Authentication difference between using AAD app key and Service Principal Password


Question


To run applications in Azure, I need to create an Application in Azure AD and a corresponding Service Principal. Then my application authenticates against this App/Principal pair. To authenticate, I can create an application key in the App registration, or I can create a password in the Service Principal (among other options). What's the difference from a practical standpoint?


For example, this code runs exactly the same (from the outside) whether the $key is the App's key or the Service Principal's password:

    # Secret value: either the App registration key or the Service Principal password
    $key = ConvertTo-SecureString $authKeyOrPassword -AsPlainText -Force
    # The application (client) ID is used as the "user name" in both cases
    $cred = New-Object System.Management.Automation.PSCredential($appID, $key)
    Add-AzureRmAccount -Credential $cred -TenantId $tenantID -ServicePrincipal


When should I authenticate against the App, and when should I use the Service Principal?

Accepted answer


First, let me explain why it has both Applications and service principals in Azure AD. Here is the explanation from Modern Authentication with Azure AD for Web Applications by Vittorio Bertocci.


Azure AD defines a new entity, the Application, which is meant to describe an application as an abstract entity: a template, if you will. As a developer, you work with Applications. At deployment time a given Application object can be used as a blueprint to create a ServicePrincipal representing a concrete instance of an application in a directory. It’s that ServicePrincipal that is used to define what the app can actually do in that specific target directory, who can use it, what resources it has access to, and so on.


Bear with me just a little longer, the abstract part is almost over. The main way through which Azure AD creates a ServicePrincipal from an Application is consent. Here’s a simplified description of the flow: Say that you create an Application object in directory A, supplying all the protocol coordinates we’ve discussed so far in earlier chapters. Say that a user from tenant B navigates to the app’s pages and triggers an authentication flow. Azure AD authenticates the user from B against its home directory, B. In so doing, it sees that there is no ServicePrincipal for the app in B; hence, it prompts the user about whether he or she wants to consent for that app to have access to the directory B (you’ll see later in what capacity). If the user grants consent, Azure AD uses the Application object in A as a blueprint for creating a ServicePrincipal in B. Along with that, B records that the current user consented to the use of this application (expect lots of details on this later on). Once that’s done, the user receives a token for accessing the app.


If you want to know the difference between the Azure AD App key and the service principal password, you'd better know the relationship between an Application and a service principal. I will copy & paste here some extracts from this page of the documentation:

When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant: an application object and a service principal object.


  • Consider the application object as the global representation of your application for use across all tenants, and the service principal as the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.


  • An application object therefore has a 1:1 relationship with the software application, and a 1:many relationship with its corresponding service principal object(s). A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant.

  • Example diagram (image not included in this copy)

Summary


Now we can see the difference between the Azure AD App key and the service principal password. They belong to different objects. The password is associated with the service principal. This is just for the application's tenant to log in to Azure. However, you can provide the App key value with the application ID to log in as the application with all tenants.


To see more details about Application and service principal objects in Azure Active Directory, you can refer to this document.
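The following is an added example, not code from the question or the answer: it uses the AzureRM cmdlets to list the credentials stored on the application object and on the service principal object separately, so the two credential stores the answer distinguishes can be compared and audited for expired or long-lived secrets. It assumes `$appID` holds the application (client) ID as in the question, an existing `Add-AzureRmAccount` session with permission to read directory objects, and that the service principal can be looked up by its application ID through `-ServicePrincipalName` (an assumption about the AzureRM parameter set).

```powershell
# Added example (not from the original post). Assumes an existing AzureRM session
# with permission to read Azure AD objects, and $appID set to the application ID.

# The application object: the tenant-independent template.
$app = Get-AzureRmADApplication -ApplicationId $appID

# The service principal: the local instance of that application in this tenant.
# Assumption: the SP is looked up by its application ID via -ServicePrincipalName.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appID

# Credentials ("keys") attached to the application object.
$appCreds = Get-AzureRmADAppCredential -ApplicationId $appID

# Credentials ("passwords") attached to the service principal object.
$spCreds = Get-AzureRmADSpCredential -ObjectId $sp.Id

# Same client ID, but two different object IDs: the secrets live in different places.
"Application (client) id:     $appID"
"Application object id:       $($app.ObjectId)"
"Service principal object id: $($sp.Id)"

# Print each credential with its expiry so stale or very long-lived secrets stand out.
function Show-Credentials($label, $creds) {
    "$label`: $(@($creds).Count) credential(s)"
    foreach ($c in @($creds)) {
        $daysLeft = [int]($c.EndDate - (Get-Date)).TotalDays
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                 elseif ($daysLeft -gt 365) { 'long-lived' }
                 else { 'ok' }
        "  {0}  {1}  ends {2:u}  ({3} days left, {4})" -f $c.KeyId, $c.Type, $c.EndDate, $daysLeft, $state
    }
}

Show-Credentials 'App object keys'             $appCreds
Show-Credentials 'Service principal passwords' $spCreds
```

A secret created with New-AzureRmADAppCredential appears only in the first list and one created with New-AzureRmADSpCredential only in the second, which is the separation the answer describes; either one will satisfy the Add-AzureRmAccount call shown in the question.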
