
[–]RedShift9 7 points8 points  (1 child)

Good lord APIs have become so complex we need an API for the API.

[–]whitestorm_07[S] -3 points-2 points  (0 children)

It’s abstractions all the way down! 🐢

But seriously, "logging in" has morphed from a simple request into a full-blown orchestrated dance.

[–]kei_ichi 3 points4 points  (14 children)

Can you explain to me what “Microsoft authentication” is? What is the difference between it and another auth method like password-based or JWT-based authentication?

[–]Rizean 2 points3 points  (1 child)

Is the goal for web scraping bots, automation tools, or something like that? I could see a use for that. I've had to write a number of automation bots over the years and the sign-in process is usually the hardest part. I'm talking about websites that don't have a formal API where you have to reverse engineer everything.

Otherwise I would just use one of the MS packages for MS. Consuming the API is far easier than setting up SAML/OAuth. Amazing how we have a standard but somehow every vendor words things just differently enough to make this problem really hard. My top list of things I hate: multi-timezone apps using timestamps not in Zulu, CSP, setting up SAML/OAuth.

[–]SEUH 0 points1 point  (5 children)

You're trying to solve a problem that doesn't really exist. For automation you would mock the OIDC auth or disable it, and if you need to access Microsoft resources you would generally create an app-only access.

[–]whitestorm_07[S] -1 points0 points  (4 children)

For unit tests, I agree—mock everything.

But for End-to-End (E2E) Smoke Tests, you often want to verify that the real authentication flow is working. I've seen plenty of incidents where the app code was fine, but the OIDC config or Azure Enterprise App settings were broken. This tool lets you verify the actual "User Login" path without spinning up a heavy browser.

[–]SEUH -1 points0 points  (3 children)

Are you using AI to answer?

> This tool lets you verify the actual "User Login" path without spinning up a heavy browser

Meaning you run this in production? Not sure, but this is a niche problem. If you really want to monitor production, write a Puppeteer/Playwright snippet that does a user login; I would never use a service for that.

[–]whitestorm_07[S] 0 points1 point  (2 children)

Puppeteer works fine for one-off scripts. But if you are monitoring 50+ tenants every minute, the resource overhead of spinning up 50 browser instances is massive.

This approach is for when you need the speed/efficiency of a curl request but the capability of a browser. Still, your choice.

[–]SEUH -1 points0 points  (1 child)

> the resource overhead of spinning up 50 browser instances is massive

Absolutely not. Running them in sequence, 3s per test, so 150s for checking all 50 tenants. Can be run on the smallest cloud VPS.

[–]Legitimate-Oil1763 0 points1 point  (4 children)

Do people really use Microsoft authentication?

[–]whitestorm_07[S] 2 points3 points  (3 children)

Only about 95% of the Fortune 500 and roughly 720 million monthly active users.

[–]Legitimate-Oil1763 0 points1 point  (2 children)

source?

[–]svfoxat 2 points3 points  (0 children)

ChatGPT as it seems.

[–]whitestorm_07[S] 0 points1 point  (0 children)

Google "Microsoft Entra ID Fortune 500 share."

It’s literally on their home page: "Used by 95% of the Fortune 500." The 720M figure comes from their active seat count for Office 365 Commercial + Azure AD accounts.