问题描述
https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups/tree/master/chapter1
我已经能够成功地使用此示例代码来进行 AAD 应用注册.我很困惑为什么我们需要两个单独的应用程序注册,一个用于前端,一个用于 API.我可以将其设置为使用一个应用程序吗?如果是这样,这种设置有什么缺点吗?
I've been able to successfully use this example code to play with AAD app registrations. I'm confused as to why we need two separate app registrations, one for the front end, and one for the API. Could I just set this up to use one app? If so, is there a drawback to this setup?
谢谢
推荐答案
如果您愿意,可以这样做,但一般不建议这样做.原因有很多,但这里有一个简单的示例:当授予应用程序权限时(通过应用程序权限或委托权限),您应该遵循最小权限原则";即只给应用程序足够的权限,而不是更多.客户端应用程序和 Web API 很可能需要不同的范围/权限来完成他们需要做的工作,但使用相同的应用程序注册意味着您将无法分离每个所需的范围.
You can do that if you wish so, but in general it is not recommended. There are a number of reasons why, but here's a quick example: when granting permissions to an application (either via app permissions or delegated permissions), you should follow the "principle of least privilege" i.e. give just enough permissions to an application and not more. It is quite possible that a client app and a web API will require different scopes/permissions to do the work they need to do, but using the same app registration means that you won't be able to separate the scopes required for each.
类似的情况是您更关心 Web API 的保护而不是客户端应用程序的保护.假设您为 Web API 使用证书,但对于您的客户端应用程序只有一个客户端密码.同样,在这种情况下,拥有单独的应用注册将允许您根据其安全需求自定义每个应用.
A similar case would be where you care more about the protection of your web API than your client app. Say, you use certificates for your web API but only a client secret would do for your client app. Again, in that case, having separate app registrations would allow you to customize each according to their security needs.
最后但同样重要的是,假设您有多个客户端应用程序(SPA、移动设备、桌面应用程序等)和一个 Web API,所有这些都在同一个应用程序注册中.对于您的业务逻辑,也许您需要能够区分请求来自哪个客户端应用程序.尽管有多种方法可以通过单个应用注册来实现这一点,但单独注册会更加轻松.
Last but not least, say you have multiple client apps (a SPA, a mobile, a desktop app etc.), and a single web API, all in the same app registration. For your business logic, perhaps you need to be able to distinguish from which client app the request comes from. Although there are ways to achieve this with a single app registration, again it is much more hassle free to have separate registrations.
这篇关于使用 MSAL 和 Angular 为什么需要两个单独的 AAD 应用注册?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!