Managed identities for Azure SignalR Service

This article shows you how to create a managed identity for Azure SignalR Service and how to use it in serverless scenarios.

Important

Azure SignalR Service supports only one managed identity per instance. That means you can add either a system-assigned identity or a user-assigned identity, not both.

Add a system-assigned identity

To set up a managed identity in the Azure portal, first create an Azure SignalR Service instance and then enable the feature on it.

  1. Create an Azure SignalR Service instance in the portal as you normally would. Browse to it in the portal.

  2. Select Identity.

  3. On the System assigned tab, switch Status to On. Select Save.

    (Screenshot: adding a system-assigned identity in the portal)

Add a user-assigned identity

Creating an Azure SignalR Service instance with a user-assigned identity requires that you create the identity first and then add its resource identifier to your service.

  1. Create a user-assigned managed identity resource according to these instructions.

  2. Create an Azure SignalR Service instance in the portal as you normally would. Browse to it in the portal.

  3. Select Identity.

  4. On the User assigned tab, select Add.

  5. Search for the identity that you created earlier and select it. Select Add.

    (Screenshot: adding a user-assigned identity in the portal)

Use a managed identity in serverless scenarios

Azure SignalR Service is a fully managed service, so you can't use its managed identity to obtain tokens yourself. Instead, Azure SignalR Service uses the managed identity you configured to obtain an access token, and it sets that token in the Authorization header of the upstream requests it sends in serverless scenarios. Your upstream endpoint is the party that must validate it.

Enable managed identity authentication in upstream settings

  1. Add a system-assigned identity or a user-assigned identity.

  2. Configure upstream settings and use ManagedIdentity as the Auth setting. To learn how to create upstream settings with authentication, see Upstream settings.

  3. In the managed identity authentication settings, for Resource, you can specify the target resource. The resource becomes the aud claim of the access token the service obtains, so your upstream endpoints can check it as part of token validation. The resource can be one of the following:

    Note

    If you validate the access token yourself in your service, you can choose any of the resource formats. Just make sure that the Resource value in the Auth settings and your validation logic agree. If you use Azure role-based access control (Azure RBAC) for the data plane, you must use the resource that the service provider requests.

Validate access tokens

The token in the Authorization header is a Microsoft identity platform access token.

To validate access tokens, your app must validate the audience and the token signature. Check the audience against the Resource you configured, and check the signature and issuer against the values in the OpenID discovery document: the issuer claim must match the document's issuer, and the signing key must come from the key set published at the document's jwks_uri. For example, see the tenant-independent version of the document at https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.

The Azure Active Directory (Azure AD) middleware has built-in capabilities for validating access tokens. You can browse our samples to find one in the language of your choice.

We provide libraries and code samples that show how to handle token validation. There are also several open-source partner libraries available for JSON Web Token (JWT) validation, with at least one option for almost every platform and language. For more information about Azure AD authentication libraries and code samples, see Microsoft identity platform authentication libraries.

Next steps