Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Continuous access evaluation for the provider #306

Open
7 tasks
eduardodfmex opened this issue May 22, 2024 · 0 comments
Open
7 tasks

Continuous access evaluation for the provider #306

eduardodfmex opened this issue May 22, 2024 · 0 comments
Assignees
@mawasile
Labels
enhancement New feature or request resource terraform resource security
Milestone
Preview 2

Comments

@eduardodfmex
Copy link
Contributor

eduardodfmex commented May 22, 2024
edited
Loading

Description

Continuous access evaluation

Token expiration and refresh are a standard mechanism in the industry. When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, access tokens are valid for one hour, when they expire the client is redirected to Microsoft Entra to refresh them. That refresh period provides an opportunity to reevaluate policies for user access. For example: we might choose not to refresh the token because of a Conditional Access policy, or because the user is disabled in the directory.

The mechanism for this conversation is continuous access evaluation (CAE), an industry standard based on Open ID Continuous Access Evaluation Profile (CAEP). The goal for critical event evaluation is for response to be near real time, but latency of up to 15 minutes might be observed because of event propagation time; however, IP locations policy enforcement is instant.

To prepare your applications to use CAE, see How to use Continuous Access Evaluation enabled APIs in your applications.

Authentication improvement

Key benefits

  • User termination or password change/reset: User session revocation is enforced in near real time.

  • Network location change: Conditional Access location policies are enforced in near real time.

  • Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.

Note

This could be an Entra configuration if that is the case we can create the documentation that apply for the provider.

Definition of Done

  • Auth Implementation
  • Unit Tests for Happy Path (if apply)
  • Unit Tests for error path (if apply)
  • Acceptance Tests (if apply)
  • Example in the /examples folder
  • Schema Documentation in code
  • Updated auto-generated provider docs with make docs

Contributions

Do you plan to raise a PR to address this issue? YES / NO?

See the contributing guide for more information about what's expected for contributions.
@eduardodfmex eduardodfmex added enhancement New feature or request resource terraform resource labels May 22, 2024
@mattdot mattdot added this to the Preview 2 milestone Jul 16, 2024
@mattdot mattdot changed the title Evaluate - Continuous access evaluation for the provider Continuous access evaluation for the provider Jul 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mawasile mawasile

Labels
enhancement New feature or request resource terraform resource security
Projects
None yet
Milestone
Preview 2
Development

No branches or pull requests
3 participants
@mattdot @eduardodfmex @mawasile