Azure Active Directory 应用程序注册如何建立信任?
[英]How does an Azure Active Directory app registration establish trust?
问题描述
The Microsoft docs state: 
微软文档state:
Registering your application establishes a trust relationship between your app and the Microsoft identity platform.
What exactly is meant by "trust" here and how does the app registration establish said trust?这里的“信任”到底是什么意思,应用程序注册如何建立这种信任?
The way I understand it the registration basically makes the app known to the AD, but how does that make the AD, the app is redirecting to for interactive logins, more trust-worthy to the app?我理解注册的方式基本上让 AD 知道该应用程序,但是这如何使 AD(应用程序重定向到交互式登录)更值得应用程序信任? Couldn't a malicious AD just pretend to know any app that's using it for logins?难道恶意广告就不能假装知道任何使用它进行登录的应用程序吗? Wouldn't it need some kind of shared secret to assure the app that the AD really is the AD?难道不需要某种共享秘密来向应用程序保证广告确实是广告吗? And isn't HTTPS establishing that trust already? HTTPS 不是已经建立了这种信任吗?
It makes more sense to me the other way around: the AD receives a login request along with a redirect URI set by the app.反过来对我来说更有意义:AD 收到登录请求以及应用程序设置的重定向 URI。 But if the redirect URI is not known to the AD then the request is not trust-worthy and will be rejected.但是,如果 AD 不知道重定向 URI,则该请求不可信,将被拒绝。
I'm probably misunderstanding something, so could someone please explain the idea behind this?我可能误解了什么,所以有人可以解释一下这背后的想法吗?
1 个解决方案
解决方案1
1 2023-01-23 16:53:05
In authentication world trust is a complicated word.在认证世界中,信任是一个复杂的词。 In my opinion, the easiest way to approach this thing is taking the Google Sign-In -button as an example.在我看来,处理这件事最简单的方法是以Google 登录按钮为例。 You can use it to log in with your Google account on almost every website out there.您可以使用它在几乎所有网站上使用您的 Google 帐户登录。 Does this mean Google trusts every website out there using it?这是否意味着谷歌信任所有使用它的网站? No, of course not.不,当然不是。 Do those websites trust Google?这些网站信任谷歌吗? Sure they do, they have no visibility if Google returns the correct information about the users to them.他们当然知道,如果谷歌向他们返回有关用户的正确信息,他们就看不到了。
The case is very similar here as in most cases you will be using the same protocol to implement it (OAuth2 OIDC).这里的情况非常相似,因为在大多数情况下,您将使用相同的协议来实现它 (OAuth2 OIDC)。
You are correct, you need to configure secrets & returnUrls to make sure that the App Registration is not used for malicious purposes, however, this does not create trust between the identity provider and the application.您是对的,您需要配置 secrets 和 returnUrls 以确保 App Registration 不被用于恶意目的,但是,这不会在身份提供者和应用程序之间建立信任。 It's just technical measures to protect the client.这只是保护客户的技术措施。
However, you can of course trust the application if you want to.但是,如果您愿意,您当然可以信任该应用程序。 The most common way is to grant it access to scopes so the application can do actions on behalf of the user.最常见的方法是授予它访问范围的权限,以便应用程序可以代表用户执行操作。 Usually this is done by those consent screens you probably know ("grant access to your email and phone number").通常这是通过您可能知道的那些同意屏幕完成的(“授予对您的 email 和电话号码的访问权限”)。 In enterprise setting, they are often omitted and access is granted with admin constent .在企业环境中,它们通常被省略,访问权限被授予admin content 。
TL;DR;长话短说;博士; There is no inherit trust just because there is an App Registration, however you can trust an app to access user data.没有继承信任仅仅因为有一个应用程序注册,但是你可以信任一个应用程序来访问用户数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.