In Azure, why is an AuthClientId also called an Application Id?

荒凉一梦 submitted on 2020-01-14 07:05:06

Question


I am finding Application Registrations in Azure very confusing. In my question here AuthClientId and Application Id turned out to be the same thing, so why are two names being used?

What is the logic behind this choice of naming?

[Update]

From Joy's link to the glossary I see

application id (client id)

"The unique identifier Azure AD issues to an application registration that identifies a specific application and the associated configurations. This application id (client id) is used when performing authentication requests and is provided to the authentication libraries in development time."

I see that Client Id links to a page at ietf.org Which states

"2.2. Client Identifier

The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided by the client."

I guess the metaphor is all about the supplier, customer, product relationship, where the supplier is Active Directory, the product is authentication and the customer is an application registration.

It is the concept of an "application registration" as a customer that I am having trouble getting used to. I seek help understanding the choice of words.

The idea of a multi-tenant application does not really work with the "client" metaphor.

[Update] This link is the most helpful yet and the most authoritative. Copying from the link:

1.1. Roles

OAuth defines four roles:

resource owner An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.

resource server The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

client An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).

authorization server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

The interaction between the authorization server and resource server is beyond the scope of this specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

However it is still confusing.

"An application making protected resource requests on behalf of the resource owner and with its authorization "

What does it mean by "making a protected resource request on behalf of the resource owner"?

[Update]

After studying Wayne Yang's answer I found this picture at Slack's oauth page


Answer 1:


why is an AuthClientId also called an Application Id?

Client Id is the standard definition in the OAuth 2.0 protocol. It's actually an application too. Application Id is just another name in the Azure Portal.

This name is closer to the meaning of the application itself. E.g. a Native Client can be called a client, but a Web App/API is actually a server service which runs on a server. But they are all applications.

So Application Id makes more sense for common users. But Client Id is a standard definition which you cannot change.

What does it mean by "making a protected resource request on behalf of the resource owner"?

It means that the client can, on behalf of users, request an access token and send the access token to the Resource. (If you let users do this by themselves, it's unsafe and complex.)

In the OAuth 2.0 framework, the client is the bridge between Users (Resource Owner), the App (protected resource) and the Identity provider (Authorization server). If a user wants to access the SaaS app, he will send an authorization request to the client, not to the Authorization Server directly. Then the client can, on behalf of the user, request an access token from the Authorization server and send the access token to the App.

Here is the protocol flow:

 +--------+                               +---------------+
 |        |--(A)- Authorization Request ->|   Resource    |
 |        |                               |     Owner     |
 |        |<-(B)-- Authorization Grant ---|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(C)-- Authorization Grant -->| Authorization |
 | Client |                               |     Server    |
 |        |<-(D)----- Access Token -------|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(E)----- Access Token ------>|    Resource   |
 |        |                               |     Server    |
 |        |<-(F)--- Protected Resource ---|               |
 +--------+                               +---------------+

From C to F, the Client, on behalf of the resource owner, obtains an access token and sends the access token.

For AAD, there is a document for Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow:

Client: Native App

Resource: Web API

Resource Owner: the User

Authorization Server: AAD

Here the Native app is the client which, on behalf of the user, requests a token and sends the token to the resource.




Answer 2:


Why the confusion arises in the Client ID topic here is:

In the old Azure portal (https://manage.windowsazure.com) they mention the "Client ID" as "Client ID", and when it comes to the new Azure portal (http://portal.azure.com) they provide "Application ID" as well as "Object ID", so here the confusion starts: many may copy the "Object ID" as "Client ID", but in the new portal we need to copy the "Application ID" as our "Client ID".

Hope this provides clarity for many who still have confusion.




Answer 3:


In Azure, to create a Service Principal you have to register an Application. That's why it's called Application Id (AppId). So:

AppId = ClientId = AuthClientId = Id of your Application

and

TenantId = DirectoryId = Name or Guid of your Azure Active Directory
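The four-role exchange (A)-(F) from Answer 1 and the identifier mapping in Answer 3 can be traced end to end in code. The following is an added example, not code from the question or any of the answers: a self-contained simulation of the OAuth 2.0 authorization code flow in which the authorization server, resource server, client application and resource owner all run in one process, so it is visible where the registered client_id (the Azure "Application ID") travels and why the client, not the user, redeems the grant. The application id, client secret, redirect URI, tenant name and user data are constructed sample values, not real Azure identifiers; the resource server consults the authorization server's token table directly as a simulation shortcut, whereas a real API validates a signed token.

```python
"""Simulated OAuth 2.0 authorization code flow (RFC 6749, section 4.1).

All four roles run in-process so the exchange can be traced offline. The
client_id presented to the authorization server is the value issued when
the application was registered: in Azure AD terms, the Application ID.
"""
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample registration values (not real Azure identifiers).
APP_ID = "11111111-2222-3333-4444-555555555555"  # client_id == Application ID
APP_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://app.example.test/callback"
TENANT_ID = "contoso.example.test"                # constructed tenant (Directory ID)


class AuthorizationServer:
    """Role: authorization server (AAD). Holds registrations, issues tokens."""

    def __init__(self):
        self.registrations = {}  # client_id -> (client_secret, redirect_uri)
        self.codes = {}          # authorization code -> (client_id, user, scopes)
        self.tokens = {}         # access token -> (user, scopes)

    def register_application(self, client_id, client_secret, redirect_uri):
        """The 'app registration': this is where the identifier is minted."""
        self.registrations[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scopes, user, consent):
        """Steps (A)/(B): the resource owner signs in and grants consent."""
        registered = self.registrations.get(client_id)
        if registered is None:
            raise ValueError("unauthorized_client: unknown client_id")
        if registered[1] != redirect_uri:
            raise ValueError("invalid_request: redirect_uri mismatch")
        if not consent:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, tuple(scopes))
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps (C)/(D): the client authenticates itself and redeems the grant."""
        registered = self.registrations.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # authorization codes are single use
        if grant is None or grant[0] != client_id or registered[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (grant[1], grant[2])
        return {"access_token": access_token, "token_type": "Bearer"}


class ResourceServer:
    """Role: resource server (the Web API holding the user's data)."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.calendars = {"alice": "alice's calendar"}  # constructed data

    def get_calendar(self, access_token):
        """Steps (E)/(F). Simulation shortcut: look the token up in the
        authorization server's table; a real API validates a signed token."""
        entry = self.auth_server.tokens.get(access_token)
        if entry is None or "calendar.read" not in entry[1]:
            raise PermissionError("invalid_token or insufficient_scope")
        return self.calendars[entry[0]]


class ClientApp:
    """Role: client (the registered application acting on the user's behalf)."""

    def __init__(self, auth_server, resource_server):
        self.auth_server = auth_server
        self.resource_server = resource_server

    def fetch_calendar_for(self, user, consent=True):
        # The user only ever talks to the client; the client carries the grant.
        code = self.auth_server.authorize(APP_ID, REDIRECT_URI, ["calendar.read"], user, consent)
        grant = self.auth_server.token(APP_ID, APP_SECRET, code, REDIRECT_URI)
        return self.resource_server.get_calendar(grant["access_token"])


def azure_authorize_url(tenant_id, client_id, redirect_uri, scope):
    """Azure AD v2.0 authorize endpoint: the Application ID is sent as client_id."""
    base = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": scope, "state": "constructed-state"}
    return base + "?" + urlencode(params)


def build_world():
    auth = AuthorizationServer()
    auth.register_application(APP_ID, APP_SECRET, REDIRECT_URI)
    resource = ResourceServer(auth)
    return auth, resource, ClientApp(auth, resource)


def run_demo():
    """Full flow A-F; returns the protected resource the client obtained."""
    return build_world()[2].fetch_calendar_for("alice")


def reused_code_is_rejected():
    """Edge case: redeeming the same authorization code twice must fail."""
    auth = build_world()[0]
    code = auth.authorize(APP_ID, REDIRECT_URI, ["calendar.read"], "alice", True)
    auth.token(APP_ID, APP_SECRET, code, REDIRECT_URI)
    try:
        auth.token(APP_ID, APP_SECRET, code, REDIRECT_URI)
    except PermissionError:
        return True
    return False


def unregistered_client_is_rejected():
    """Edge case: an id that was never registered (e.g. an Object ID pasted
    in place of the Application ID) is refused at the authorize step."""
    try:
        build_world()[0].authorize("not-a-registered-app-id", REDIRECT_URI,
                                   ["calendar.read"], "alice", True)
    except ValueError:
        return True
    return False
```

Running `run_demo()` returns the user's calendar obtained by the client; `azure_authorize_url(TENANT_ID, APP_ID, REDIRECT_URI, "User.Read")` shows the same Application ID appearing as the `client_id` query parameter, and the two edge-case functions show why a misconfigured id (such as the Object ID mentioned in Answer 2) or a replayed code fails before any resource is released.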



Source: https://stackoverflow.com/questions/51075832/in-azure-why-is-an-authclientid-also-called-an-application-id
