 

how to hide authorization bearer in a rest call?

We are working on a web app that makes REST calls to Office 365. In the process, we get an app-only access token from Azure Active Directory after providing the necessary details. Using this access token, we get access to the resources of all the users present in the Active Directory and at the same time do various Outlook operations (REST calls!!). Anyone would be able to view these requests and responses using applications like Fiddler or other web debuggers. This is a vulnerability that can be exploited to make calls to the server by anyone who can use the access token, which is openly visible.

Things can be clearly put forth using the following images (screenshots not reproduced here):

Our obvious question would be: how can such a scenario be avoided, and how do we secure our REST call? It is to be taken that the access token is a must to reach Office 365, or else operations can't be executed. Please help!!

codemania23 asked Oct 31 '22 08:10



1 Answer

If you're concerned about the fact that your users may misuse the token, one thing you could do is have all the requests route through your server instead of making REST API calls directly from the browser. At all times you can keep the bearer token on the server. Your users would call your API, and then your API (which is running on your server) would call the Office 365 APIs on behalf of the user using that token.

However, you need to consider the scenario that the user is authenticated/authorized against their Office 365 and the token would not allow them to do any operation they are not allowed to. They simply can't take that token and issue an arbitrary request they don't have permission for.

Gaurav Mantri answered Nov 14 '22 12:11

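The server-side proxy pattern the answer describes, as an added example that is not part of the original post: the app-only token lives only on the server, the browser presents just its session cookie, and the server derives the target mailbox from that session rather than from anything the client sends. The Graph base URL, the session store, the token value and the allowed paths are all constructed placeholders; since the question states the app-only token can reach every user's resources, the proxy (not the token) is what confines each caller to their own mailbox.

```python
"""Server-side proxy: the app-only bearer token never leaves the server.

Constructed example; no network call is made and every value is a placeholder.
"""
import urllib.parse
import urllib.request

# Assumption: the token from Azure AD is kept only in server memory or a secret
# store and is never written into any response sent to the browser.
APP_ONLY_TOKEN = "PLACEHOLDER-APP-ONLY-TOKEN"

# Assumption: upstream base URL and the per-user resource path shape.
UPSTREAM_BASE = "https://graph.microsoft.com/v1.0"

# Constructed session store: opaque browser cookie -> signed-in user's UPN.
SESSIONS = {
    "sess-aaa": "alice@contoso.example",
    "sess-bbb": "bob@contoso.example",
}

# Sub-resources the proxy is willing to forward, relative to the caller's own mailbox.
ALLOWED_SUBPATHS = {"messages", "mailFolders", "calendar/events"}


class AccessDenied(Exception):
    pass


def resolve_user(session_id: str) -> str:
    """Map the browser's cookie to a user; an unknown cookie is rejected."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise AccessDenied("no valid session")
    return user


def build_upstream_request(session_id: str, subpath: str) -> urllib.request.Request:
    """Build the Office 365 call the server makes on the signed-in user's behalf.

    The mailbox is taken from the session, never from client input, so a caller
    cannot point the app-only token at another user's data.
    """
    user = resolve_user(session_id)
    if subpath not in ALLOWED_SUBPATHS:
        raise AccessDenied(f"path not allowed: {subpath}")
    url = f"{UPSTREAM_BASE}/users/{urllib.parse.quote(user)}/{subpath}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {APP_ONLY_TOKEN}")  # server-side only
    req.add_header("Accept", "application/json")
    return req


def client_safe_headers(upstream_headers: dict) -> dict:
    """Drop upstream headers that must not be relayed back to the browser."""
    blocked = {"authorization", "www-authenticate", "set-cookie"}
    return {k: v for k, v in upstream_headers.items() if k.lower() not in blocked}
```

A real handler would call `urllib.request.urlopen(req)` and relay the body together with `client_safe_headers(...)`, so the browser only ever sees its own session cookie and the proxied data.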