Authentication difference between using AAD app key and Service Principal Password

For an application running in Azure, I need to create an application in Azure AD together with a corresponding service principal. My application then authenticates against this App/Principal pair. To authenticate, I can either create an application key in the app registration or create a password on the service principal (among other options). What is the difference from a practical standpoint?

For example, this code runs (as far as the caller can tell) exactly the same whether $key is the application's key or the service principal's password:

    # $authKeyOrPassword holds either the app key or the service principal password
    $key = ConvertTo-SecureString $authKeyOrPassword -AsPlainText -Force
    # The application (client) ID is used as the user name in both cases
    $cred = New-Object System.Management.Automation.PSCredential($appID, $key)
    # Sign in to the tenant as the service principal
    Add-AzureRmAccount -Credential $cred -TenantId $tenantID -ServicePrincipal

When should I authenticate as the application, and when should I use the service principal?

First, let me explain why Azure AD has both an application and a service principal. This explanation comes from Vittorio Bertocci's Modern Authentication with Azure AD for Web Applications.

Azure AD defines a new entity, the Application, which is meant to describe an application as an abstract entity: a template, if you will. As a developer, you work with Applications. At deployment time a given Application object can be used as a blueprint to create a ServicePrincipal representing a concrete instance of an application in a directory. It’s that ServicePrincipal that is used to define what the app can actually do in that specific target directory, who can use it, what resources it has access to, and so on.

Bear with me just a little longer, the abstract part is almost over. The main way through which Azure AD creates a ServicePrincipal from an Application is consent. Here’s a simplified description of the flow: Say that you create an Application object in directory A, supplying all the protocol coordinates we’ve discussed so far in earlier chapters. Say that a user from tenant B navigates to the app’s pages and triggers an authentication flow. Azure AD authenticates the user from B against its home directory, B. In so doing, it sees that there is no ServicePrincipal for the app in B; hence, it prompts the user about whether he or she wants to consent for that app to have access to the directory B (you’ll see later in what capacity). If the user grants consent, Azure AD uses the Application object in A as a blueprint for creating a ServicePrincipal in B. Along with that, B records that the current user consented to the use of this application (expect lots of details on this later on). Once that’s done, the user receives a token for accessing the app.

If you want to know the difference between an Azure AD app key and a service principal password, you should first understand the relationship between an Application and a service principal. I will copy and paste some excerpts from this page of the documentation here:
  1. When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant: an application object, and a service principal object.

  2. Consider the application object as the global representation of your application for use across all tenants, and the service principal as the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

  3. An application object therefore has a 1:1 relationship with the software application, and a 1:many relationship with its corresponding service principal object(s). A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant.

Example diagram

Summary

Now we can see the difference between an Azure AD application key and a service principal password: they belong to different objects. The password is associated with the service principal, and it is only for signing in to Azure in the application's own tenant. With the app key value and the application ID, however, you can sign in as the application across all tenants.

For more details about application and service principal objects in Azure Active Directory, you can refer to this document.
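As an added example (not part of the original answer), the script below shows the two credential stores side by side: it lists the keys held on the application object and the passwords held on the tenant's service principal, then adds one secret to each, using the same AzureRM module family as the question's code. The $appID value is a placeholder, and the cmdlet parameter names (-ApplicationId, -ObjectId, -Password) are assumed from the AzureRM.Resources module.

```powershell
# Added example: which object does a given credential belong to?
# Assumes the AzureRM.Resources module and an already signed-in admin session.
$appID = "<application (client) id>"   # placeholder, not a real value

# 1. Credentials on the application object (the global template).
#    These are the "app keys" from the app registration blade.
Write-Host "Application object credentials:"
Get-AzureRmADAppCredential -ApplicationId $appID |
    Select-Object KeyId, Type, StartDate, EndDate

# 2. Credentials on the service principal (this tenant's local instance).
#    These are the "service principal passwords".
$sp = Get-AzureRmADServicePrincipal -ApplicationId $appID   # -ApplicationId assumed
Write-Host "Service principal credentials (object $($sp.Id)):"
Get-AzureRmADSpCredential -ObjectId $sp.Id |
    Select-Object KeyId, Type, StartDate, EndDate

# 3. Adding a secret to each object. Both secrets are accepted by
#    Add-AzureRmAccount -ServicePrincipal, but they live on different objects
#    and therefore show up in different inventories and expire independently.
$spSecret  = ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force
$appSecret = ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force
$expiry    = (Get-Date).AddMonths(6)

New-AzureRmADSpCredential  -ObjectId $sp.Id   -Password $spSecret  -EndDate $expiry
New-AzureRmADAppCredential -ApplicationId $appID -Password $appSecret -EndDate $expiry
```

Running steps 1 and 2 periodically is a cheap way to find stale secrets that were created on the application object and are missed when only the service principal is reviewed.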