Increase the resilience of authentication and authorization in daemon applications you develop

This article provides guidance on how developers can use the Microsoft identity platform and Azure Active Directory to increase the resilience of daemon applications. This includes background processes, services, server-to-server apps, and applications without users.

Daemon applications that call Microsoft Identity

Use Managed Identities for Azure Resources

Developers building daemon apps on Azure can use Managed Identities for Azure Resources. Managed Identities eliminate the need for developers to manage secrets and credentials. The feature improves resilience by avoiding mistakes around certificate expiry, rotation errors, or trust. It also has several built-in features meant specifically to increase resilience.

Managed Identities use long-lived access tokens and information from Microsoft Identity to proactively acquire new tokens within a large window of time before the existing token expires. Your app can continue to run while attempting to acquire a new token.

Managed Identities also use regional endpoints to improve performance and resilience against out-of-region failures. Using a regional endpoint helps to keep all traffic inside a geographical area. For example, if your Azure resource is in ChinaNorth2, all the traffic, including Microsoft Identity generated traffic, should stay in ChinaNorth2. This eliminates possible points of failure by consolidating the dependencies of your service.

Use the Microsoft Authentication Library

Developers of daemon apps who do not use Managed Identities can use the Microsoft Authentication Library (MSAL), which makes implementing authentication and authorization simple and automatically uses best practices for resilience. MSAL makes the process of providing the required client credentials easier. For example, your application does not need to implement creating and signing JSON Web Token assertions when using certificate-based credentials.

Use Microsoft.Identity.Web for .NET developers

Developers building daemon apps on ASP.NET Core can use the Microsoft.Identity.Web library. This library is built on top of MSAL to make implementing authorization even easier for ASP.NET Core apps. It includes several distributed token cache strategies for distributed apps that can run in multiple regions.

Cache and store tokens

If you are not using MSAL to implement authentication and authorization, you can implement some best practices for caching and storing tokens. MSAL implements and follows these best practices automatically.

An application acquires tokens from an identity provider to authorize the application to call protected APIs. When your app receives tokens, the response that contains the tokens also contains an "expires_in" property that tells the application how long to cache, and reuse, the token. It is important that applications use the "expires_in" property to determine the lifespan of the token. Applications must never attempt to decode an API access token. Using the cached token prevents unnecessary traffic between your app and Microsoft Identity. Your user can stay signed in to your application for the length of that token's lifetime.

Properly handle service responses

Finally, while applications should handle all error responses, there are some responses that can impact resilience. If your application receives an HTTP 429 response code, Too Many Requests, Microsoft Identity is throttling your requests. If your app continues to make too many requests, it will continue to be throttled, preventing your app from receiving tokens. Your application should not attempt to acquire a token again until after the time, in seconds, in the "Retry-After" response field has passed. Receiving a 429 response is often an indication that the application is not caching and reusing tokens correctly. Developers should review how tokens are cached and reused in the application.

When an application receives an HTTP 5xx response code, the app must not enter a fast retry loop. When a "Retry-After" header is present, the application should honor it the same way it does for a 429 response. If no "Retry-After" header is provided by the response, we recommend implementing an exponential back-off retry with the first retry at least 5 seconds after the response.

When a request times out, applications should not retry immediately. Implement an exponential back-off retry with the first retry at least 5 seconds after the response.
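The following is an added example, not MSAL or Microsoft code, that puts the token-caching guidance above (cache only as long as "expires_in" says, never decode the token) and the response-handling guidance (honor "Retry-After" on 429 and 5xx, otherwise back off exponentially starting at 5 seconds, never retry a timeout immediately) into one small client. The `request_token` callable, the `TokenCache` class and the function names are constructed for illustration; a real app would plug in its HTTP call to the token endpoint.

```python
import time

# Added example, not MSAL code: cache driven only by expires_in, plus the
# 429 / 5xx / timeout retry handling described above. Names are constructed.

class TokenCache:
    """Caches one token; its validity comes solely from expires_in."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return the cached token while it is still valid, else None."""
        if self._token is not None and self._clock() < self._expires_at:
            return self._token
        return None

    def put(self, token, expires_in):
        # Never decode the access token; only expires_in defines its lifetime.
        self._token = token
        self._expires_at = self._clock() + float(expires_in)

def retry_delay(headers, attempt, first_delay=5.0):
    """Honor Retry-After (seconds) if present, else back off exponentially."""
    if headers.get("Retry-After") is not None:
        return float(headers["Retry-After"])
    return first_delay * (2 ** attempt)  # 5, 10, 20, ... seconds

def acquire_token(cache, request_token, sleep=time.sleep, max_attempts=5):
    """request_token() returns (status, headers, body) or raises TimeoutError."""
    token = cache.get()
    if token is not None:
        return token  # served from cache: no traffic to the identity service
    for attempt in range(max_attempts):
        try:
            status, headers, body = request_token()
        except TimeoutError:
            sleep(retry_delay({}, attempt))  # never retry a timeout immediately
            continue
        if status == 200:
            cache.put(body["access_token"], body["expires_in"])
            return body["access_token"]
        if status == 429 or 500 <= status < 600:
            sleep(retry_delay(headers, attempt))  # throttled or server error
            continue
        raise RuntimeError(f"token request failed with HTTP {status}")
    raise RuntimeError(f"token not acquired after {max_attempts} attempts")
```

Injecting `clock` and `sleep` keeps the logic testable without real waits; a steady stream of 429 responses from a service built this way usually points to the cache being bypassed rather than to the back-off.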

Next steps