Authenticate event delivery to event handlers (Azure Event Grid)

This article describes how to authenticate event delivery to event handlers. It also shows how to secure the webhook endpoints that receive events from Event Grid, using either Azure Active Directory (Azure AD) or a shared secret.

Use system-assigned identities for event delivery

You can enable a system-assigned managed identity for a topic or domain and use that identity to forward events to supported destinations such as Service Bus queues and topics, event hubs, and storage accounts. With this approach the destination authenticates the identity through Azure role-based access control rather than a connection string or key stored in the event subscription.

Here are the steps:

  1. Create a topic or domain with a system-assigned identity, or update an existing topic or domain to enable the identity.
  2. Assign the identity an appropriate role (for example, Azure Service Bus Data Sender) on the destination (for example, a Service Bus queue). Grant only the role the destination needs for delivery; the identity does not need a management or receive role.
  3. When you create event subscriptions, enable the use of the identity to deliver events to the destination.

For detailed step-by-step instructions, see Event delivery with a managed identity.

Authenticate event delivery to webhook endpoints

The following sections describe how to authenticate event delivery to webhook endpoints. Whichever method you use, the webhook must also complete the validation handshake before Event Grid will deliver events to it; the handshake proves ownership of the endpoint, it does not replace authentication of the sender. See Webhook event delivery for details.

Using Azure Active Directory (Azure AD)

You can secure the webhook endpoint that receives events from Event Grid by using Azure AD. You need to create an Azure AD application, create a role and service principal in that application that authorize Event Grid, and configure the event subscription to use the Azure AD application. Event Grid then presents a bearer token on each delivery, and the webhook must validate the token's issuer, audience and signature before processing the request. Learn how to Configure Azure Active Directory with Event Grid.

Using a client secret as a query parameter

You can also secure your webhook endpoint by adding query parameters to the webhook destination URL that you specify when creating an event subscription. Set one of the query parameters to a client secret, such as an access token or a shared secret. Event Grid includes all the query parameters in every event delivery request to the webhook, including the validation handshake request. The webhook service retrieves the secret from the request and validates it, rejecting any request in which it is missing or wrong. If the client secret is updated, the event subscription also needs to be updated. To avoid delivery failures during secret rotation, make the webhook accept both the old and the new secret for a limited period, update the event subscription with the new secret, and only then stop accepting the old one.

Because query parameters can contain client secrets, Event Grid handles them with extra care. They are stored encrypted and are not accessible to service operators. They are not written to service logs or traces. When you retrieve the properties of an event subscription, the destination query parameters are not returned by default; in the Azure CLI, for example, you must pass the --include-full-endpoint-url parameter to see the full endpoint URL.
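The following Python handler is an added example, not code from the original article or from Event Grid itself. It shows a webhook that enforces the HTTPS requirement, checks the client secret carried in a query parameter (accepting both the old and the new secret during rotation, with a constant-time comparison), and answers the validation handshake described in Webhook event delivery. The query-parameter name `code`, the host `webhook.example.test`, the secret values and the sample requests are all constructed for the example; the handshake fields (the `aeg-event-type` header, the `Microsoft.EventGrid.SubscriptionValidationEvent` event type, `validationCode` and `validationResponse`) follow the Event Grid event schema.

```python
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Hypothetical query-parameter name that carries the client secret. The endpoint
# registered on the event subscription would be, for example:
#   https://webhook.example.test/events?code=<secret>
SECRET_PARAM = "code"

# Constructed secrets. During rotation the webhook lists both the value the event
# subscription still uses and the value it is about to be updated to. Once the
# subscription has been updated, the old value is removed from this tuple.
ACCEPTED_SECRETS = ("old-shared-secret-123", "new-shared-secret-456")


def secret_is_valid(query, accepted=ACCEPTED_SECRETS, param=SECRET_PARAM):
    """Return True if the query string carries exactly one accepted secret."""
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        return False  # missing, or repeated (parameter pollution)
    presented = values[0].encode()
    # Compare against every candidate with a constant-time function, and do not
    # return early, so timing reveals neither a match nor which secret matched.
    matched = False
    for candidate in accepted:
        if hmac.compare_digest(presented, candidate.encode()):
            matched = True
    return matched


def handle_delivery(url, headers, body):
    """Process one Event Grid delivery request.

    url     full request URL (scheme, host, path and query)
    headers request headers (case-insensitive names)
    body    raw JSON body, a list of events in the Event Grid schema
    Returns (http_status, response_object).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    if parts.scheme != "https":
        return 400, {"error": "Event Grid only delivers to HTTPS endpoints"}
    if not secret_is_valid(parts.query):
        # Reject before parsing the body: an unauthenticated caller learns
        # nothing about the payloads the endpoint accepts.
        return 401, {"error": "missing or invalid client secret"}

    events = json.loads(body)
    if hdrs.get("aeg-event-type") == "SubscriptionValidation":
        # Validation handshake: echo validationCode back as validationResponse.
        for ev in events:
            if ev.get("eventType") == "Microsoft.EventGrid.SubscriptionValidationEvent":
                return 200, {"validationResponse": ev["data"]["validationCode"]}
        return 400, {"error": "validation request without a validation event"}

    # Normal delivery: a 2xx acknowledges the batch so Event Grid does not retry.
    return 200, {"processed": [ev["id"] for ev in events]}


# Constructed sample requests (not captured from a real subscription).
VALIDATION_REQUEST = (
    "https://webhook.example.test/events?code=old-shared-secret-123",
    {"Aeg-Event-Type": "SubscriptionValidation", "Content-Type": "application/json"},
    json.dumps([{
        "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
        "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.EventGrid/topics/demo",
        "subject": "",
        "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
                 "validationUrl": "https://example.invalid/validate"},
        "eventType": "Microsoft.EventGrid.SubscriptionValidationEvent",
        "eventTime": "2023-01-25T22:12:19.4556811Z",
        "metadataVersion": "1", "dataVersion": "1",
    }]),
)

NOTIFICATION_REQUEST = (
    "https://webhook.example.test/events?code=new-shared-secret-456",
    {"aeg-event-type": "Notification", "content-type": "application/json"},
    json.dumps([{
        "id": "9a1f2c3d-0000-4000-8000-000000000001",
        "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.EventGrid/topics/demo",
        "subject": "orders/42",
        "data": {"orderId": 42},
        "eventType": "Contoso.Orders.Created",
        "eventTime": "2023-01-25T22:13:00.0000000Z",
        "metadataVersion": "1", "dataVersion": "1",
    }]),
)

if __name__ == "__main__":
    print(handle_delivery(*VALIDATION_REQUEST))
    print(handle_delivery(*NOTIFICATION_REQUEST))
```

The secret check runs before the body is parsed and before the handshake is answered, so a caller who does not know the secret cannot use the handshake path to probe the endpoint. Rotation is a matter of adding the new value to `ACCEPTED_SECRETS`, updating the event subscription's endpoint URL, and then removing the old value.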

For more information on delivering events to webhooks, see Webhook event delivery.

Important

Azure Event Grid only supports HTTPS webhook endpoints. This matters for the query-parameter method in particular: the client secret is part of the URL, and TLS is what keeps it from being observed in transit.

Next steps

See Authenticate publishing clients to learn how clients that publish events to topics or domains are authenticated.