Public client and confidential client applications

Microsoft Authentication Library (MSAL) defines two types of clients: public clients and confidential clients. The two client types are distinguished by their ability to authenticate securely with the authorization server and to maintain the confidentiality of their client credentials. In contrast, Azure AD Authentication Library (ADAL) uses what's called an authentication context (a connection to Azure AD).

  • Confidential client applications are apps that run on servers (web apps, web API apps, or even service/daemon apps). They're considered difficult to access, and for that reason capable of keeping an application secret. Confidential clients can hold configuration-time secrets. Each instance of the client has a distinct configuration (including client ID and client secret). These values are difficult for end users to extract. A web app is the most common confidential client. The client ID is exposed through the web browser, but the secret is passed only in the back channel and never directly exposed.

    Confidential client apps: web app, web API, daemon/service

  • Public client applications are apps that run on devices or desktop computers or in a web browser. They're not trusted to safely keep application secrets, so they only access web APIs on behalf of the user. (They support only public client flows.) Public clients can't hold configuration-time secrets, so they don't have client secrets.

    Public client apps: desktop app, browserless API, mobile app

Note

In MSAL.js, there is no separation of public and confidential client apps. MSAL.js represents client apps as user-agent-based apps: public clients in which the client code executes in a user agent such as a web browser. These clients don't store secrets because the browser context is openly accessible.

Comparing the client types

Here are some similarities and differences between public client and confidential client apps:

  • Both kinds of app maintain a user token cache and can acquire a token silently (when the token is already in the token cache). Confidential client apps also have an app token cache for tokens that are for the app itself.
  • Both types of app manage user accounts and can get an account from the user token cache, get an account from its identifier, or remove an account.
  • Public client apps have four ways to acquire a token (four authentication flows). Confidential client apps have three ways to acquire a token (and one way to compute the URL of the identity provider's authorize endpoint). For more information, see Acquiring tokens.

If you've used ADAL, you might notice that, unlike ADAL's authentication context, in MSAL the client ID (also called the application ID or app ID) is passed once, when the application is constructed. It doesn't need to be passed again when the app acquires a token. This is true for both public and confidential client apps. Constructors of confidential client apps are also passed client credentials: the secret they share with the identity provider.
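The construction difference described above, shown with MSAL.NET as an added example (not code from the original page): the client ID is supplied once to each builder, only the confidential client receives a credential, and the credential is read from the server environment rather than embedded in code. The client ID, tenant, redirect URI and environment variable name are placeholder assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example; placeholder values are assumptions, replace with your own registration.
public static class MsalClientTypes
{
    const string ClientId  = "00000000-0000-0000-0000-000000000000"; // placeholder app (client) ID
    const string TenantId  = "contoso.onmicrosoft.com";              // placeholder tenant
    const string Authority = "https://login.microsoftonline.com/" + TenantId;

    // Public client: client ID only, no secret. It runs on a desktop or device,
    // so it can only obtain tokens on behalf of a signed-in user.
    public static async Task<AuthenticationResult> PublicClientFlowAsync(string[] scopes)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(Authority)
            .WithRedirectUri("http://localhost") // loopback redirect for interactive desktop sign-in
            .Build();

        // Check the user token cache first (silent); fall back to interactive sign-in.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            return await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            return await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        }
    }

    // Confidential client: the credential is passed once, at construction, and is
    // loaded from a server-side environment variable (assumed name) rather than source.
    public static async Task<AuthenticationResult> ConfidentialClientFlowAsync(string[] scopes)
    {
        string secret = Environment.GetEnvironmentVariable("MSAL_CLIENT_SECRET")
            ?? throw new InvalidOperationException("MSAL_CLIENT_SECRET is not set");

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(secret)
            .WithAuthority(Authority)
            .Build();

        // App-only token (client credentials); scopes use the "<resource>/.default" form.
        // The result is stored in the app token cache, which public clients do not have.
        return await app.AcquireTokenForClient(scopes).ExecuteAsync();
    }
}
```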

Next steps

Learn about: