AAD token: Why does aud sometimes show the app id, and sometimes the app url?


Problem description


I'm using adal.js for my website for AAD authentication. After decoding the AAD token, the aud looks different: it's the app id in AAD. However, when I try to understand how AAD works in different scenarios, almost all the documentation's examples of AAD tokens show aud as the resource url, like http://contoso.com/.


Based on my understanding, aud means what this token is issued for. There's no restriction on what it should actually be.


Why can it be the app id sometimes and a url at other times? Why not the app id all the time or the url all the time?


Could someone help by sharing some thoughts?

Thanks.

Recommended answer


ADAL.JS deals with 2 types of tokens: id_token and access_token. id_token represents the identity of the user who has signed in within your application. Very roughly, it contains just 2 pieces - the ID of the user who provided the credentials and the ID of the application which acquired the token. In the case of id_token the value of aud is a Guid and corresponds to the AppId of the application that acquired the token. From the OAUTH v2 point of view this is the same application which contains the resources the user wants to access.


Speaking of access_token - it represents not only those 2 mentioned above, the user and the acquiring application, but also an application with a set of resources the user is intended to access. This 2nd application, represented by the aud claim, in the majority of cases will be a Uri which represents the Service Principal Name (or App ID Uri or IdentifierUri) - all of those are synonyms. This value is a way to point from a Client AAD App to a Server AAD App - the one containing the protected resources.


So, ADAL.JS first asks for the user's credentials and acquires an id_token, and then it sends an additional request to the AAD endpoint to get an access_token. If you look into both of those tokens you will see different kinds of values in the aud claim, as explained above.


It is also possible to have a Guid in the aud claim for access_tokens - that Guid will correspond to the AppId of the resource application, so, if you have code which parses the value, it must be ready to process not only Uris but also Guids.
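Added here to illustrate that last point (this is not code from the original answer or from ADAL.JS): a resource-side audience check that accepts both the GUID and the App ID URI forms of the resource's identifier, and rejects an id_token whose aud is the client app. The GUIDs and user id are constructed placeholders; signature verification is assumed to happen before this check runs.

```javascript
// Added example: audience check for AAD tokens whose aud may be an AppId GUID or an
// App ID URI. GUIDs and the user id below are constructed placeholders, not real apps.
const b64url = {
  decode: (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'),
  encode: (s) => Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
};

// Decode the payload of a compact JWS. This does NOT verify the signature; the aud
// check below is only meaningful once signature verification has already passed.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64url.decode(parts[1]));
}

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Canonical form for comparison: GUIDs are case-insensitive, so lower-case them;
// URIs (App ID URI / IdentifierUri) are compared as exact strings.
function canonicalAudience(value) {
  const v = String(value).trim();
  return GUID_RE.test(v) ? v.toLowerCase() : v;
}

// aud may be a single string or (per RFC 7519) an array; accept the token only if
// one of its audiences is an identifier registered for THIS resource.
function audienceMatches(payload, acceptedIdentifiers) {
  if (payload.aud === undefined || payload.aud === null) return false;
  const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const accepted = new Set(acceptedIdentifiers.map(canonicalAudience));
  return auds.some((a) => accepted.has(canonicalAudience(a)));
}

// Constructed samples mirroring the answer: an id_token whose aud is the client app's
// GUID, and an access_token whose aud is the resource's App ID URI.
const CLIENT_APP_ID = '11111111-2222-3333-4444-555555555555';       // placeholder
const RESOURCE_APP_ID = '66666666-7777-8888-9999-aaaaaaaaaaaa';     // placeholder
const RESOURCE_APP_ID_URI = 'http://contoso.com/';                  // from the question

function makeSampleJwt(payload) {
  const header = b64url.encode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${b64url.encode(JSON.stringify(payload))}.signature-placeholder`;
}

const SAMPLE_ID_TOKEN = makeSampleJwt({ aud: CLIENT_APP_ID, sub: 'user-placeholder' });
const SAMPLE_ACCESS_TOKEN = makeSampleJwt({ aud: RESOURCE_APP_ID_URI, sub: 'user-placeholder' });

// A resource API accepts either form of its own identifier; an id_token minted for the
// client app does not match, because its aud is the client, not the resource.
const RESOURCE_ACCEPTED = [RESOURCE_APP_ID, RESOURCE_APP_ID_URI];
function isForResource(jwt) { return audienceMatches(decodePayload(jwt), RESOURCE_ACCEPTED); }
```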
