaluru (Bangalore).
Thanks to the Apress team for helping shape this book: Smriti Srivastava and Shrikant Vishwakarma. Thanks to Siddhi Chavan and Vidya Vrat for your feedback.
—Manas Mayank
Introduction
Any enterprise application worth its salt will have some kind of authentication built into it. Azure Active Directory is one of the top cloud-based identity providers on the market, and it goes beyond being a traditional identity provider. Developers and architects are traditionally aware of basic authentication mechanisms, like username and password, certificate-based authentication, and so forth. This tends to influence decision-making when choosing the most appropriate authentication mechanisms for their cloud-based applications. The Internet is full of subject matter, further compounding the understanding needed for designing authentication.
This book concentrates on concepts, using simple examples in its quest to bridge the distance between developers and IT infrastructure, helping you to make the right design decisions. It is a one-stop source for getting around the most relevant concepts pertaining to Azure Active Directory.
CHAPTER 1

Introduction to Azure Active Directory
The need for centralized management of users and devices over networks led to the advent of directory services. The users and devices that need to be authenticated over a network are referred to as resources. Directory services act as a single point that provides information about all the resources on a network.
As most of you are aware, Microsoft’s implementation of on-premises directory services is called Active Directory. In this book, we will use the abbreviation AD to refer to Active Directory in general.
With the surge of solutions based on cloud-based services, there was a need for directory services that are accessible over the cloud and that are not limited to an organization’s network. Microsoft’s offering for identity and access management over the cloud is called Azure Active Directory (AAD). The terms Azure AD and AAD are used interchangeably for Azure Active Directory. Azure AD provides a ready-made solution to handle authentication for your cloud-based applications or mobile apps.
This book talks about how to develop applications using Azure Active Directory. In this chapter, we introduce Azure Active Directory and some key terms related to it. This will help you understand the concepts necessary for developing an application.

© Manas Mayank and Mohit Garg 2019
M. Mayank and M. Garg, Developing Applications with Azure Active Directory,
https://doi.org/10.1007/978-1-4842-5040-2_1
Chapter 1 Introduction to Azure Active Directory

To summarize, we will define the following concepts:

• Authentication
• Authorization
• Azure Active Directory
• Tokens
• SPN
• OAuth
• OpenID Connect
• Federated identity
• Single sign-on
• Pass-through authentication
• Tenants
• Multitenancy
• Claims-based authentication
• Azure AD B2B
• Azure AD B2C

Authentication
Authentication is the process of establishing a user’s identity. It can be divided into two phases.

• Identification. During identification, the identity of the user is established using a username, email ID, mobile number, and so forth. This information is then checked to make sure that the user is valid.

• Validation. As part of the authentication process, the user provides credentials to prove that identity. These credentials could be a username/password, a certificate, biometric information, a one-time password, and so forth.

Authentication can be divided into three categories based on the


security level.

• Single-factor authentication. This is the traditional or


simplest form of authentication, in which users enter
their credentials. If the credentials are correct, then the
user is authenticated to use the application.

• Two-factor authentication. This is a more secure way


of authentication in which user credentials and another
factor are needed for authentication. This could be a
mobile one-time password (OTP), a security question, and
so forth. User credentials with an additional factor make it
nearly impossible for hackers to hack your credentials.

• Multi-factor authentication. This is the most secure and advanced way
of authentication. In addition to your credentials, two or more
additional factors are involved. None of the factors should have any
relationship between them; they should be independent.

Authorization
Authorization is a process for verifying access permissions or privileges,
and determining the access level that the logged-in identity has access to.
Generally, authorization is the second step after authentication.
After the identity is established, a process fetches the roles/permissions/
privileges related to the established identity and the required content is
shown based on the user permissions. In short, authentication is the
process of identifying who you are, whereas authorization is the process of
determining what actions you can perform.
Authorization can be divided into two categories based on the way that
permissions are given to the identity.

• Allow authorization. The identity has access to only those permissions
that are listed; it does not have access if permission is not provided.
This means that the permissions that the identity has access to are
white listed, and the remaining permissions are automatically denied.

• Deny authorization. The identity has access to all permissions except
the ones that are explicitly denied. This means that the permissions the
user doesn't have access to are black listed, and the rest of the
permissions are automatically allowed.

Azure Active Directory
Authentication is one of the important components in developing any
enterprise application. Simple authentication for an application is
rudimentary to implement. We can use a simple username and password
combination stored in a database. But implementing enterprise-level
authentication without using any identity provider can be very complex.
You need to manage users, passwords, expiration policies, password policy
management, and access management at the very least.
Things become more complicated if you use advanced concepts
required for authentication, such as multi-factor authentication,
one-time passwords, biometrics, and so forth. Developing these involves
huge development and infrastructure costs. Moreover, maintenance and
support costs are also very high. This is where established solutions like
Azure AD are most effective. Before delving deeper into Azure AD, let's
discuss some key terms related to Azure Active Directory.

Tokens
An online dictionary meaning of a token is “a tangible representation of a
fact.” In the context of authentication, a token represents facts about the
identity of a user or a resource. The set of facts is provided by directory
services, which for us is Azure AD.
Tokens are used for exchanging identity information; they are signed to
make them secure. They are signed using private keys and can be validated by
using public keys. Tokens are valid for only a specific period to avoid misuse.
Tokens can be represented in various industry-wide formats. JSON
Web Token (JWT) and Security Assertion Markup Language (SAML) are the
most commonly used formats for tokens. As soon as user authentication is
successful, the identity provider gives a token in response, which is valid for
a specific time and signed using private keys. That token can be exchanged
with other trusted systems to get access for a specific time.
A JWT token is most commonly used for integration with Azure Active
Directory. As obvious by its name, a JWT token represents the user in JSON
(JavaScript Object Notation) format. Here is a sample JWT token:

"eyJ0eXAiOiJKV1QiLCJhbGciOiJ………………………..71846CA77+9G++/
vUjvv71q77+977+9xrMoDQo="

You must be wondering why this token is a plain string and not in JSON
format. It is because each part of the token is Base64url encoded (the
URL-safe form of Base64). The token consists of three parts separated
by "."; decoding each part with Base64url reveals the actual JSON. The
following is a brief overview of the various fields within a token. We
touch on these fields over the course of the book.


• Headers. Information about the type of token and the algorithm used to
sign the token.

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0",
  "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0"
}

• typ: Type of token.

• alg: Signing algorithm; here RS256 (RSA signature with SHA-256).

• x5t: Thumbprint of the public key used to sign the token.

• kid: Like x5t. No longer part of Azure AD 2.0.

• Payload. Actual JWT token body.

{
  "aud": "https://your-resource",
  "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
  "iat": 1548737381,
  "nbf": 1548737381,
  "exp": 1548741279,
  "acr": "1",
  "aio": "AVQAq/8KAAAA+sqxpQ0JBRhDY9/dmeELZJlGFvbDbfdGFB7DnFbhx5tgXdEAOxCtjF8kbYceM1COSkKIfBSNozYM7avIzYz0VaN/OFG22kCroWvC/il4QcU=",
  "amr": [
    "wia",
    "mfa"
  ],
  "appid": "5c6035f3-e94f-4ed3-821c-40870f6cf1f3",
  "appidacr": "2",
  "family_name": "Scott",
  "given_name": "James",
  "in_corp": "true",
  "ipaddr": "167.220.238.5",
  "name": "Mohit Garg",
  "oid": "dc5e633a-7058-474c-8f1c-435538e7d290",
  "onprem_sid": "S-1-5-21-2146773085-903363285-719344707-2044714",
  "scp": "Employees.Read.All user_impersonation",
  "sub": "caF45MyAn57WqX5Omoeh9epNQ6lFKp5_xdVkj0ReGIs",
  "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47",
  "unique_name": "*****@microsoft.com",
  "upn": "*****@microsoft.com",
  "uti": "ktKZuwI7pkSYiAtHyiIHAA",
  "ver": "1.0"
}

• aud. Contains the audience for which the token has been generated. It
is a unique ID assigned to your application in Azure Active Directory,
a.k.a. the application ID.

• iss. Identifies the issuer of the token. It's a security token service
URL appended by the tenant ID. The tenant ID is a unique identifier
to identify an instance of AAD.

• iat. Stands for issued at and means the time at which the token is
issued. It's a UNIX timestamp.

• nbf. Stands for not before and means the token should not be accepted
before this time. It is a UNIX timestamp.

• exp. Stands for expiration time and means the UNIX timestamp after
which the token is not valid.

• acr. Stands for authentication context class, to validate if the end
user authentication meets the requirement of the ISO/IEC 29115
standard. A 1 means it meets and 0 means it doesn't.

• aio. Internal to Azure AD to verify if the token can be reused or not.
An end user should not use this claim.

• amr. A JSON array of claims that contains information about how the
subject of the token was authenticated.

• appid. Stands for application ID. It contains the ID of the application
that has sent the request for generation of the token.

• appidacr. Indicates the mechanism used for authentication. We will
discuss this in later chapters.

• family_name. Provides the last name of the user identity.

• given_name. Provides the first name of the user identity.

• in_corp. A boolean claim that specifies if the request is from a
corporate network or not.

• ipaddr. Stands for IP address. It provides the Internet Protocol
address of the user.

• name. Provides the name of the user, which is used for display
purposes, and it is mutable.

• oid. Stands for object identifier. It is a unique identifier for an
object in Azure Active Directory. It is in the form of a GUID. It can be
used as a unique key in a database to identify the user.

• onprem_sid. If on-premises authentication is used, then the claim has
this identifier. It is used for legacy applications. SID is outside the
scope of this book. For more information, please refer to
https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/sid-components.

• scp. Stands for scopes and means the set of scopes exposed by the
application that the requesting user or client has access to. Scopes
are returned in a space-separated string.

• sub. Stands for subject. It's a unique string for the combination of a
user and an application. It is immutable and can be used as a unique key
in a database for authorization purposes. It is different from the
object identifier, which is unique for each user.

• tid. Stands for tenant ID. This is discussed later in this chapter.

• unique_name. Present only in Azure AD v1. Despite its name, the value
is not guaranteed to be unique. It is a human-readable value that
identifies the subject; it should be used only for display purposes.

• upn. Stands for user principal name. This is discussed later in this
chapter.

• uti. An internal claim used by Azure AD to revalidate a token. An end
user should not use this claim.

• ver. Stands for version. Indicates the version of the access token. It
can be either 1.0 or 2.0.

• Signature. Signed token content for validating the authenticity using a
public key. A token issued by Azure AD is signed with an asymmetric
encryption algorithm, as shown in Figure 1-1.

Figure 1-1. Encrypted token

Note A token is not in human-readable format, because it is the raw
material required for validation of the token.
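As an added example (not code from the book), the following Python builds a constructed token from the header and payload values shown above, splits it into its three Base64url segments, and checks the aud, iss, tid, nbf and exp claims the way a resource should before trusting a token. The signature segment is a placeholder: in practice the signature must be verified with the issuer's public key (identified by kid or x5t) before any claim is trusted.

```python
import base64
import json
import time

# Constructed sample values, taken from the payload shown on the page. The signature is
# a placeholder: this example inspects and checks claims, it does not verify signatures.
TENANT_ID = "72f988bf-86f1-41af-91ab-2d7cd011db47"
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "-sxMJMLCIDWMTPvZyJ6tx-CDxw0"}
SAMPLE_PAYLOAD = {
    "aud": "https://your-resource",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "iat": 1548737381, "nbf": 1548737381, "exp": 1548741279,
    "tid": TENANT_ID, "oid": "dc5e633a-7058-474c-8f1c-435538e7d290",
    "scp": "Employees.Read.All user_impersonation", "ver": "1.0",
}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as used for every JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment lacks, then decode it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token() -> str:
    """Build the constructed sample token as header.payload.signature."""
    return ".".join([
        b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def split_jwt(token: str):
    """Split a compact JWT into (header, payload, signature_bytes)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three '.'-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def check_claims(payload: dict, expected_aud: str, tenant_id: str, now: int, skew: int = 0) -> list:
    """Return the names of the audience/issuer/time claims that fail; an empty list means all pass.
    Only meaningful after the signature has been verified with the key named by kid/x5t."""
    failures = []
    if payload.get("aud") != expected_aud:
        failures.append("aud")  # token was issued for a different resource
    if payload.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        failures.append("iss")  # token comes from a different issuer or tenant
    if payload.get("tid") != tenant_id:
        failures.append("tid")
    if now + skew < payload.get("nbf", 0):
        failures.append("nbf")  # not yet valid
    if now - skew >= payload.get("exp", 0):
        failures.append("exp")  # expired
    return failures


def scopes_of(payload: dict) -> set:
    """scp is a space-separated string; return it as a set for authorization checks."""
    return set(payload.get("scp", "").split())


if __name__ == "__main__":
    header, payload, _ = split_jwt(make_sample_token())
    print(header["alg"], check_claims(payload, "https://your-resource", TENANT_ID, int(time.time())))
```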

SPN
SPN stands for service principal name. To access any resource that is
secured by Azure Active Directory, you need a security principal. A
security principal defines the permissions and access policies, which
in turn help to enable Azure AD core features like authentication and
authorization. The security principal defined for an application is known
as a service principal. The SPN is required to access resources secured by
Azure AD. Accessing resources secured by Azure AD using an application
service principal is explained later in this book.

OAuth
OAuth stands for open authorization. It's an open standard for token-based
based authentication and authorization. It allows you to authorize
third-party applications by sharing a token containing logged-in user
information instead of the actual username and password. It was first
released in December 2007 as OAuth Core 1.0.
The second version of the OAuth standard (OAuth 2.0) was released
five years later. It is not backward compatible with OAuth 1.0. OAuth 2.0
has new authorization flows for web applications, mobile applications,
desktop applications, and smart devices.
Please refer to https://oauth.net/2/ to read more about OAuth and
OAuth 2.0.

OpenID Connect
OpenID Connect, also known as OIDC, is built on top of the OAuth 2.0
protocol. It defines standards for authentication based on JSON and HTTP
protocols. It helps verify the identity of the logged-in user compared to the
authorization it has over resources. It can provide basic information about
the logged-in user using the REST API.
OIDC allows different types of clients, including web clients, mobile
clients, and JavaScript clients to perform authentication and to request and
receive information about logged-in users and authenticated sessions.
Please refer to https://openid.net/connect/ to learn more about
OpenID Connect.

Federated Identity
Consider a scenario where a single user might need to authenticate in
multiple organizations. Each of these organizations has different identity
providers. A user's credentials are stored in its parent identity management
system. Other identity providers can trust the parent identity management
system and allow the user to be validated in multiple organizations. A
federation refers to the protocols used to achieve this scenario. The user
identity provided by such a system is called a federated identity.

Single Sign-On
Single sign-on, or SSO, allows users to use one set of credentials to log
in to multiple applications. After authenticating, users do not need to
reauthenticate for other applications. This streamlines user experiences
and gives administrators better control over user identities. Protocols like
OAuth and OpenID Connect can work on applications in various platforms
to provide a seamless single sign-on experience.

Pass-Through Authentication
Pass-through authentication allows users to authenticate against an
on-prem Active Directory using AAD. Azure AD doesn't save the username
and password. Whenever a user tries to sign in, Azure AD forwards
the request to an on-prem Active Directory so that the user can be
authenticated.

Tenant
In layman’s terms, tenant means a person who possesses a property or
land from a landlord. Similarly, in the world of identity management, a
tenant is a representation of an organization in the identity management
system. Multiple organizations can register and create their own tenant in
Azure Active Directory. A tenant can have multiple users from the same
organization.

Multitenancy
Multitenancy refers to a single application consumed by users from
different organizations. One tenant develops the application and can invite
other tenants to use the same application. Multitenancy is a huge topic
that is discussed in a chapter later in this book.

Claims-Based Authentication
Claims are a set of information that describes a given resource’s identity.
It’s a set of key/value pairs related to the logged-in identity (user or app),
for example, the user’s principal name, email address, groups, first name,
last name, and so forth.
In the context of Azure Active Directory, applications get claims after
successful authentication using OAuth 2.0 and OpenID Connect. In web
applications, claims are stored in a cookie in a secured manner to perform
claims-based authentication for further requests.
Microsoft released claims-based authentication with .NET Framework
3.0. The basic authentication flow shown in Figure 1-2 is for claims-based
authentication using Azure Active Directory.

1. The user makes a request to the web application.

2. The user is redirected to the Azure AD login page.

3. After successful authentication, Azure AD redirects the user with a
token that has user-related claims.

4. The claims are stored in a cookie in a secure fashion.

5. The web application does the authentication using claims and returns
the response if the claims are valid.

[Figure 1-2 is a sequence diagram with participants Web App and Azure
Active Directory and these messages in order: Request; Redirection to
login; Response with token containing claims; Request; Authentication
using claims; Response.]

Figure 1-2. Basic authentication flow

Azure AD B2B
B2B refers to business to business. If you need to securely share your
company’s applications and services with other companies or guest users,
you can use Azure AD B2B. You have full control over your organization’s
data. You can invite users from another organization, also using Azure
AD. Organizations not using Azure Active Directory can be added as a
guest user in the tenant. Partner users use their own identity management
solution. There is no need for any additional overhead from your
organization to maintain partner users.


Invited users are able to use their own credentials to log in to your
application and services. You can customize your solution for inviting
users by using Azure AD B2B invite APIs.
The following are the advantages of using Azure AD B2B collaboration.
• You can invite any user with a valid email address. It is
not mandatory to be an Azure AD user.

• There is no need to manage external user accounts or their identity
providers.

• After the invitation, there is no need to sync accounts or manage
policies.

• External AD users are able to use the same credentials. There is no
need to manage different credentials for different applications.

• If an invited user doesn't have any associated AD or live account, an
account will be created for them after accepting the invitation.

Developing applications using the Azure Active Directory business-to-
business collaboration is explained later.

Azure AD B2C
B2C stands for business-to-customer collaboration. If you need to create
a customer-facing application, you should use Azure AD B2C. Azure B2C
is based on similar components as AAD, but its core purpose is to provide
identity management for an organization’s customers. Users of Azure AD
B2C are able to log in with an existing identity (from external providers
like Facebook, Twitter, Google, Outlook, LinkedIn, etc.). There is no need
for a separate Azure AD user account; the same identity (username and
password) can be used to log in.


Summary
Various Azure services can integrate with Azure AD and use it as an
identity provider. Azure AD is used as an identity provider by Microsoft
SaaS services like Office 365. It can also be integrated with third-party SaaS
solutions like Salesforce. In addition to SaaS solutions, Azure AD can be
used with Azure VMs and various Azure PaaS services. Furthermore, Azure
AD can be synchronized with on-premises Active Directory.
This chapter focused on introducing readers to the fundamentals
of authentication and Azure AD in a simple language. We started
by introducing the meaning of authentication and authorization
to understand the purpose of Azure Active Directory and related
technologies, such as Azure AD B2B and Azure AD B2C. We also touched
on various standards, such as OAuth, OpenID, and OpenID Connect. Before
getting deeper into any technology, you should understand its various
standards and protocols.
We shall continue our journey by learning more about OAuth
standards in the next chapter.

CHAPTER 2

OAuth Flows and OpenID Connect
In Chapter 1, we defined key terms related to Azure Active Directory.
Before getting into the practical details of any technology, you must
understand the standards that the technology is based upon. In this
chapter, we will cover the following topics.

• OAuth 2.0

• OAuth 2.0 Grant Types


• Authorization code
• Implicit
• Resource owner password credentials
• Client credentials

• OpenID Connect

• OpenID Connect metadata documents

• Authentication flows using OpenID Connect

• Tokens

• Validating tokens

To integrate applications with Azure AD, you must first understand the
OAuth and OpenID Connect standards.
© Manas Mayank and Mohit Garg 2019
M. Mayank and M. Garg, Developing Applications with Azure Active Directory,
https://doi.org/10.1007/978-1-4842-5040-2_2
Chapter 2 OAuth Flows and OpenID Connect

OAuth 2.0
OAuth 2.0 standards are not backward compatible with OAuth 1.0. The
differences between the two are beyond the scope of this book. We will
concentrate on the latest OAuth 2.0 standards.
To understand the need for OAuth, let’s consider a real-world scenario.
Assume that you work for an organization that provides authorized access
to employees over secured areas. Employees swipe smart cards provided
by the organization’s security team to gain access to secured physical
spaces. When a visitor comes to see an employee, the visitor provides her
information, and the employee provides her credentials (along with the
employee’s smart card) to the representative of the security team. Security
personnel then issue a temporary visiting identity card to the visitor,
allowing her to enter the physical premises for a limited period. This real-
world scenario is roughly represented by the sequence diagram shown in
Figure 2-1.

[Figure 2-1 is a sequence diagram with participants Visitor, Employee,
Security Department and Organization Premises and these messages in
order: Request to Visit; Employee's Credentials; Employee's Credentials
and Visitor's Details; Temporary Identity Card; Temporary Identity Card;
Employee's Workspace Access.]

Figure 2-1. Visitor access scenario


If a third party (the client) needs to access a user's (the resource
owner's) resources from the server hosting those resources (a resource
server), it gets a separate set of credentials (a token) from another
server (an authorization server) that is trusted by the resource server.
OAuth was designed to allow access to user resources by using a separate
set of credentials instead of the user's own credentials. Older systems
needed users to provide their credentials (for example, username and
password) explicitly to the third party trying to access the user's
resources. The OAuth protocol evolved to address the following concerns
with earlier standards.

• Earlier standards of storing the username/password with a third party
gave the third party unlimited access to the user's resources.

• Revoking access equated to changing the password.

• The password would be stored in multiple places, which is a risk from a
security perspective.

The sequence diagram shown in Figure 2-2 depicts the OAuth flow.

[Figure 2-2 is a sequence diagram with participants Resource Owner,
Client, Authorization Server and Resource Server and these messages in
order: (Step 1) Authorization Request; (Step 2) Authorization Grant;
(Step 3) Authorization Grant; (Step 4) Access Token; (Step 5) Access
Token; (Step 6) Protected Resource.]

Figure 2-2. OAuth flow


As depicted in Figure 2-2, the following are the actors or roles in the
OAuth flow.

• Client. An application trying to access a user's resources on behalf of
the user. It does so by using tokens. We discuss tokens in a subsequent
section.

• Resource owner. The user or application that is the owner of a
resource. The resource is stored on the resource server.

• Authorization server. After authenticating the resource owner, provides
the token to the client for accessing the resource.

• Resource server. The server that hosts a resource owned by the resource
owner.

If we map our real-world visitor scenario, the sequence diagrams could be
merged, as shown in Figure 2-3.

[Figure 2-3 is a sequence diagram with participants Resource Owner
(Employee), Client (Visitor), Authorization Server (Security Department)
and Resource Server (Organization Premises) and these messages in order:
Authorization Request (Request to Visit); Authorization Grant (Employee's
Credentials); Authorization Grant (Employee's Credentials and visitor's
details); Access Token (Temporary Identity Card); Access Token (Temporary
Identity Card); Protected Resource (Employee's workspace).]

Figure 2-3. Merged sequence diagram


We will use the basic OAuth flow sequence diagram (see Figure 2-2) as
a reference for explaining each of the steps.

OAuth 2.0 Grant Types
The client accesses the resource owner's resources by using an access
token. For the client to get this access token, it must receive authorization
from the resource owner. These credentials, which represent the resource
owner’s authorization, are called an authorization grant. An authorization
grant defines how an application gets an access token. It is used in steps 2
and 3 of the basic OAuth flow, as highlighted in Figure 2-4.

[Figure 2-4 is the sequence diagram of Figure 2-2 with participants
Resource Owner, Client, Authorization Server and Resource Server and
these messages in order: (Step 1) Authorization Request; (Step 2)
Authorization Grant; (Step 3) Authorization Grant; (Step 4) Access Token;
(Step 5) Access Token; (Step 6) Protected Resource. Steps 2 and 3 are
highlighted.]

Figure 2-4. Basic OAuth flow

The OAuth specification defines four different authorization grant types,
or four different ways of getting access tokens. These types define the
process used to get an access token.

• Authorization code

• Implicit


• Resource owner password credentials

• Client credentials

We discuss each of these grant types in this chapter. This chapter also
introduces OAuth 2.0 standards. Azure AD–specific details are covered in
subsequent chapters.

Authorization Code Grant
An authorization code grant is one of the most common grant flows used.
It deals with scenarios where the client application is deployed on a web
server and the actual code is not exposed publicly.
The following criteria can be used as general preconditions for
choosing an authorization code grant.

• The client application is a web app served from a web server.

• The client application can interact with the resource owner agent,
generally a web browser.

• The client application can securely save the client ID and client
secret, without publicly exposing them. We talk about client IDs and
client secrets in later sections.

• The client application can react to the resource owner's actions.

• The client application is capable of receiving requests from the
authorization server, generally via redirection.

The diagram shown in Figure 2-5 details the process of an authorization
code flow. The following are the actors in the authorization code flow
(the corresponding actors from the previous section are in parentheses).


[Figure 2-5 is a sequence diagram with participants User, Native App,
OAuth 2 Authorization Endpoint, OAuth 2 Token Endpoint and Web API and
these messages in order: Start the application; Request for login; Login
pop-up; Enter credentials in login pop-up; Returns the authorization
code; Request bearer access token by providing authorization code for
Web API; Return access token and refresh token; Call Web API by adding
access token in authorization header; Validate access token; Return the
data to the native app; On access token expiration, request new access
token using refresh token; Return new access token and refresh token;
Call Web API by adding new access token in authorization header.]

Figure 2-5. Process for authorization code flow

• User (resource owner). The owner of the resource. The user interacts
with the client application via a user agent (browser).

• Client application (client). This is a web application trying to access
a secured resource. The client application can also be a native app.

• OAuth 2 Authorization endpoint/Token endpoint (authorization server).
Different authorization server endpoints used to get different kinds of
tokens.

• Web API (resource server). API providing the resource owned by the
resource owner.


The following are the steps for an authorization code grant.

1. The user tries to access and log in through the client application
URL.

2. The client application redirects the unauthenticated user to the
authorization endpoint of the authorization server. The client
constructs a request URI in the following format.

https://aad-tenant/authorize?
response_type=code
&client_id=client123
&redirect_uri=https%3A%2F%2Fclient-application%2Fcallback
&scope=read+write
&state=abc

Table 2-1 describes the significance of each of the parameters.

Table 2-1. Parameter Descriptions

1. response_type (Required). Should be set to "code" for code grant flow.

2. client_id (Required). The client application must be registered with
the authorization server to access secured resources. The client_id is a
unique ID, provided by the authorization server, by which the
authorization server uniquely identifies the client application. We
discuss the process of registration on Azure AD in Chapter 3.

3. redirect_uri (Optional). After authenticating the resource owner, the
authorization server redirects the browser to this URI.

4. scope (Optional). Scope is a list of case-sensitive strings delimited
by space. It defines the permissions requested by the client. Possible
values for the scope are predefined on the authorization server.

5. state (Recommended). A random string included by the client in the
request. The authorization server includes this string when redirecting
the user agent to the client application. The client validates that the
string is the same as in the request. It is used to avoid cross-site
request forgery (CSRF).

3. The authorization server redirects the user to log in and prompts the
user to authenticate.

4. The user enters his credentials for authentication.

5. Assuming that user authentication is successful, the authorization
server redirects the user agent to the URI specified in the redirect_uri
parameter in step 3. The response format is as follows.

https://client-application/callback?
code=xyz123
&state=abc


Table 2-2 describes the significance of each of the parameters.

Table 2-2. Parameter Descriptions

1. code (Required). This is the authorization code generated by the
authorization server; it can be used only once. The code should have a
limited lifetime; the maximum recommended lifetime is 10 minutes. It is
generated for the combination of the client_id and redirect_uri
parameters of the request (see step 2).

2. state (Required). The same value that was sent in the request
parameter (see step 2).

6. After receiving the authorization code in the previous step, the
client application requests an access token from the token endpoint of
the authorization server by using a POST request and exchanging the
authorization code. The format of the request is as follows.

https://aad-tenant/token

The parameters of the POST request are shown in Table 2-3.


Table 2-3. Parameter Descriptions

1. grant_type (Required). Should be set to authorization_code.

2. code (Required). The authorization code, as received in the
authorization response in step 5.

3. redirect_uri (Required). Same as the authorization code request in
step 2. Should be included if it was present in the original
authorization code request.

4. client_id (Required). Unique ID, by which the authorization server
uniquely identifies the client application. The same as the
authorization request in step 2.

5. client_secret (Required). The client application is registered with
the authorization server. As part of the completion of the registration
process, the authorization server generates client_id and client_secret
for the client application. While client_id uniquely identifies the
application and can be publicly visible, client_secret is confidential.
Consider client_id and client_secret equivalent to a username and
password, respectively.

7. If the authorization token request is successful, the authorization
server sends the response back to the client application. The response
is in the following format.

{
  "access_token": "abc123",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "xyz890",
  "scope": "read write"
}

Table 2-4 shows the significance of each of the parameters.

Table 2-4. Parameter Descriptions

1. access_token (Required). The access token returned by the
authorization server. We discuss token IDs in later sections.

2. token_type (Required). The only value supported by Azure AD is
"bearer". It signifies the type of token understood by the client.
Further information is beyond the scope of this book.

3. expires_in (Recommended). The lifetime (in seconds) that a token is
valid. The token expires after this period.

4. refresh_token (Optional). After the token expires, a refresh token
could be utilized to get a new access token. They are long-lasting and
bound to the client application to which they were issued.

5. scope (Optional). The same as the scope specified by the client in
the authorization code request in step 2.


8. After getting the access token, the client uses it to access the Web
API. We briefly touched on tokens in Chapter 1. All requests to the API
should include the Authorization header.

"Authorization: Bearer eyJ0..."

Depending on the result of validating the token, the API either allows
access to the resource or returns an error.

9. If the access token has expired or is invalid, the client application can request another access token by sending a refresh token. The client does so by sending a POST request to the token endpoint of the authorization server. The request’s parameters are described in Table 2-5.

Table 2-5. Parameter Descriptions

S.No. | Parameter | Required/Optional | Description
1 | grant_type | Required | Should be set to refresh_token.
2 | refresh_token | Required | The refresh token sent by the authorization server to the client application. This is the same refresh_token that was received with the access token in step 7.
3 | scope | Optional | Considered the same as the original request if not included. You can’t add a value that was not in the original request for the access token.


10. In the event of a successful request, the authorization server returns the response in the same format as the response to the access token request (the same as step 7).
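
As an added example (not code from the book), the following Node.js snippet handles the step 7 token response and builds the step 9 refresh request. The token endpoint URL and the client credentials are hypothetical, and client_id and client_secret are included on the assumption of a confidential client.

```javascript
// Added example, not from the book: client-side handling of the token
// response in step 7 and construction of the refresh request in step 9.
// The endpoint below and the client credentials used in the demo are
// hypothetical values.
const TOKEN_ENDPOINT = "https://aad-tenant/token"; // hypothetical

// Constructed sample input: the step 7 response as printed in the book.
const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  access_token: "abc123",
  token_type: "bearer",
  expires_in: 3600,
  refresh_token: "xyz890",
  scope: "read write",
});

// Parse the token response (Table 2-4) into a record that knows when it
// expires. `now` is epoch milliseconds, passed in so the logic is testable.
function parseTokenResponse(json, now) {
  const r = JSON.parse(json);
  if (typeof r.token_type !== "string" || r.token_type.toLowerCase() !== "bearer") {
    throw new Error("unsupported token_type: " + r.token_type);
  }
  if (typeof r.access_token !== "string" || r.access_token.length === 0) {
    throw new Error("response carries no access_token");
  }
  // expires_in is only "recommended": when it is absent, treat the token as
  // already stale so the client refreshes instead of reusing a token of
  // unknown lifetime.
  const lifetimeMs = Number.isInteger(r.expires_in) ? r.expires_in * 1000 : 0;
  return {
    accessToken: r.access_token,
    refreshToken: typeof r.refresh_token === "string" ? r.refresh_token : null,
    scopes: typeof r.scope === "string" ? r.scope.split(" ") : [],
    expiresAt: now + lifetimeMs,
  };
}

// Header value for every request to the Web API (step 8).
function authorizationHeader(token) {
  return "Bearer " + token.accessToken;
}

// Treat the token as expired `skewMs` early so a call does not fail because
// the token lapsed while the request was in flight.
function isExpired(token, now, skewMs = 30000) {
  return now + skewMs >= token.expiresAt;
}

// Build the POST to the token endpoint for step 9 (Table 2-5). The book's
// table lists grant_type, refresh_token and scope; client_id and
// client_secret are sent here as well because a confidential client
// authenticates to the token endpoint exactly as it did in the code
// exchange (Table 2-3). `scopes`, if given, may only narrow the original
// grant: a scope that was not in the original request is rejected before
// the request leaves the client.
function buildRefreshRequest(token, clientId, clientSecret, scopes) {
  if (token.refreshToken === null) {
    throw new Error("no refresh token was issued; re-run the authorization code flow");
  }
  const body = new URLSearchParams();
  body.set("grant_type", "refresh_token");
  body.set("refresh_token", token.refreshToken);
  body.set("client_id", clientId);
  body.set("client_secret", clientSecret);
  if (scopes !== undefined) {
    const extra = scopes.filter((s) => !token.scopes.includes(s));
    if (extra.length > 0) {
      throw new Error("scope not in the original grant: " + extra.join(" "));
    }
    body.set("scope", scopes.join(" "));
  }
  return {
    url: TOKEN_ENDPOINT,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Demo run with the constructed sample response.
const demoToken = parseTokenResponse(SAMPLE_TOKEN_RESPONSE, Date.now());
console.log(authorizationHeader(demoToken));
console.log(buildRefreshRequest(demoToken, "client123", "client-secret-placeholder", ["read"]).body);
```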

Implicit Grant
This flow is typically used by applications implemented in scripting languages like JavaScript, where the secured resource is accessed directly from the script. An implicit grant is a variant of the authorization code grant flow, but instead of separate requests for the authorization code and the access token, the access token is returned directly by the “authorize” endpoint. There is no separate authentication with client_id and client_secret. Because the access token is exposed to the resource owner and to other applications on the client device, an implicit grant is considered less secure, and for that reason it does not use a refresh token.
The following criteria are the general rules for choosing an implicit grant.

• The client application accesses resources by using scripting languages like JavaScript. Single-page applications are recommended to use this flow.

• Client applications are a hybrid of post-back-based web applications. They also use AJAX calls to refresh pages from different resource APIs.

• The client application can react to the resource owner’s actions.

• The client application is capable of receiving requests from the authorization server, generally via redirection.


The diagram shown in Figure 2-6 details the process flow for an implicit grant. The following are the actors for the implicit grant flow (the mapping to the actors defined in Figure 2-3 is in parentheses).

• User (resource owner). The owner of the resource. The user interacts with the client application via a user agent (browser).

• Client application (client). A web application trying to access a secured resource. The client application is JavaScript-based (or SPA).

• OAuth 2 Authorization endpoint (authorization server). The endpoint of the authorization server used to get access tokens.

• Web API (resource server). API providing the resource owned by the resource owner.

[Figure 2-6 is a sequence diagram with the actors User, Browser, Client Application, OAuth Authorization Endpoint and Web API. Its messages, in order: User browses the SPA; Browser sends request to web app; Redirection to login page; User enters credentials; Credentials submitted to OAuth Authorization Endpoint; Return ID token, access token; Call Web API by adding access token in authorization header; Validate access token; Return the data to the web app.]

Figure 2-6. Process flow for implicit grant


The following are the steps for an implicit grant.

1. The user tries to access and log in through the client application URL.

2. The client application redirects the unauthenticated user to the authorization endpoint of the authorization server. The client constructs a request URI in the following format.

https://aad-tenant/authorize?
response_type=token
&client_id=client123
&redirect_uri=https%3A%2F%2Fclient-application%2Fcallback
&scope=read+write
&state=abc

Table 2-6 describes the significance of each of the parameters.

Table 2-6. Parameter Descriptions

S.No. | Parameter | Required/Optional | Description
1 | response_type | Required | Should be set to “token” for an implicit grant flow vs. “code” for a code grant flow.
2 | client_id | Required | The client application must be registered with the authorization server to access secured resources. The client_id is a unique ID by which the authorization server uniquely identifies the client application. It is provided by the authorization server. We discuss the process of registration on Azure AD in Chapter 3.
3 | redirect_uri | Optional | After authenticating the resource owner, the authorization server redirects the browser to this URI.
4 | scope | Optional | Scope is a list of case-sensitive strings delimited by space. It defines the permissions being requested by the client. Possible values for the scope are predefined on the authorization server.
5 | state | Recommended | This is a random string included by the client in the request. The authorization server includes this string when redirecting the user agent back to the client application. The client validates that the returned string is the same as the one it sent in the request. This is used to avoid cross-site request forgery.

3. The authorization server redirects the user to log in and prompts the user to authenticate.

4. The user enters his credentials for authentication.

5. Assuming that user authentication is successful, the authorization server redirects the user agent to the URI specified in the redirect_uri, as follows.

https://client-application/callback#
access_token=xyz123
&token_type=bearer
&expires_in=3600
&scope=read+write
&state=abc

Note that there is no refresh token returned. Table 2-7 describes the significance of each of the parameters.

Table 2-7. Parameter Descriptions

S.No. | Parameter | Required/Optional | Description
1 | access_token | Required | The implicit grant flow returns the access token instead of the authorization code. Also, note that the token is returned in the URL fragment (vs. a query parameter).
2 | token_type | Required | The only value supported by Azure AD is “bearer”. It signifies the type of token understood by the client. Further information is beyond the scope of this book.
3 | expires_in | Recommended | The lifetime (in seconds) that a token is valid. The token expires after this period.
4 | scope | Optional | Considered the same as the original request if not included. We can’t add a value that was not in the original request for the access token.
5 | state | Required | The same value that was sent in the request parameter (see step 2).

6. After getting the access token, the client uses the access token to access the Web API.
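
As an added example (not code from the book), here is how a single-page application can validate the step 5 redirect: it reads the token from the fragment, checks the state value against the one it stored before redirecting in step 2, and drops the fragment from the address bar afterward. The stored state and the requested scopes are assumed values; the callback URL is the book's sample.

```javascript
// Added example, not from the book: what the single-page application does
// with the redirect it receives in step 5. The callback URL and state value
// are the book's sample ones; `expectedState` stands in for the value the
// SPA stored (for example in sessionStorage) before redirecting in step 2.
const SAMPLE_CALLBACK =
  "https://client-application/callback#access_token=xyz123&token_type=bearer" +
  "&expires_in=3600&scope=read+write&state=abc";
const SAMPLE_REQUESTED_SCOPES = ["read", "write"]; // constructed

// Parse the access token out of the fragment of the redirect URL. The
// fragment (after "#") stays in the browser and is never sent to the server,
// unlike a query string (after "?"), which is why the implicit grant uses it.
function parseImplicitCallback(callbackUrl, expectedState, requestedScopes, now) {
  const url = new URL(callbackUrl);
  if (url.hash.length <= 1) {
    throw new Error("no fragment: expected the token in the URL fragment");
  }
  const p = new URLSearchParams(url.hash.slice(1));

  // state binds this response to the request the SPA itself issued (Table 2-6
  // and Table 2-7). A redirect whose state does not match was not triggered by
  // our request and is discarded; this is the cross-site request forgery
  // protection the book describes.
  if (typeof expectedState !== "string" || expectedState.length === 0 ||
      p.get("state") !== expectedState) {
    throw new Error("state mismatch: response is not bound to our request");
  }
  // A denied request comes back with an error parameter in the same fragment;
  // surface it instead of treating the redirect as a token.
  if (p.has("error")) {
    throw new Error("authorization failed: " + p.get("error"));
  }
  const tokenType = (p.get("token_type") || "").toLowerCase();
  if (tokenType !== "bearer") {
    throw new Error("unsupported token_type: " + p.get("token_type"));
  }
  const accessToken = p.get("access_token");
  if (!accessToken) {
    throw new Error("fragment carries no access_token");
  }
  // scope, when absent, is the same as in the request (Table 2-7).
  const scopes = p.has("scope") ? p.get("scope").split(" ") : requestedScopes.slice();
  // expires_in is only recommended; a missing value is treated as already stale.
  const expiresIn = p.get("expires_in") || "";
  const lifetimeMs = /^\d+$/.test(expiresIn) ? Number(expiresIn) * 1000 : 0;
  return {
    accessToken,
    scopes,
    expiresAt: now + lifetimeMs,
    // The implicit grant never issues a refresh token; when the token expires
    // the SPA has to go back to the authorize endpoint (step 2).
    refreshToken: null,
  };
}

// After the token has been read, the SPA should replace the address-bar URL
// (history.replaceState in a browser) with this fragment-free version so the
// token is not kept in browser history or leaked through a copied link.
function urlWithoutFragment(callbackUrl) {
  const url = new URL(callbackUrl);
  url.hash = "";
  return url.toString();
}

// Demo run with the constructed sample.
const demo = parseImplicitCallback(SAMPLE_CALLBACK, "abc", SAMPLE_REQUESTED_SCOPES, Date.now());
console.log("Authorization: Bearer " + demo.accessToken, demo.scopes, urlWithoutFragment(SAMPLE_CALLBACK));
```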


Resource Owner Password Credentials Grant
The resource owner password credentials grant, or simply password grant,
is one of the simplest grant flows. This grant requires the resource owner
to provide a username and password to the client application. Since the
resource owner’s credentials are exposed to the client application, the
resource owner should trust the client application. A password grant is
generally used for internal client applications; it should not be used with
third-party applications. The following are use cases for which a password
grant is applicable.

• The resource owner has a trust relationship with the client application.

• The services and applications trying to access a resource API belong to the same resource API provider.

• Migrate older username and password–based applications to use OAuth.

• Secure client application devices using a username and password by storing the access token (with a specific expiration time) and using the access token to access the resource API, instead of prompting for a username and password on each login.

The diagram shown in Figure 2-7 details the process flow for a
password grant. The following are the actors for the password grant flow
(the mapping to the actors defined in Figure 2-3 is in parentheses).

• User (resource owner). The owner of the resource. The user interacts with the client application via a user agent (browser).

• Client application (client). This is a web application trying to access a secured resource.

35
Random documents with unrelated
content Scribd suggests to you:
been entirely absent since birth. Many little girls and babies have no
hymen. It can be destroyed by accident or injured by operations, or
examinations where the physician did not use the greatest care. In
some women it is easily destroyed; in others it is more difficult. It is
not at all uncommon for a physician to find the hymen unruptured
when he comes to deliver the first born child. All of which goes to
prove that neither its presence nor its absence is necessarily the sign
of virginity.
Now that we have some idea of the situation of the reproductive
organs and their relations to one another we shall be ready to
consider in greater detail the ovule or egg in the ovary.
PUBERTY—PART II.
Beginning with puberty the eggs from the ovary are expelled as they
ripen or mature. This process is called ovulation and occurs about
every twenty-eight days. It is closely related to menstruation, but it
is not menstruation as you will soon learn. Some writers say the egg
is expelled at other times than at the menstrual periods; another
writer asserts that one passes every six hours, alternating male and
female. There are many views and ideas on the subject of ovulation,
but I will tell you of the most generally accepted theory, that the egg
is expelled from the ovary every twenty-eight days.
When the egg ripens, the ovary discharges it and sends it on to find
its way through the tubes to the uterus. Here we find the blood
supply of the uterus greatly increased in preparation for the egg. We
find the inner lining of the uterus becomes very soft and smooth so
that the egg can very easily find a place in which to lodge itself after
it has been fertilized. We also find that the cells swell and multiply,
all in preparation to welcome and nourish the incoming egg or
ovum. If the egg is fertilized by the male, it then remains in the
uterus to develop. If not, it is thrown out, together with all the
preparation made to receive it. The cells burst and discharge their
contents; the mucus, blood, cells and all come away in what is called
the menstrual flow.
At one time woman was thought to be the only creature which
menstruated. But science now tells us that all warm blooded animals
which walk erect menstruate. The discharge is chiefly due to the
position which in standing upright, throws the large part of the
uterus higher than the neck. In animals, such as dogs, cats, etc., the
same process goes on, but the position of these animals keeps the
large part of the uterus lower than the small part, where the blood is
retained and then reabsorbed into the system.
This process goes on every four weeks in girls after they reach the
age of puberty and continues at regular periods as long as the egg is
not fertilized until the reproductive age is over, which is usually
between the forty-fifth and fiftieth year. If, however, the egg is
fertilized the menstrual flow ceases and this blood supply goes to
nourish the new life in the uterus. It does not appear again until
after the birth of the child, and usually ceases while the child
depends upon the milk from the mammal glands.
The age at which this process (menstruation) first takes place in girls
differs in individuals. Climate has some effect upon it, for girls in
warm or Southern climates mature earlier than in colder places. In
this climate the average girl reaches puberty at fourteen years of
age. Some have been known to reach it as early as the eleventh and
others not until the eighteenth year, all in the same place and yet
normal and healthy, which shows there is no reason for anxiety if the
girl does not menstruate at fourteen, provided she is developing
normally and is in good health. During the first few years after its
appearances the periods are likely to be irregular. This is because
the sexual organs are not fully developed. Often the period does not
occur after the first time for three, five, eight months and sometimes
a year. This irregularity continues for two or three years. Cases of
girls coming from Europe have been known where the period was
perfectly established over there, but after arriving in this climate the
menstrual flow did not occur again for a year and over. Usually this
irregularity lasts only a few months, and when once it has become
regular, there should be no worry over its arrival a day or two earlier
or later.
The length of time the period lasts differs in women also. The
average length of time is four or five days, yet there are women in
which it lasts fully a week, and others but a few hours. The length of
time should not be of as much concern as the amount of discharge
which is expelled each time. It is, of course, difficult to estimate this,
but physicians claim that more than three protectives in twenty-four
hours should not be used. In all women the flow is most profuse
during the first two days.
The care of the health should receive more attention during the first
two days than is usually given it. To the girl who has to work from
early morning until late at night, these two days are unusually hard
on her nerves and on her general health, and I regret that I have no
new message for her to help lighten the burden, which under the
present atrocious industrial system makes it so hard for her.
Physicians say there should be no need of interrupting the regular
routine of the day at this time more than any other. There are a few
strong women to whom this period makes no difference, but the
average girl in this country spends two days of pain and discomfort.
Out of 1,000 girls questioned, only 16 per cent. were entirely free
from pain, which proves that the time has come for women to cease
being ashamed of this function, and insisting upon at least one day's
rest at the expense of her employer. Some of the old biblical ideas
instilling into the man's mind, that a woman is unclean at this time
has been the cause of much hardship and many sneers endured by
a woman during these periods. The consequence has been that she
will bear the most intense pain rather than allow the men working
with her to suspect that she is menstruating. It is all nonsense and
wrong, and it is time women should band together in one great
sisterhood to protect one another from being slowly drained and
exhausted of their powers of motherhood for the benefit of their
exploiters. Women who belong to unions should demand that this
day be given them and their sisters. Girls continue to suffer pains in
the abdomen and back, pains running down the limbs, headache,
often nausea, besides being nervous and irritable, yet hang on a
strap in an overcrowded street car, stand or sit all day in the shop or
at the machine and utter no protest. They know, too, they are not
alone in this suffering, for they see about them day after day
hundreds of other women enduring the same pain, yet they remain
silent.
How long will you endure this, working women?
There is one thing to remember, that the greatest strain comes on
the nervous system at this period. One of the best ways to assist in
building up the nerve strength is in sleep and rest and for the girl
who dares not remain away from the shop fearing to lose her “job”
the next best thing is to get to bed early, for there's nothing that
builds up the exhausted nerves like sleep.
Fortunately, the girl at school has some consideration shown her at
this time, and it is well that this is so, for until the period becomes
established there is special danger of overdoing in school work,
which often causes St. Vitus dance and other nervous disorders.
I believe in the regular warm tub bath, or cold sponge followed by a
good rubbing all over the body at this time, together with nine or ten
hours' sleep, and light, nourishing food without stimulant. If the
bowels are active, it often lessens the pain considerably, and it is
very important that every girl attend to this if she has any regard for
her health. There are a few abnormalities of the menstrual function
which I will not take the space to state here. Before leaving the
subject, I wish to impress upon the reader that most abnormalities,
such as too little or too much flow, or very great exhausting pain are
usually caused, not by any disease of the generative organs, but
more often a disturbance of the general health, which can often be
treated and cured by building up the system.
Every girl should learn the laws of menstruation and its hygiene and
have a full understanding of the same. The menstrual function
occurs only in the female at puberty, but at the same time there
comes to both boys and girls, or male and female, a mysterious and
impelling influence, which has great power over the lives of both
during the adolescent period unless they understand and control it.
This is known as the Sexual Impulse.
CHAPTER IV.
SEXUAL IMPULSE—PART I.
The sexual impulse is the strongest force in all living creatures. It is
this that animates the struggle for existence; it is this that attracts
and unites two beings, that they may reproduce their kind; it is this
that inspires man to the highest and noblest thoughts; it is this also
that inspires man to all endeavors and achievements, to all art and
poetry; this impulse is the creative instinct which dominates all living
things and without which life must die. If, then, this force, this
impulse plays so strong a part in our lives, is it not necessary that
we know something about it?

At the time of puberty there comes both to boys and girls, two
impulses—one, the desire to touch or caress; to come in contact
with, to write or to speak to, an individual of the opposite sex. This
impulse is much stronger in girls than in boys. The other is the
impulse that impels the individual to discharge the accumulation of
ripe sex cells, and relieve himself of the nervous tension which this
accumulation produces. This impulse is stronger in boys than in girls.
One writer states that this is an unconscious desire for relief from
physical congestion, not differing greatly from the sense of relief
which the emptying of the bladder or rectum produces.

These two impulses together, according to Moll, constitute the


Sexual Impulse, and this constitutes the foundation upon which love,
the greatest of all emotions, is based.

At the time of puberty, we learned from the last article, that the first
manifestations of sexual maturity in the girl is the appearance of the
menstrual flow. But also at puberty there comes the sexual impulse,
which evidences itself during sleep, in a filmy substance dropping
from the mouth of the uterus. This “detumescence” does not appear
very often in young girls, but later in life when sex instinct becomes
stronger it occurs during sleep, especially in young widows having
experienced sexual relations. They are, however, seldom aware of its
taking place; consequently, it has not the danger which it presents
to the boy.

In the preceding article on puberty, we discussed only the girl at


puberty, but here it is necessary to understand that during puberty
many changes take place in the boy, such as change of voice, the
growth of hair on the face, various parts of the body, and most
important, the discharge of the sexual fluid commonly known as
seminal emissions. This latter symptom appears in every normal
healthy boy on reaching the age of puberty, but unlike the menstrual
period which occurs at a stated period in girls, the seminal emissions
do not depend upon a special period; they occur at different times,
often twice a month. Unlike menstruation, which in the girl lasts
from two to seven days, the discharge lasts only a few seconds, and
is not accompanied by pain. This expulsion is considered perfectly
normal, and is not a sign of physical or sexual weakness, but a sign
that a surplus accumulation of ripe sex cells are present and have
come to their full development and overflow. Nature takes care of
this and uses all of this life-giving fluid according to the needs of the
individual, casting off the surplus.
It is this symptom that alarms young boys at puberty. It is this
overflow which enables quack doctors to play upon the innocent and
ignorant boy, telling him that it is an indication of weakness. And it is
also this—as the result of telling older boys about it—that leads boys
to houses of prostitution; for they are told by their ignorant advisers
that they must have sexual relations or endanger their sexual
capacity.
It is also this overflow which, occurring in sleep awakens the boy,
and he is conscious of what has occurred; he is conscious also of a
pleasurable sensation which this sense of relief produces, and unless
warned against it he will try at some later time to bring on this relief
by friction or mechanical means, which is known as masturbation—
often called self-abuse. The age of puberty is one of the periods in
an individual's life in which it is easiest to acquire this habit, in girls
as well as in boys, although the girl may not be conscious of any
sensation, through the accumulation of the “detumescence”. Yet
there is the same nervous tension that exists in boys, due to
congestion of the now fully developed genital organs, perhaps
slighter in intensity, but it is there and the girl becomes conscious of
it.
In talking to older girls about sex, menstruation, etc., she is often
led into the habit of masturbation. Cases have been known where
children formed this habit in infancy almost, through the ignorance
of nurses or even mothers, who, not aware of the consequences,
have kept babies from crying by gently patting or rubbing the sexual
parts. It may be caused also by uncleanliness, itching, tight clothing,
etc.
When the habit is formed in very small children, it can be exercised
in the very presence of the parents, but they being ignorant of the
habit itself, or the consequences, interpret the actions as “baby
ways”. Again, the habit is formed upon entering school. It is said no
school is free from it; and it is a fact that no institution today is free
from pupils who practice masturbation.
In public schools are found groups of perverted boys and girls whose
depraved ideas sooner or later permeate the place. A recent issue of
a conservative woman's journal says: “In absolute filth of
conversation nothing could equal the talk of boys and girls during
recess in our schools. What is still worse is that the child is generally
instructed in masturbation, prostitution and sometimes sexual
perversity.”
This subject of masturbation is at present under discussion from
many points of view among the medical profession; some claiming,
that, as with venereal diseases, we lay too much stress on the
matter, and exaggerate the harm done to the individual by it. One
writer plainly states that it is of such common practice that out of a
hundred young men and women, ninety-nine are addicted to it, and
the hundredth one is lying. Another says that out of a hundred men
and women arriving at the age of 25, ninety-nine have practiced it at
some time.
By these examples such writers would try to prove that because
ninety-nine people out of one hundred are not in insane asylums the
practice cannot be as harmful as it is stated by others to be.
Let us take a sane and logical view of this subject.
In children, before they have reached the age of puberty, prior to
the development of the sexual organs, it stands to reason that to
abuse these organs before they are strong enough to be exercised
must weaken them for their natural functions. Again, masturbation,
unlike the sexual act, can be practiced individually and at all times
and nearly anywhere. This gives the individual unlimited opportunity
for indulgence, and consequently drains and exhausts the system of
the vitality necessary for full development.
In the boy or girl past puberty we find one of the most dangerous
forms of masturbation, i. e., mental masturbation, which consists of
forming mental pictures, or thinking of obscene or voluptuous
pictures. This form is considered especially harmful to the brain, for
the habit becomes so fixed that it is almost impossible to free the
thoughts from lustful pictures. Every girl should guard against the
man who invariably turns a word or sentence into a lustful, or
commonly termed, “smutty” channel, for nine times out of ten he is
a mental masturbator.
Perhaps the greatest physical danger to the chronic masturbator is
the inability to perform the sexual act naturally. The strong physical
irritants which are used are likely to produce catarrhal disease of
these organs in both sexes, producing such irritating sensations that
relief is demanded, and this can be obtained only by repeating the
habit, and so it continues. The individual promises himself over and
over again after such exercises to overcome the habit, but his will
power gradually becomes destroyed and the impulse continues. He
knows and intuitively feels such practice degrades him and destroys
his character; he feels he is losing control of himself, and also
realizes that his health, especially his nervous system is being
undermined.
In my personal experience as a trained nurse while attending
persons afflicted with various and often revolting diseases, no matter
what their ailments, I never found any one so repulsive as the
chronic masturbator.
It would not be difficult to fill page upon page of heart-rending
confessions made by young girls, whose lives were blighted by this
pernicious habit, always begun so innocently, for even after they
have ceased the habit, they find themselves incapable of any relief
in the natural act. This causes a nervous and excited condition in the
girl, tossing about nervously for hours after. It is much more difficult
for a girl to overcome the habit than a man. The effects are more
permanent in her.
Before closing this subject, however, I want to tell of a case of an
eight year old boy I attended during an attack of measles. I found
he was shy and unresponsive, and at times very nervous and
irritable with a strong liking to be alone. I observed him closely for a
few days and reported the results of my observation to the attending
physician. He was convinced of the truth, that the little fellow was
masturbating. The physician assigned me to the task of talking to
the child, who acknowledged that he was “touching” himself and
had been ever since he could remember. The little fellow's mother
had died when he was in infancy, leaving beside himself a brother a
year older with whom he slept. I explained to him the danger as well
as I could and the result was that I was awakened in the night by
whisperings and found the little fellow asking the older brother to tie
his hands to the bedpost. This the older brother did with a
handkerchief, and the child went to sleep in this way every night
during the few weeks I was attending him. The first few nights he
was awake practically all of the time struggling to overcome this
habit, which he finally overcame completely.
At puberty every boy and girl should be taught these dangers and
temptations and also how to avoid them, by keeping active, mentally
and physically, going to bed only when sleepy, avoiding intoxicating
drinks and stimulants.
We have strayed some distance, I know, from the beginning of our
subject—Sexual Impulse—to treat of its perversion (masturbation),
but we shall now take up the normal natural impulse and see what
there is that every girl should know.
SEXUAL IMPULSE—PART II.
In the first part of this article we learned that the sexual impulse is a
combination of the two impulses: the one which impels the
discharge of ripe sex cells, strongest in the boy, and the other which
impels the individual to touch or caress an individual of the opposite
sex, strongest in the girl.
Every girl has in mind an ideal man. This ideal begins to form
sometime in the early adolescent age. He is usually distinct in her
mind as to his physical qualities, such as dark or light hair, or brown
or blue eyes. He is always a certain physical type and often remains
an ideal to her through life. At the forming period of the type she
will be attracted toward many men who seem to answer the ideal
type, but as she reads and develops through the various stages of
the adolescent period, the ideal changes and grows with her. As she
reaches the romantic stage the ideal must be brave, daring,
courteous. If she is inclined toward outdoor sports he must be
athletic. And so it goes on until the twenty-third year, when the
average girl has a fairly settled idea of the man who would suit her
as a mate through life.
When the sexual impulse makes itself felt strongly in the adolescent
boy or girl, they, feeling satisfied with the physical beauty and
perfection of the other, marry, they are unconscious that the
incentive to love when based on physical attraction alone is soon
destroyed. For sickness, poverty or disease will affect even the most
seemingly perfect physical attraction.
Let us not confuse the sexual impulse with love, for it alone is not
love, but merely a necessary quality for the growth of love.
No sexual attraction or impulse is the foundation of the beautiful
emotion of love. Upon this is built respect, self-control, sympathy,
unity of purpose, many common tastes and desires, building up and
up until this real love unites two individuals as one being, one life.
Then it becomes the strongest and purest emotion of which the
human soul is capable. There is no doubt that the natural aim of the
sexual impulse is the sexual act, yet when the impulse is strongest
and followed by the sexual act without love or any of the relative
instincts which go to make up love, the relations are invariably
followed by a feeling of disgust. Respect for each other and for one's
self is a primary essential to this intimate relation.
In plant and animal life the reproductive cell of the male is the active
seeker of the passive female cell, imbued with the instinct to chase
and bodily capture the female cell for the purpose of reproduction.
This instinct man, as he is today, has inherited, and, as with the
lower forms of life, the senses are intensely involved. It is kept alive
by the sense of sight, sound and smell, and reaches its highest
development through the sense of touch. It is heightened by
touching smooth and soft surfaces—which is said to account for the
pleasure of kissing.
In the early part of this article I spoke of the desire to touch being
stronger in girls than in boys. This desire leads a girl to kiss and
fondle a man without any conscious desire for the sexual act;
whereas in the man, to be touched and caressed by the girl for
whom he has a sexual attraction, stimulates the accumulation of sex
cells, and the desire for the sexual act becomes paramount in his
mind. Many a young girl bubbling over with the joy of living,
innocent of any serious consequences, is oft-times misjudged by
men on account of these natural actions. But she soon puts on her
armor of defense, and stifles and represses any outbursts of
affection.
Society, too, condemns the natural expression of woman's emotion,
save under certain prescribed conditions. In consequence of this,
women suppress their natural desires and direct this great force into
other channels, participating in the bigger and broader movements
and activities in which they are active today.
This is one reason why the type of the so-called “old maid”, so
characteristic of the generation past, has disappeared. These great
maternal powers are being used up in the activities of modern life.
Instead of allowing it to remain dormant and make her odd and
whimsical, the modern woman turns her sexual impulse into a big
directing force.
That the male creature is the pursuer of the female in all forms of
life, there is no question, but that the female has the choice of
selection and uses fine discrimination in her choice, cannot be
denied either. This instinct of selection seems to lie dormant in
women of today, for at puberty nature calls to every girl to make a
selection suitable to her nature. Yet few girls follow this instinct on
account of the specter of economic insecurity which looms up before
them. Instead of asking themselves: “Are we mateable and
sympathetic?” they ask: “Shall we have enough food, clothing and
shelter?”
Indeed, girls, this system increases our degradation, and places us in
ideals lower than the animals. All over the civilized world today girls
are being given and taken in marriage with but one purpose in view:
to be well-supported by the man who takes her. She does not
concern herself with the man's physical condition; his hereditary
taints, the cleanliness of his mind or past life, nor with the future of
the race.
There will no doubt be a great change in woman's attitude on this
subject in the next few years. When women gain their economic
freedom they will cease being playthings and utilities for men, but
will assert themselves and choose the father of their offspring. As
Bernard Shaw tells of her in one of his greatest plays, she will hunt
down her ideal in order to produce the Superman.

There seems to be a general tendency on the part of the woman
who is demanding political freedom, to demand sexual freedom also.
When a girl reaches the age nearing thirty her natural development
tends toward sexual freedom. It seems as though nature, knowing
the time of reproduction is drawing to a close, calls with all the fury
of her strength to complete its development and procreate.
It is at this age where physicians claim a woman awakens to the
sexual desire, and it is at this age that women seek affection, or
gratification with a “lover.” To her there is nothing to say; she is
mature, developed and can judge for herself where best her
happiness lies.
But to the young girl at the age of say twenty, or even younger,
immature, mentally undeveloped, there is something she should
know, and that is that every physical impulse, every sensual feeling,
every lustful desire will come to her whitewashed with the sacred
word “Love”.
Neither the boy nor the girl knows the difference between the sexual
impulse and love. A boy meets a girl he feels a great attraction for
her, he feels the sexual impulse throbbing within him, he is full of
this life-giving current, he feels it throughout his being; he walks
lighter and straighter, he feels it in his voice, in his laughter; he
grows tenderer within himself, and to women. He feels all this and is
sure it is a love that will never die. If there is an attraction on the
girl's part there is no difficulty in persuading her that this feeling is
love.
But it is not love; it is the creative force or sexual impulse scattered
through his being and the sexual act brings it to a focus.
If motherhood comes to the girl through this relation, she has
developed and the experience has enriched her life. But today the
girl has an idea she has escaped the greatest disgrace when she has
avoided motherhood. If the relation was based on physical attraction
alone, a few abortions and the monotony of everyday life soon
remove this, and the man goes elsewhere in search of this wonderful
sensation which he felt at first, but did not know how to keep or
how to use.
The girl, however, has become a new being, sexually awakened and
conscious of it, but ignorant of the use of the forces she possesses,
she plunges forth blindly, with social and economic forces against
her, and prostitution beckoning at every turn. So she soon passes
with the crowd on the road to the Easiest Way. This is the story of
thousands of young girls living in prostitution.
Women should know that the creative instinct does not need to be
expended entirely on the propagation of the race. Though the sex
cells are placed in a part of the anatomy for the essential purpose of
easily expelling them into the female for the purpose of
reproduction, there are other elements in the sexual fluid which are
the essence of blood, nerve, brain and muscle. When redirected into
the building and strengthening of these, we find men or women of
the greatest endurance and greatest magnetic power. A girl can
waste her creative powers by brooding over a love affair to the
extent of exhausting her system, with results not unlike the effects
of masturbation and debauchery.
The sexual impulse is natural. It is natural in animals, degenerates,
and in man. But in man it is mixed with other essentials which,
together, are termed love. These essentials are derived from man's
power of reasoning by which he is known as a higher species and
through which he differs from the animals.
When man emerged from the jungle and stood upright on his hind
legs, the shape of his head and his face changed from the long jaw
and flat head of the animal to the flat face and high head of the
man. All progress from that time forward was made along mental
lines. According to universal law then in existence he should have
been limited to a geographical area and killed by the extreme heat
or cold or starved for one kind of food if it were not obtained, but
against all these he fought, because he became endowed with such
attributes as reason, knowledge and will-power. Instead of using his
creative powers solely in hunting food and reproducing his species,
he used this force in making plans for his self-preservation. He built
rafts and boats to cross rivers and streams; he devised methods of
clothing himself against extreme heat and cold and discovered
various ways of preparing food for different climates suitable for his
various needs. In other words he conserved his creative force and
redirected it into its channels which have resulted in giving him
precedence over all other living creatures. For man has developed a
conscious mind which asserts itself by reasoning, which in turn has
developed his brain power.
It is said a fish as large as a man has a brain no larger than the
kernel of an almond. In all fish and reptiles where there is no great
brain development, there is also no conscious sexual control. The
lower down in the scale of human development we go the less
sexual control we find. It is said the aboriginal Australian, the lowest
known species of the human family, just a step higher than the
chimpanzee in brain development, has so little sexual control that
police authority alone prevents him from obtaining sexual
satisfaction on the streets. According to one writer, the rapist has
just enough brain development to raise him above the animal, but
like the animal, when in heat, knows no law except nature, which
impels him to procreate, whatever the result. Every normal man and
woman has the power to control and direct his sexual impulse. Men
and women who have it in control and constantly use their brain
cells thinking deeply, are never sensual.
It is well to understand that the natural aim of the sexual impulse is
the sexual act and the natural aim of the sexual act is reproduction,
though it does not always result in this. It is possible for conception
to take place without love, it is even possible that there is no
conscious knowledge to procreate before or during the act, yet this
does not disprove the fact that nature has designed it for the
purpose of reproduction, no matter what uses man has put it to
today. This subject of procreation we shall discuss next.
Every girl should know that to hold in check the sexual impulse, to
absorb this power into the system until there is a freely conscious
sympathy, a confidence and respect between her and her ideal, that
this will go toward building up the sexual impulse and will make the
purest, strongest and most sacred passion of adult life, compared to
which all other passions pale into insignificance.
CHAPTER V.
REPRODUCTION—PART I.
In teaching children or young persons the process of reproduction
one of the cleanest, most natural and beautiful methods of doing
this is to tell them the process which goes on in the various forms of
life in the flower, fish, frog, bird and to lead up to the highest and
most complex of all living creatures—man.
They watch the butterfly and bee carry a load of pollen from the
father buttercup to fertilize the seeds within the mother flower. They
watch Mr. and Mrs. Frog awaken from their long winter nap, and
stirred by the life-giving impulse within them, start for the breeding
pond. They watch Father Thrush win his mate and patiently stand
guard over her during the tedious hatching days. They are told and
see that the flowers depend upon outside forces to bring the pollen
from the male to the female to fertilize the seeds before the seeds
could grow. They are taught that the mother fish lays her eggs in the
water first and that the father fish, unlike the flowers, being able to
move about, carries the pollen (which is now a fluid) to the seeds
himself. They are told that Father Frog, being a higher creature,
fertilized the eggs before they reached the water, and Father Thrush
being still higher in the scale fertilized the eggs before they left the
mother's body. That the higher the species was, the greater the care
required to preserve that species.
In this way the mind is prepared for the information which should
follow.
The girl at puberty should be taught this process and something of
what goes on within the womb after the ovum has been fertilized.
She should know that all organic life is the result of a simple cell;
that man is a community of cells, banded together and depending
upon each cell to carry on its work, for the benefit of the whole.
Let us first, then, get an idea of a cell and what it is and what it
does. A cell is a tiny portion of living matter having in its center a
spot or nucleus which represents the point of germination; it is
separated from its sister cells by partitions of cell membrane.
A simple cell is formed by the fusion of two germ cells when they
meet to exchange nuclear elements. After this fusion they are able
to proceed with fission, which means splitting into parts, and it is the
subsequent cellular growth of the fused germ-cell that constitutes
reproduction.
There are two kinds of reproductive cells, the ova in the female and
the spermatozoa in the male.
When the sexual act takes place, there is deposited into the vagina a
secretion known as semen. According to Sutkowsky, each deposit or
ejaculation contains 50,000,000 of spermatozoa.
About the same time in the act there occurs in the female,
spasmodic contractions of the muscles of the uterus which draws in
a small amount of the sperm which the male has left there.
The sperm cell of the male under the microscope shows that it
contains both head and tail.
The tail enables it to move and advance with a tadpole-like motion
toward the ovum.
As in the lower forms of life, the male cell has within it the instinct to
chase and capture the female cell. Consequently, it does not depend
upon the uterine contractions of the female to enable it to reach the
ovum for fertilization. The vagina being a corrugated or wrinkled
tube, hides and secretes the sperm cell for days, unless it is
removed with water or killed by poisonous injections.
When, however, the sperm comes near the ovum it is drawn to it as
to a magnet.
The ovum being carefully protected by nature within the ovaries,
leaves its sister cells and travels alone. The sperm cell, however,
having more dangerous paths to travel, must provide against the
uncertainty of doing its great work by going in numbers, though it
takes but one single cell to produce human life.
A number of the male cells go to meet the ovum, but only one
enters it. Almost at the moment the head enters the ovum it
becomes completely absorbed by the ovum and all trace of it is lost.
This union of the two cells is called fertilization, fecundation,
impregnation, or conception. Any of these terms may be used. This
union usually takes place in the tube, but the fertilized egg does not
remain there; it wanders along and finds its way into the uterus.
Now that the ovum has been fertilized, it readily becomes attached
to the soft lining of the uterus which has been specially prepared to
receive it. No menstruation occurs. The woman is now pregnant. A
new being is created, and marvelous changes will now take place
within the tiny cell clinging so weakly to the lining of the uterus. At
this time the ovum is so small it can scarcely be seen by the naked
eye, but in two weeks it has grown to the size of a pea; in four
weeks to the size of a walnut, and in eight weeks to the size of a
lemon. At this time it is three inches long and is completely formed,
the head being much larger in proportion to the rest of its body.
What has happened to the ovum in these few weeks is briefly this:
All the changes in the evolution of the animal kingdom, that man
had to pass through to arrive at his present shape, the human
embryo goes through step by step within the uterus in a very short
period. Immediately after fertilization the ovum begins to divide into
sections or lobes, into 2, 4, 8, 16, 32, etc. cells until they are almost
countless. Each cell splits in the middle of the nucleus, forming two
complete new cells and so on.
The next stage is represented by this mass of cells forming
themselves into a shape like a hollow ball. The third stage is the
meeting of the two layers of cells, as if the ball had collapsed, and
these two layers meet and unite as one, stretch and flatten out like a
worm. After this stage things become more complicated; new organs
begin to develop, line marks for the backbone and intestinal canal
show themselves, as do the bony and muscular structure of the
skeleton.
A slight pulsation is observed, showing the development of the
heart. The head fold is formed by a gradual bending of the spinal
column at the front end of the ovum, which we will now call the
embryo. There are also formed at this time, processes which soon
become arms and legs, there is a furrow on the face, pits for the
eyes; all of which has happened in less than four weeks.
From this time forward development is rapid; the bones, which up to
this time have been soft matter, grow harder, and all organs which
were only outlined, now become definitely formed.
FIG. II. Foetus in the Uterus at two months' pregnancy.
At the end of the fourth month it has
grown to its natural shape. The remaining months it increases in size
and gains strength. The uterus becomes enlarged, rises out of the
pelvis and occupies the abdominal cavity. It takes forty weeks or 280
days to complete the growth of the human embryo, although the
time may be two weeks more or less and yet be normal.
Let us see how the child has been fed all this time. When the ovum
is fertilized and up to the eighth week it is fed by delicate branched
threads, which form a covering for it. These threads are called “villi”,
and dip into the uterine surface for nourishment from the mother to
supply the embryo.
About the eighth week these “villi” have grown greatly intertwined
into a mass of spongy tissue full of blood vessels called the placenta
(afterbirth). This fastens itself to one side of the uterus, takes
oxygen as well as nutriment from the mother and sends it through
the umbilical cord to the child, the point of attachment being at the
navel, the depression left on the belly of the child by the cutting of
the umbilical cord at birth. In the same way it takes the waste
product from the child to the mother, and she, in turn, throws them
out of her system through the kidneys, bowels and skin. The child
and placenta are both encased within a membraneous sac, which
secretes and serves to hold a watery fluid in which the child swims.
The child is folded together with legs on the thighs and thighs on the
belly, arms on the chest and head bent forward over the breast.
Toward the end of the term it moves about slightly, often stretches a
little, and has periods of rest when it scarcely moves, and again
periods of great activity. A mother first feels the child move in the
fourth or fifth month. Often the young mother at this time begins to
worry over her acts lest something she should do might deform the
precious charge she carries. This, as you can readily understand
from its early development, is impossible, for by the end of the
second month the child has been formed, and no mental
impressions of the mother can alter its shape. Just as the nucleus of
the male sperm has within it all the contributions which the father of
the child can give it, until after it is born, so does the mother give it
its physical qualities right at the beginning.
Whatever is to be inherited from the father must be within the
substance of the spermatozoon at the time the ovum is fertilized. He
has no further pre-natal influence over it.
It is interesting to observe that the children of so-called great men
are seldom above the average in intelligence, where, on the other
hand, almost all men of great minds have had intelligent mothers.
How great or how little influence a mother has over her child
through her thoughts has not been proven, nor has the subject of
determining or influencing sex of the unborn child been settled.
At the end of nine months the child's development is complete and it
is ready for its journey to the outside world. The process of this
journey is called “labor”—a word which will describe the mother's
share in it. When this occurs before the embryo is able to live
outside the uterus it is known as abortion.
REPRODUCTION—PART II.
In the first part of this essay I said that if the process of labor occurs
before the seventh month (which is the earliest time the foetus can
live for any length of time outside the womb) it is known as abortion
or miscarriage. When labor occurs later than this or within two
weeks before term, it is known as premature labor.
The average girl in using the word abortion, has in mind a criminal
act, whereby the process of pregnancy is purposely interrupted. She
prefers the word miscarriage.
There is also a belief among girls that a miscarriage occurring in the
early stages of pregnancy can be brought about without bad results
or any serious consequences to her health.
It is a mistake to regard an abortion as of slight importance, for any
interruption in the process of pregnancy is always more dangerous
than the natural labor at full term. One writer claims there are more
women ill in consequence of abortion than from full term childbirth,
on account of which there are so many women who are semi-invalids.
There can be no doubt that the often excessive loss of blood leaves
the woman in a weak and rundown condition, thereby lessening her
powers of resistance to other diseases.
The shock to the woman's system is greater than that produced by
natural labor, and consequently leaves her in a hysterical and often
critically nervous state for some time after.
The causes of abortion are many. Among them are overexertion,
overexcitement, shock, fright, fall, great anger, dancing, fatigue,
lifting heavy weights, purgative medicines and excessive sexual
intercourse.
The dangers resulting from abortion are blood poison, hemorrhage—
even lockjaw has been known to be the result of abortion, also the
danger that one miscarriage is likely to follow another, and disables a
woman to carry a child to the full term.
If there is the same care and treatment given the woman who
aborts as the woman in childbirth, she will naturally be less likely to
suffer serious results than if no medical attention were given her.
One of the most common disturbances of pregnancy is nausea, more
commonly called “morning sickness,” because it is felt in the morning
when the woman first assumes the erect position. As a rule, this
lasts only during the early months.
About the latter part of the fourth month, or often not before the
fifth month, movements of the foetus are felt. These movements are
called “life”, and women are glad of this signal that all is progressing
naturally. One writer said a woman had described the first feeling of
life as “the trembling movements of a bird within the hand.”
There are often many nervous manifestations accompanying the
pregnant woman, such as headache, neuralgia, toothache and as a
usual thing, constipation is always present, and should receive
attention. The teeth also should receive attention at this time for
they decay easily on account of the secretions in the mouth which
are increased during pregnancy.
The breasts enlarge in the early months of pregnancy, and there is a
fullness and tingling felt often in the fifth week. The nipples become
erect and the skin around the nipple becomes dark brown. These are
only a few of the disturbances of pregnancy, but enough to show
that other organs beside the uterus are tested in strength and how
important it is to have a good healthy body. In fact, every tissue and
fiber in the woman's body feels the impetus of pregnancy, and all
kinds of physical changes occur. Like in June, “Every clod feels a stir
of might, an instinct within it that reaches and towers.”—Howell.
One of the common questions asked by young women in early
married life is how to tell if they are pregnant.