Microsoft Identity Platform

The Basics

[Figure: oauthv2-microsoft-identity]

  • The Authorization Server is the Microsoft identity platform. It is responsible for verifying the user’s identity, granting and revoking access to resources, and issuing tokens. The authorization server is also known as the identity provider: it securely handles everything to do with the user’s information, their access, and the trust relationships between the parties in a flow.
  • The Resource Owner is typically the end user. It is the party that owns the data and has the power to allow clients to access that data or resource.
  • The OAuth Client is your app, identified by its application ID. The OAuth client is usually the party that the end user interacts with, and it requests tokens from the authorization server. The client must be granted permission to access the resource by the resource owner.
  • The Resource Server is where the resource or data resides. It trusts the Authorization Server to securely authenticate and authorize the OAuth Client, and accepts Bearer access tokens as proof that access to a resource was granted; it must validate each token rather than take it on faith.

App Registration

Registering the app with the identity platform gives it:

  • An Application ID that uniquely identifies your app
  • A Redirect URI (optional) to which the authorization server sends responses. Responses only go to a URI that matches a registered one, so register exactly the URIs you use; a loosely registered redirect lets an attacker receive the authorization code.
  • A few other scenario-specific values, such as a client secret or certificate for confidential (web) apps.

Endpoints

Once registered, the app communicates with the Microsoft identity platform by sending requests to these endpoints:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

{tenant} is the tenant ID or a verified domain name, or one of the aliases common, organizations and consumers; it determines which accounts may sign in, so do not default to common for an app meant for a single organization.

Tokens

// TOASK: How can a bearer token ensure security in an HTTP request? Can eavesdroppers get the header token?
// NOTE: A bearer token is proof of possession only: whoever presents it is accepted, so it is only as safe as the channel it travels on. The endpoints above are TLS-only, and that is what keeps the Authorization header from eavesdroppers; beyond that, keep tokens out of URLs and logs, keep lifetimes short, and send a token only to the resource it was issued for.

  • Access tokens - tokens that a resource server receives from a client, containing the permissions the client has been granted (the scp claim for delegated permissions, roles for application permissions). They are issued for one resource, named in the aud claim, and the client should treat them as opaque: only the resource they were issued to validates them.
  • ID tokens - tokens that a client receives from the authorization server, used to sign in a user and get basic information about them. The client validates the ID token (signature, iss, aud, exp, nonce) before trusting its claims.
  • Refresh tokens - used by a client to get new access and ID tokens over time. These are opaque strings, only understandable by the authorization server, and they are long-lived credentials that must be stored as carefully as a password.

Authorization Grant Types

Authorization Code Grant Flow

[Figure: microsoft-identity-auth-code-flow]

// TOASK: How does a Web API validate the token?
// NOTE: The API validates the JWT itself. It fetches the tenant’s signing keys from the jwks_uri published in https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration, verifies the signature with the key whose kid matches the token header, then checks iss, aud (the API’s own application ID or URI), exp/nbf and finally the scp or roles claim for the requested operation.

  1. Request an authorization code. The state=12345 below is a placeholder: a real client uses a random value, stores it with the user’s session and compares it with the state returned on the redirect (CSRF protection). code_challenge is the base64url SHA-256 of a random code_verifier that the client keeps for step 2.

    // Line breaks for legibility only

    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &response_type=code
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &response_mode=query
    &scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read%20api%3A%2F%2F
    &state=12345
    &code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
    &code_challenge_method=S256
  2. Request an access token. redirect_uri and code_verifier must be the ones used in step 1; the authorization server checks both before issuing tokens, which is what makes a stolen code useless on its own.

    // Line breaks for legibility only

    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
    &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &grant_type=authorization_code
    &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
    &client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only for confidential (web) apps, which keep it server-side; never embed it in a SPA or native app. The secret must be URL-encoded.
  3. Refresh the access token. A refresh token is only issued when offline_access was among the requested scopes; it is a long-lived credential, so keep it server-side or in platform-protected storage.

    // Line breaks for legibility only

    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
    &refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
    &grant_type=refresh_token
    &client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only for confidential (web) apps, which keep it server-side; never embed it in a SPA or native app. The secret must be URL-encoded.

