Azure Delegated and Application permission precedence


Question


I've created a sample web application calling a Web API and using the OAuth code grant flow against Azure AD. The application is registered in Azure AD, and I have given the required permissions as well through the Azure portal. Everything seems to be working as expected.

There are two kinds of permissions to choose from:

  • Delegated Permission

  • Application Permission


Is it recommended to use a mixed kind of permission set (App + Delegated) for your application?


If I give a similar kind of permission to my API on both Delegated and Application, which permission set will take precedence? Will it depend on the OAuth flow, e.g. Code Grant or Implicit?


In my code, how can I differentiate these permission sets while accessing the same resource? I want to call on the user context only, even if the same type of application permission is already there.

Recommended Answer


Application Permissions and Delegated Permissions are completely independent of one another.


Application Permissions apply when you follow the Client Credential Flow (also known as App Only Flow). When you follow this flow, AAD will try to grant permissions to the client application based on the Application Permissions it has predefined in the app registration. These permissions will appear in an App Only Token in the role claim.


In nearly every other flow where a user is involved (On-Behalf-Of, Authorization Code Grant Flow, Implicit Grant Flow, etc.), AAD will try to grant permissions to the client based on the Delegated Permissions it has predefined. These permissions will appear in App+User tokens in the scp (scope) claim.


You can control the kinds of permissions your app is granted by adjusting the authentication method when getting an access token to a resource.
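The asker's last question was how the API itself can tell the two token kinds apart and accept only the user-context one. The answer's distinction (app-only tokens carry application permissions in a roles claim, app+user tokens carry delegated permissions in the scp claim) translates directly into an authorization check on the resource side. The following is an added example, not code from the original question or answer; it assumes the claim names `roles` and `scp` as Azure AD emits them, a hypothetical API audience `api://example-api`, and constructed, unsigned sample tokens. It deliberately parses only the payload: a real API must validate the signature, issuer, audience and expiry before trusting any claim.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Payload-only parsing for illustration: signature, issuer, audience and
    expiry validation (e.g. via a JWKS-backed library) must happen first in
    a real API, otherwise these claims are attacker-controlled.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """Classify an Azure AD access token.

    App+User tokens (delegated permissions) carry an `scp` claim with
    space-separated scopes; App Only tokens (application permissions,
    client credential flow) carry a `roles` claim and no `scp`.
    """
    if claims.get("scp"):
        return "app+user"
    if claims.get("roles"):
        return "app-only"
    return "unknown"


def authorize(claims: dict, required_scope: str, required_role: str,
              allow_app_only: bool) -> bool:
    """Decide whether the caller may access the resource.

    Delegated and application permissions are checked independently, which
    mirrors the answer: neither set takes precedence, the token kind simply
    determines which claim is consulted. Setting allow_app_only=False gives
    the asker's desired behaviour of accepting user context only.
    """
    kind = token_kind(claims)
    if kind == "app+user":
        return required_scope in claims["scp"].split()
    if kind == "app-only":
        return allow_app_only and required_role in claims["roles"]
    return False


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (alg=none, empty signature)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens (hypothetical audience and identities).
APP_USER_TOKEN = make_unsigned_token({
    "aud": "api://example-api",
    "upn": "alice@contoso.example",
    "scp": "Mail.Read User.Read",
})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "api://example-api",
    "roles": ["Mail.Read.All"],
})


if __name__ == "__main__":
    for label, tok in (("user token", APP_USER_TOKEN), ("app token", APP_ONLY_TOKEN)):
        claims = decode_claims(tok)
        print(label, token_kind(claims),
              "user-only policy ->", authorize(claims, "Mail.Read", "Mail.Read.All", False),
              "mixed policy ->", authorize(claims, "Mail.Read", "Mail.Read.All", True))
```

The check keys on which claim is present rather than on the OAuth flow the client used, because the API never sees the flow, only the resulting token. If the API must refuse application permissions entirely, the safest configuration is to not define any app roles for it in the app registration at all, so that no app-only token with a usable `roles` claim can be issued in the first place.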
