Authentication and Security

OAuth 2.0 flow

oauth:
  provider: "Microsoft"
  authorizationUrl: "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
  tokenUrl: "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
  clientId: "{env:MS_CLIENT_ID}"
  clientSecret: "{env:MS_CLIENT_SECRET}"
  scopes:
    - "openid"
    - "profile"
    - "email"
    - "offline_access"
  redirectUri: "{baseUrl}/oauth/callback"

Webhook validation

webhookSecurity:
  # HMAC signature validation
  hmac:
    algorithm: "sha256"
    headerName: "X-Signature"
    secret: "{env:WEBHOOK_SECRET}"

  # IP whitelist
  ipWhitelist:
    - "52.31.0.0/16"
    - "185.166.0.0/16"

  # Rate limiting
  rateLimit:
    requests: 100
    window: 60  # seconds
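The three controls configured under webhookSecurity, as an added Python example (not part of this page or of the platform it documents): the HMAC check, the CIDR allowlist and the per-source rate limit. It assumes the X-Signature header carries the hex-encoded HMAC-SHA256 of the raw request body; the secret and the sample addresses are constructed stand-ins.

```python
import hashlib
import hmac
import ipaddress
from collections import deque

# Constructed stand-ins for {env:WEBHOOK_SECRET} and the configured values above.
WEBHOOK_SECRET = b"constructed-example-secret"
HEADER_NAME = "X-Signature"
IP_ALLOWLIST = [ipaddress.ip_network(c) for c in ("52.31.0.0/16", "185.166.0.0/16")]
RATE_LIMIT_REQUESTS, RATE_LIMIT_WINDOW = 100, 60  # requests per window (seconds)

def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded (the encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def ip_allowed(remote_addr: str) -> bool:
    """True only if the peer address lies inside one of the allowed CIDR ranges."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # malformed or spoofed header value: reject, never raise
        return False
    return any(addr in net for net in IP_ALLOWLIST)

class SlidingWindowLimiter:
    """Per-source limit: at most `limit` requests within the trailing `window` seconds."""
    def __init__(self, limit: int = RATE_LIMIT_REQUESTS, window: int = RATE_LIMIT_WINDOW):
        self.limit, self.window = limit, window
        self._hits = {}         # source key -> deque of request timestamps

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # forget hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def verify_webhook(remote_addr: str, headers: dict, raw_body: bytes,
                   limiter: SlidingWindowLimiter, now: float,
                   secret: bytes = WEBHOOK_SECRET) -> bool:
    """Cheap checks first (allowlist, rate limit), then the signature."""
    if not ip_allowed(remote_addr) or not limiter.allow(remote_addr, now):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = lowered.get(HEADER_NAME.lower(), "").strip().lower()
    if not presented:
        return False
    # Constant-time comparison, computed over the exact bytes received (not re-serialised JSON).
    return hmac.compare_digest(sign(raw_body, secret).encode(), presented.encode())
```

Pass `now` from the request clock in production; it is a parameter here so the window logic can be exercised deterministically.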

Best practices

| Rule | Description |
| --- | --- |
| Environment variables | Always keep credentials in environment variables, never in the configuration file itself |
| HMAC validation | Always validate webhook signatures before processing a payload |
| IP whitelist | Restrict access to known IP ranges |
| Rate limiting | Protect against DDoS and request floods |
| HTTPS | All communication over HTTPS |
| Token rotation | Rotate API keys regularly |