Authorization Code Flow (with PKCE) for SPA

[Figure: microsoft-identity-auth-code-flow-with-pkce]

// TOASK: Is it secure to use the auth code flow in a SPA when using PKCE?
// NOTE: Yes, and it is the recommended flow for browser apps. A SPA cannot keep a client secret, so PKCE does the binding instead: the token endpoint only redeems the code together with the code_verifier whose S256 hash was sent in the authorize request, so a code taken from the redirect URL or browser history is useless without the verifier still held by the page. PKCE does not replace a random state or an exactly registered redirect_uri, and the tokens still live in the browser, so keep their lifetimes short.

Implicit Grant Flow

[Figure: microsoft-identity-implicit-grant-flow]

The implicit flow returns tokens directly in the URL fragment of the redirect, with no code exchange and no PKCE. It is the legacy choice for SPAs; the authorization code flow with PKCE replaces it.

Resource Owner Password Credentials

The client collects the user’s password itself and posts it to the token endpoint. It does not work with MFA-protected accounts and should only be kept for migrating legacy apps.

Client Credentials

The app authenticates as itself, with a client secret or certificate and no user involved, and receives an app-only access token whose permissions come from the roles granted to the app.

Example

In our implementation, the Tab app uses the authorization code flow with PKCE.

  1. The Tab App frontend gets the auth code.
    1. The frontend opens a login popup (/public/auth-start.html), which starts the /authorize request.
    2. The user signs in and consents; the identity platform redirects the popup to redirect_uri (/public/auth-end.html).
    3. The end page checks state, parses the authorization code and returns it to the tab app.
  2. The Tab App sends the auth code, together with the PKCE code_verifier that the frontend generated, to the backend auth server, which exchanges it for an access token.


The format of a formal email in English

From / to / cc / bcc

Subject

Remember to have a concise and eye-catching subject so your email won’t get missed. DON’T send an email without a subject.

Greeting

  • For German and British readers, use Dear xxx
  • For American readers, Hi and Hello are fine:
    • Hi Bob,
    • Hi team,

Body

  • Introduction
  • Body of the text
  • Conclusion

Closing

  • Thanks, / thank you,

    More casual and friendly in tone. Used when you’re asking for something.

  • Regards, / Best regards,

    More professional. Better when closing an informational note.

  • Yours,

  • Sincerely, / Yours sincerely,

  • best,

  • take care,

  • cheers,

  • talk soon,

Signature

Di Lin,
MetaOS team, DevDiv China

Useful Abbreviation

  • ASAP: As soon as possible
  • FYI: For your information
  • OOF: Out of office
  • WFH: Work from home
  • TL;DR: Too long; didn’t read
  • LGTM: Looks good to me
  • TBD: To be determined / to be decided

Example

Subject: vscode-iot-workbench v0.1.15 has been released

Hi team,

The latest vscode-iot-workbench v0.1.15 has just been released with all tests passing. For more details please see xxx. Thanks!

Regards,

Di Lin,
MetaOS team, DevDiv China

Email Samples on Different Topics

Discussion

  • Please see my comment in line.

  • When another team member raises a suggestion or solution you disagree with, instead of arguing that he is wrong, first acknowledge where his solution fits, with a sincere example. Then raise your solution, talk about the difference between them and come to a conclusion that separates the cases.

    We agree that xxx is a good choice / idea when xxx. And it is perfect for doing xxx. For example, xxx. This will xxx and will be a good choice.
    But for this scenario xxx, it is cleaner to just do xxx.
    So to summarize, we would like to separate the two scenarios: 1. xxx. 2. xxx.

  • During a discussion email thread, remember to occasionally thank the people discussing with you. This eases the tension and reminds people that you are discussing to improve the product, not to attack anyone.

    Thanks @people for the many suggestions, especially the xxx. The suggestion really helped us understand and re-think the design of xxx.

  • Need more info.

    Thanks for the suggestions. Can you share more about the thoughts behind the following ideas? Knowing the improvements we want to achieve with them would help us a lot with the detailed design. I have also attached some technical details that may affect the expected improvements.

  • Do you want to collect all the concerns and open issues, and then we can schedule a meeting to resolve them?

  • You mentioned other architectural concerns. Let’s get them on the table. Have you written them down somewhere? Happy to review.

  • On the flip side, sharing credentials is considered an anti-pattern.

  • Share the current status of your process. What your team has decided and been working on.

