What is the exact difference between native app and web app in Azure Active Directory


Question


When we register an application in Azure Active Directory to use the Graph API, I see there are two types of application: Web application and Native application.


While creating a web application, two values are requested: 1. Sign-on URL and 2. App ID URL. What is the use of these values? Do we require a real-world URL, or is just https://localhost:randomePort enough?


On the other hand, while creating a Native application, I can see only one required value, 'Redirect URL'.


I can obtain an access token for a web application using a REST call:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/token

grant_type      client_credentials
client_id       (the client ID of the calling service application in the AD)
client_secret   (the key configured in the calling service application in the AD)
resource        https://graph.windows.net

But how can I obtain an access token for a native application using such a REST call, since there is no client secret for a native app?


Coming to permissions, for the native app I can see only the delegated permissions option available, while for the web app I can see the application permissions option as well as the delegated permissions option.


One more thing: the REST call example above authenticates the application. How can I authenticate a user using his credentials via a REST call?

Answer


Native applications are public clients in OAuth2 parlance. Those apps are meant to run on a device and aren't trusted to maintain a secret - hence, their entry in the directory does not have the corresponding property. Without a secret, there is no way to assert the identity of the app - hence such apps cannot gain app-level permissions, and the portal UX reflects that. Conversely, web apps are, again in OAuth2 parlance, confidential clients. They can get delegated tokens for their users, but they can also use client credentials to get tokens as themselves. Native apps can obtain tokens for the user via the OAuth2 authorization grant. You can find a complete overview of all supported topologies at https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/. Each scenario description points to more implementation-oriented guidance.
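To make the public-vs-confidential distinction in the answer concrete, here is an added example (not code from the answerer or from Microsoft) that builds the token-request bodies for both app types and models the token endpoint's policy: a client_credentials grant is honoured only for a confidential client that proves its secret, while a native app can only obtain a delegated token through the authorization-code grant. Client IDs, secrets, redirect URIs and the authorization code are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/<tenant-id>/oauth2/token"

@dataclass(frozen=True)
class AppRegistration:
    client_id: str
    client_type: str               # "web" = confidential client, "native" = public client
    client_secret: Optional[str]   # None for native apps: the directory entry has no secret
    redirect_uris: Tuple[str, ...]

# Constructed sample registrations with placeholder values (not real Azure AD IDs).
WEB_APP = AppRegistration("web-app-client-id", "web", "web-app-key", ("https://localhost:44300/",))
NATIVE_APP = AppRegistration("native-app-client-id", "native", None, ("https://localhost:12345/",))

def build_token_request(app, grant_type, resource="https://graph.windows.net", code=None):
    """Form body a client would POST to TOKEN_ENDPOINT for the given grant."""
    body = {"grant_type": grant_type, "client_id": app.client_id, "resource": resource}
    if grant_type == "client_credentials":
        body["client_secret"] = app.client_secret or ""   # a native app has nothing to send here
    elif grant_type == "authorization_code":
        body["code"] = code or ""
        body["redirect_uri"] = app.redirect_uris[0]
        if app.client_secret:            # confidential clients also prove themselves here
            body["client_secret"] = app.client_secret
    return body

def evaluate_token_request(app, body):
    """Simplified token-endpoint policy: returns (outcome, permission kind or error)."""
    grant = body.get("grant_type")
    if grant == "client_credentials":
        # Application permissions require an asserted app identity, i.e. a secret.
        if app.client_type != "web" or not app.client_secret:
            return ("error", "unauthorized_client: public client cannot assert its identity")
        if body.get("client_secret") != app.client_secret:
            return ("error", "invalid_client")
        return ("ok", "application")
    if grant == "authorization_code":
        if body.get("redirect_uri") not in app.redirect_uris:
            return ("error", "invalid_request: redirect_uri not registered")
        if app.client_secret and body.get("client_secret") != app.client_secret:
            return ("error", "invalid_client")
        if not body.get("code"):
            return ("error", "invalid_grant: missing code")
        return ("ok", "delegated")   # token issued on behalf of the signed-in user
    return ("error", "unsupported_grant_type")

if __name__ == "__main__":
    for app, grant in ((WEB_APP, "client_credentials"), (NATIVE_APP, "client_credentials"),
                       (NATIVE_APP, "authorization_code")):
        body = build_token_request(app, grant, code="constructed-auth-code")
        print(app.client_type, grant, "->", evaluate_token_request(app, body), "|", urlencode(body))
```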
