問題描述

https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups/tree/master/chapter1

我已經(jīng)能夠成功地使用此示例代碼來進(jìn)行 AAD 應(yīng)用注冊.我很困惑為什么我們需要兩個單獨(dú)的應(yīng)用程序注冊，一個用于前端，一個用于 API.我可以將其設(shè)置為使用一個應(yīng)用程序嗎?如果是這樣，這種設(shè)置有什么缺點(diǎn)嗎?

I've been able to successfully use this example code to play with AAD app registrations. I'm confused as to why we need two separate app registrations, one for the front end, and one for the API. Could I just set this up to use one app? If so, is there a drawback to this setup?

謝謝

推薦答案

如果您愿意，可以這樣做，但一般不建議這樣做.原因有很多，但這里有一個簡單的示例:當(dāng)授予應(yīng)用程序權(quán)限時(通過應(yīng)用程序權(quán)限或委托權(quán)限)，您應(yīng)該遵循最小權(quán)限原則"；即只給應(yīng)用程序足夠的權(quán)限，而不是更多.客戶端應(yīng)用程序和 Web API 很可能需要不同的范圍/權(quán)限來完成他們需要做的工作，但使用相同的應(yīng)用程序注冊意味著您將無法分離每個所需的范圍.

You can do that if you wish so, but in general it is not recommended. There are a number of reasons why, but here's a quick example: when granting permissions to an application (either via app permissions or delegated permissions), you should follow the "principle of least privilege" i.e. give just enough permissions to an application and not more. It is quite possible that a client app and a web API will require different scopes/permissions to do the work they need to do, but using the same app registration means that you won't be able to separate the scopes required for each.

類似的情況是您更關(guān)心 Web API 的保護(hù)而不是客戶端應(yīng)用程序的保護(hù).假設(shè)您為 Web API 使用證書，但對于您的客戶端應(yīng)用程序只有一個客戶端密碼.同樣，在這種情況下，擁有單獨(dú)的應(yīng)用注冊將允許您根據(jù)其安全需求自定義每個應(yīng)用.

A similar case would be where you care more about the protection of your web API than your client app. Say, you use certificates for your web API but only a client secret would do for your client app. Again, in that case, having separate app registrations would allow you to customize each according to their security needs.

最后但同樣重要的是，假設(shè)您有多個客戶端應(yīng)用程序(SPA、移動設(shè)備、桌面應(yīng)用程序等)和一個 Web API，所有這些都在同一個應(yīng)用程序注冊中.對于您的業(yè)務(wù)邏輯，也許您需要能夠區(qū)分請求來自哪個客戶端應(yīng)用程序.盡管有多種方法可以通過單個應(yīng)用注冊來實(shí)現(xiàn)這一點(diǎn)，但單獨(dú)注冊會更加輕松.

Last but not least, say you have multiple client apps (a SPA, a mobile, a desktop app etc.), and a single web API, all in the same app registration. For your business logic, perhaps you need to be able to distinguish from which client app the request comes from. Although there are ways to achieve this with a single app registration, again it is much more hassle free to have separate registrations.

這篇關(guān)于使用 MSAL 和 Angular 為什么需要兩個單獨(dú)的 AAD 應(yīng)用注冊?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！