    To summarize the current status: the xxx idea is great and we agree that we should do xxx. We’re actively working on the SDK design, and will share more details with sample code in the next review meeting.

    Thanks for the feedback and I’d like to share our updates and ideas to discuss.
    Updated items:
    1.
    2.
    Need further discussion:
    1.
    2.

  • Ask other team for technical advice.

    There are some technical considerations and best practices that impact our design. For example, xxx. This impacts the design of xxx. Meanwhile, the existing xxx also follows similar practices. I’m not able to share all the considerations in this thread and apologize for the confusion caused.

  • Greet new member join to discuss.

    Hi xxx, glad to talk with you. To provide some background, we’re working on the xxx.
    I recommend we sit down with Bob, who is the architect of xxx. I’ll brief him on the situation tomorrow and then set up a call with him so we can get the right design.
    Thank you very much, Alan. Looking forward to talking with you and Bob.

  • Sync the release plan with the other team. Call out any concern early so you don’t get blocked by the other team.

    Can you share the release plan for the xxx support? That would be very helpful for our planning. As for the coding experience, we currently would like to have xxx (technical details). If you have implemented the same scenario, please also share it with us.

  • Can you please articulate (state clearly) why specifically the xxx interface is not suitable for an xxx flow?
    Can you please articulate the release plans for the xxx, and point us to the design doc and/or code in progress if possible?

  • Please have a look at the docs and feel free to let us know if further meeting needed or we could close it offline.

  • I left a couple of additional comments for thought. I think we are really close now.

Project Transition

When you are in a product transition process with another team, communication counts. This process usually involves cross-team communication and is vital for your career reputation.

Farewell

Dear friends and colleagues,

As some of you know, I’m going to move on to a different role outside of <company-name>, and my last day is Friday, August 30th. I have been a fan of <company-name> since I was 22 years old, and I have enjoyed my job here since joining <company-name> 5 years ago. So this was a really hard decision for me this summer, but I think it is the best choice for my career goals and personal interests, or as it’s called, ‘follow my heart’.

5 years is not a short period in a person’s life, and how lucky I am to have joined this team and worked with you guys! It has really been an incredibly wonderful journey in my life: I learned and grew, enjoyed everything here, and made a lot of good friends. So thank you everyone, it’s been so great working with you!

It’s no goodbye but see you around, keep in touch!

Sincerely,
xxx

Hi,

Today is my last day working in <department-name>. I will soon start another role in <another-department-name>, to continue to explore the IoT territory.

The days and nights, smiles and tears we spent working on <project-A>, <project-B>, <project-C> and all the products are still vivid to me. I also witnessed the growth of <department-name>, which now has multiple charts there. I was so thrilled to be part of this team. Thanks to all of you!

Special thanks to Bob, my manager, who gave me a great deal of help and guidance during the past 3.5 years and shaped me into a good PM for the domain I worked in. I learned a lot from you and I am sure it will benefit my next endeavor.

I am still in the xxx domain, and our paths will cross and we will collaborate a lot in the near future. Looking forward to it.

Thanks,
xxx

Dear all,

As some of you may know, I am leaving <company-name> and today is my last working day.
I started my career at <company-name> back in Mar 2010, and it has been 10 years already. The days and nights, smiles and tears we have gone through along the way, from <project-A> to <project-B>, are still vivid to me. I felt so lucky when I got the offer from <company-name> in 2009, and I still feel the same today.

Special thanks to my manager Alen and all the SLTs, who gave me all the opportunities in <department-name>, supported me in the various decisions we made, and encouraged me to try something new. I’d like to say thank you to our PM team, especially Bob, as well. We have known each other for a long time and have worked together for several years. I really enjoyed working with you and your team on various projects over the years. And thanks to all my previous managers: Andrew, Eric, Tom and Mike. I could not have achieved so much without your help and guidance.

I also want to say THANK YOU to all my current and previous colleagues, and partner teams. It has been a great journey working with you over the years. It is a lifetime memory for me.

Mobile and Wechat: xxxxxxxxxxx
Personal mail: xxx@outlook.com
Linkedin: https://www.linkedin.com/in/xxx/

xxx
<department-name>

Hi friends,

Some of you may already know that I’ll be exploring new adventures outside <company-name> from next week. Today is my last day at <company-name>.

