Connecting to an AKS Cluster Non-Interactively — Part 2


Before we talk about OAuth2, let’s have a look at the problem it solves. Imagine MyCoolApp wants to tell your Gmail contacts about itself. Without OAuth2, it would have to ask you for your Gmail username and password and then:

  1. POST your username and password to Google to get an authorization token.
  2. Use that token to fetch all your Gmail contacts.
  3. Email each of them about MyCoolApp.
  4. Forget your username and password afterwards, RIGHT?

In other words, you would be handing a third party full control of your account and trusting it to behave. With OAuth2 the app never sees your password, and you decide what it is allowed to access:

  1. You are signed in to MyCoolApp and you click the button to Tell your Gmail Contacts about MyCoolApp.
  2. A popup appears with the login screen for your Google Account. You confirm it really is Google by clicking the padlock and checking that the certificate was issued by a trusted certificate authority, then you enter your Gmail username and password and click Login.
  3. Now you are presented with a screen (in the same popup) listing the Google resources MyCoolApp wants access to. If you tick the box and accept, you are redirected back to a MyCoolApp API (the callback) with an Authorization Code in the URL.
  4. MyCoolApp now sends this code, along with its own Google Client ID and Client Secret, to Google to request an Access Token. The code is short-lived and single use, and redeeming it requires the client secret, so an attacker who sees it in the URL cannot do much with it.
  5. MyCoolApp then uses this access token to access your Gmail contacts.
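Here is an added example (not from the original article) that simulates the five steps above in Python: an in-process stand-in for Google’s authorization server and for MyCoolApp. The client ID, client secret, redirect URI, scope name and the contact list are all constructed for the demo, and nothing talks to the real Google API. It also shows the two checks that make the code in the callback URL safe to expose: the code is bound to the client and redirect URI and can be redeemed only once, and redeeming it needs the client secret.

```python
# Added example: an in-process simulation of the OAuth2 authorization-code
# flow described above. "google" and "mycoolapp" are stand-ins (assumed
# names), there is no network, and the contact list is constructed sample data.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CONTACTS = {"alice@example.com": ["bob@example.com", "carol@example.com"]}  # constructed
CALLBACK = "https://mycoolapp.example/callback"  # assumed redirect URI
SCOPE = "contacts.read"  # assumed scope name, not Google's real scope string


class AuthorizationServer:
    """Plays Google's role: logs the user in, asks for consent, issues codes,
    exchanges codes for access tokens and serves the contacts API."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> grant details; removed when redeemed
        self.tokens = {}   # access_token -> {"user", "scope"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, user, consent):
        """Steps 2-3: the user has logged in at the AS; return the redirect back
        to the client, carrying either a short-lived code or an error."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied"})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": scope, "expires": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: back-channel exchange. The client proves its identity with
        its secret; the code must be unused, unexpired and bound to this client."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed once
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid_grant")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}

    def contacts(self, access_token):
        """Step 5: the resource API checks the bearer token and its scope."""
        info = self.tokens.get(access_token)
        if info is None or SCOPE not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return list(CONTACTS[info["user"]])


def run_flow(consent=True):
    """Drive MyCoolApp's side of the flow. Returns the contacts it obtained and
    whether a replay of the same code was refused, or None if consent was denied."""
    google = AuthorizationServer()
    google.register_client("mycoolapp", "client-secret-demo", CALLBACK)
    # Steps 1-3 happen in the user's browser; the app never sees the password.
    redirect = google.authorize("mycoolapp", CALLBACK, SCOPE, "alice@example.com", consent)
    params = parse_qs(urlparse(redirect).query)
    if "code" not in params:
        return None
    code = params["code"][0]
    tok = google.token("mycoolapp", "client-secret-demo", code, CALLBACK)
    contacts = google.contacts(tok["access_token"])
    try:  # a leaked or replayed code is worthless once it has been redeemed
        google.token("mycoolapp", "client-secret-demo", code, CALLBACK)
        replay_refused = False
    except PermissionError:
        replay_refused = True
    return contacts, replay_refused


if __name__ == "__main__":
    print(run_flow())               # (['bob@example.com', 'carol@example.com'], True)
    print(run_flow(consent=False))  # None
```

Note that the only place the user’s password appears is inside the authorization server; MyCoolApp receives a code on the front channel and trades it for a token on the back channel, which is the whole point of the flow.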

OpenID Connect

So while OAuth2 is used for authorization, OpenID Connect (OIDC) is a layer built on top of OAuth2 that uses the same flows for authentication.

  1. MyCoolApp has a button to Log in with Google. The user clicks this button.
  2. The user is redirected to Google’s account login page, checks that it really is Google’s login page, and enters their Google username and password.
  3. Next they are shown a consent screen similar to the one before, but this time MyCoolApp is asking for access to read their profile. This usually covers information like first and last name, email address and perhaps date of birth.
  4. If they tick the box and accept, an Authorization Code is sent back to the MyCoolApp redirect URL, as before.
  5. MyCoolApp then exchanges this Authorization Code for an ID Token, which is encoded as a JWT (JSON Web Token). An access token is usually returned alongside it, but it is the ID token that carries the identity.
  6. The ID token contains statements about the user, called Claims: who issued the token, which application it was issued for, the user’s identifier and the profile details they consented to. MyCoolApp validates the token’s signature and claims and can then use it to identify the user of its application.

JSON Web Token (JWT)

In the last section we mentioned that the ID token is a JWT and that it contains a number of claims about a user. So let’s look at the makeup of a JWT. A JWT is three base64url-encoded segments separated by dots: a header naming the signing algorithm, a payload holding the claims, and a signature over the first two segments. The header and payload are encoded, not encrypted, so anyone can read the claims; only the signature tells you they came from the issuer and were not altered.

Microsoft identity platform

In the previous examples I used Google’s OAuth2 servers, but for Azure and AKS Microsoft has its own OAuth2 and OIDC implementation as part of the Microsoft identity platform (Azure Active Directory).



Adrian Hynes


Cloud Platform Architect. Opinions and articles on medium are my own.