問題描述

https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups/tree/master/chapter1

我已經能夠成功地使用此示例代碼來進行 AAD 應用注冊.我很困惑為什么我們需要兩個單獨的應用程序注冊，一個用于前端，一個用于 API.我可以將其設置為使用一個應用程序嗎?如果是這樣，這種設置有什么缺點嗎?

I've been able to successfully use this example code to play with AAD app registrations. I'm confused as to why we need two separate app registrations, one for the front end, and one for the API. Could I just set this up to use one app? If so, is there a drawback to this setup?

謝謝

推薦答案

如果您愿意，可以這樣做，但一般不建議這樣做.原因有很多，但這里有一個簡單的示例:當授予應用程序權限時(通過應用程序權限或委托權限)，您應該遵循最小權限原則"；即只給應用程序足夠的權限，而不是更多.客戶端應用程序和 Web API 很可能需要不同的范圍/權限來完成他們需要做的工作，但使用相同的應用程序注冊意味著您將無法分離每個所需的范圍.

You can do that if you wish so, but in general it is not recommended. There are a number of reasons why, but here's a quick example: when granting permissions to an application (either via app permissions or delegated permissions), you should follow the "principle of least privilege" i.e. give just enough permissions to an application and not more. It is quite possible that a client app and a web API will require different scopes/permissions to do the work they need to do, but using the same app registration means that you won't be able to separate the scopes required for each.

類似的情況是您更關心 Web API 的保護而不是客戶端應用程序的保護.假設您為 Web API 使用證書，但對于您的客戶端應用程序只有一個客戶端密碼.同樣，在這種情況下，擁有單獨的應用注冊將允許您根據其安全需求自定義每個應用.

A similar case would be where you care more about the protection of your web API than your client app. Say, you use certificates for your web API but only a client secret would do for your client app. Again, in that case, having separate app registrations would allow you to customize each according to their security needs.

最后但同樣重要的是，假設您有多個客戶端應用程序(SPA、移動設備、桌面應用程序等)和一個 Web API，所有這些都在同一個應用程序注冊中.對于您的業務邏輯，也許您需要能夠區分請求來自哪個客戶端應用程序.盡管有多種方法可以通過單個應用注冊來實現這一點，但單獨注冊會更加輕松.

Last but not least, say you have multiple client apps (a SPA, a mobile, a desktop app etc.), and a single web API, all in the same app registration. For your business logic, perhaps you need to be able to distinguish from which client app the request comes from. Although there are ways to achieve this with a single app registration, again it is much more hassle free to have separate registrations.

這篇關于使用 MSAL 和 Angular 為什么需要兩個單獨的 AAD 應用注冊?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！