I joined <company-name> after graduation in 2016. It has been my pleasure to start my career path at such a big company with many creative products, and my fortune to work with so many talented teams and people. Thanks to Bob and the <department-name> leadership team for giving me the opportunity to work and improve myself in this comfortable environment.

Special thanks to my manager Alen, who gave me a lot of help and guidance in my career development, which will equip me for my whole career. A role model helps me lay out a career path that is realistic and practical. I believe my future career will benefit a lot from you.

Also thanks to my mentors A, B and C. We worked on different projects, and I learned a lot from you about how to face challenges and develop talent.

To my buddies in <project-A> (as well as the PM team), <project-B> and <project-C>, it was nice working with you. Thanks for the great moments we spent during and outside work.

Thanks <teammate-A> for the innovative and interesting ideas in all kinds of projects. I really enjoyed the creative projects we worked on together in the IoT area.

In the future, you can reach me via +86xxxxxxxxxxx (WeChat with the same mobile number). Let’s keep in touch.

With kindest regards!

xxx

Congratulations

  • Congratulations!
  • Congratulations to you!
  • Congrats to you!

Ask for Feedback

Hey Di,

The transition of the IoT extensions is mostly complete. Would you please share your feedback with me about the collaboration, communication, management, etc.? I really appreciate your thoughts, which will help me do better in future projects :)

Yan


Work methodology is hard to change because of inertia. Practice more to change it!

Presentation (Demo / Tech Sharing)

How to do presentation or tech sharing effectively?

  1. Who is your audience and what do they want to hear / what can they take away? Construct your material from the stakeholders’ angle. Learn what your audience is doing.
  2. Ask experts what they recommend.
  3. If you are doing an MVP demo, getting feedback is vital because that is your main goal. Through the demo you gather more points of view, so you can improve your product at an early stage.
  4. Rehearse before the presentation.

Turn a Bad Project into Shining Gold

The most vital thing is not how important or hard your task is. Of course a good project means you have more resources. But if it happens that your project is a poor one, what matters is how well you do it. Make it shine by:

  1. Doing it well.
  2. Communicating well between teams. Increase your cross-team impact.
  3. Empowering other teams with your “little” and “trivial” project.

Think More

DO NOT only finish the task you are told to do. That is just the baseline. Take a second to think more:

  1. Which part did I miss?
  2. Ask experts for feedback that can improve your methodology and point out aspects you missed for lack of industry experience.
  3. Focus on the “WHY” part of your task. Does it make sense to do things this way? Can we improve it?

Do Things THOROUGHLY

  1. After your task is done, take the initiative to do a demonstration inside or outside the team. It is a good chance to gather feedback on your product and expand your impact.

  2. Re-think the WHY part of the project. Can I improve anything?

  3. How did I finish this task? Score yourself on the performance. What can I learn from this task?

  4. Summarize and share.

  5. For example, if you write a tool for your team, you can do the following to make the task complete:

    • Place the code in a correct and compliant place where other team members can easily leverage it (e.g. the big team’s Azure DevOps org).
    • During development, keep stakeholders aware of the latest progress and your future action items. This also reminds them that you are contributing.
    • Write a README file or a tutorial / wiki for your tool so that later, when the project is transferred, it is easy to use.
    • Do a demo.
    • Write a project summary that records all the pitfalls you encountered.

Focus on the WHY part

Your boss literally does not care how technically hard your task is; it is the value of the task that he cares about. Have a clear idea of why your team is asking you to do the job you are currently working on. From your boss’s angle, what is the urgent problem he would like to resolve? Can you help with that?

Grow Sense of Ownership

Develop your ownership. Take the initiative to drive meetings / discussions about your project. Think more about your project. Your project is where you build your career reputation.

Cross-team Communication

  1. Drive the process. Don’t be passively pushed forward; you have to take the initiative.
  2. Mind not to distract readers in an email thread. Construct your email logically and mind the subtle details, or it might leave a bad impression on your boss, who is not very familiar with the facts.
  3. Communicate effectively.

Be Expert of What You Are Doing

Don’t just finish your task. Dig into the details of what you are doing. You have to be very familiar with the detailed implementation and all the subtle corner cases, because that ensures the quality of your work.

Tips for Career

  1. Gather feedback or compliments each time you co-work with others, especially cross-team. You can email the people describing the entire process and your thanks, and ask them for feedback to help you grow.