I am finding Application Registrations in Azure very confusing. In my question here AuthClientId and Application Id turned out to be the same thing, so why are two names being used?
What is the logic behind this choice of naming?
[Update]
From Joy's link to the glossary I see
application id (client id)
"The unique identifier Azure AD issues to an application registration that identifies a specific application and the associated configurations. This application id (client id) is used when performing authentication requests and is provided to the authentication libraries in development time."
I see that Client Id links to a page at ietf.org which states
"2.2. Client Identifier
The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided by the client."
I guess the metaphor is all about the supplier, customer, product relationship, where the supplier is Active Directory, the product is authentication and the customer is an application registration.
It is the concept of an "application registration" as a customer that I am having trouble getting used to. I seek help understanding the choice of words.
The idea of a multi-tenant application does not really work with the "client" metaphor.
[Update] This link is the most helpful yet and the most authoritative. Copying from the link:
1.1. Roles
OAuth defines four roles:
resource owner: An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
authorization server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
The interaction between the authorization server and resource server is beyond the scope of this specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.
However, it is still confusing.
"An application making protected resource requests on behalf of the resource owner and with its authorization"
What does it mean by "making a protected resource request on behalf of the resource owner"?
[Update]
After studying Wayne Yang's answer I found this picture at Slack's oauth page
appId will be same for single application object that represents this application as well as it will be same for all service principals created for this application. objectId will be a unique value for application object and each of the service principal. This uniquely identifies the object in Azure AD.
application id (client id) "The unique identifier Azure AD issues to an application registration that identifies a specific application and the associated configurations. This application id (client id) is used when performing authentication requests and is provided to the authentication libraries in development time."
In Azure Active Directory, select App registrations. In Azure Active Directory > App registrations, select your application. Copy the Application ID and store it. This value is the Azure Application ID in the Tufin wizard.
The application ID URI is a URI that uniquely identifies the application in your Azure Active Directory. The URI can be anything you want as long as it is unique to your directory and a valid URI. A subtle distinction between the sign-on URL and the application ID URI is the use of a URL for one and a URI for another.
Why is an AuthClientId also called an Application Id?
Client Id is the standard definition in the OAuth 2.0 protocol. It's the actual application too. Application Id is just another name in the Azure Portal.
This name is closer to the meaning of the application itself. E.g. a Native Client can be called the client, but a Web App/API is actually a server service which runs on a server. But they are all applications.
So Application Id makes more sense for common users. But Client Id is a standard definition which you cannot change.
What does it mean by "making a protected resource request on behalf of the resource owner"?
It means that the client can request an access token on behalf of users and send the access token to the Resource. (If you let users do this by themselves, it's unsafe and complex.)
In the OAuth 2.0 framework, the client is the bridge between the Users (Resource Owner), the App (protected resource) and the Identity provider (Authorization server). If a user wants to access the SaaS app, he will send an authorization request to the client, not to the Authorization Server directly. Then the client can request an access token from the Authorization server on behalf of the user and send the access token to the App.
Here is the protocol flow:
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
From C to F, the Client obtains an access token on behalf of the resource owner and sends the access token.
For AAD, there is a document, Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow:
Client: Native App
Resource: Web API
Resource Owner: the User
Authorization Server: AAD
Here the Native app is the client which requests the token on behalf of the user and sends the token to the resource.
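The A to F exchange above, modelled in Python as an added example (not code from the answer or from Azure AD): the client_id the client presents is the Application (client) ID of its app registration, and the directory, acting as authorization server, issues codes and tokens only to registrations it knows. All IDs and URIs are constructed placeholders, and an HMAC over a text payload stands in for the signed JWT Azure AD really issues.

```python
import hmac, hashlib, secrets

TENANT_ID = "tenant-guid-placeholder"            # constructed, stands in for the directory id
CLIENT_ID = "app-registration-guid-placeholder"  # constructed Application (client) ID
REDIRECT_URI = "https://app.example/callback"    # constructed
REGISTRATIONS = {CLIENT_ID: REDIRECT_URI}        # what the directory knows about the app

class AuthorizationServer:
    """Plays Azure AD: issues codes (B) and access tokens (D) to registered clients only."""
    def __init__(self, tenant_id):
        self.tenant_id, self.key, self.codes = tenant_id, secrets.token_bytes(32), {}

    def authorize(self, client_id, redirect_uri, user):
        # Steps A/B: the user signs in here, not at the client, and the code is bound
        # to the app registration (client_id) that requested it.
        if client_id not in REGISTRATIONS or REGISTRATIONS[client_id] != redirect_uri:
            raise PermissionError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def token(self, client_id, code):
        # Steps C/D: a code is single-use and only the client it was issued to may redeem it.
        issued = self.codes.pop(code, None)
        if issued is None or issued[0] != client_id:
            raise PermissionError("invalid, replayed or foreign authorization code")
        claims = f"tid={self.tenant_id};appid={client_id};sub={issued[1]}"
        sig = hmac.new(self.key, claims.encode(), hashlib.sha256).hexdigest()
        return f"{claims};sig={sig}"  # HMAC stand-in for a signed JWT

    def claims_of(self, token):
        # Verify the token and return its claims, or None if this directory never issued it.
        claims, _, sig = token.rpartition(";sig=")
        good = hmac.new(self.key, claims.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, good):
            return None
        return dict(kv.split("=", 1) for kv in claims.split(";"))

def protected_resource(aad, token):
    # Plays the Web API (steps E/F): accepts only tokens the directory issued for this tenant.
    claims = aad.claims_of(token)
    if claims is None or claims["tid"] != aad.tenant_id:
        raise PermissionError("token rejected")
    return {"owner": claims["sub"], "called_by_app": claims["appid"]}

def run_flow(user, aad, client_id=CLIENT_ID):
    """The client (native app) acting on behalf of `user`: steps A to F in order."""
    code = aad.authorize(client_id, REDIRECT_URI, user)  # A -> B
    token = aad.token(client_id, code)                   # C -> D
    return protected_resource(aad, token)                # E -> F
```

The resource server learns both who the resource owner is (sub) and which app registration acted for them (appid), which is exactly the "on behalf of" relationship the answer describes.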
In Azure, to create a Service Principal you have to register an Application. That's why it's called Application Id (AppId). So:
AppId = ClientId = AuthClientId = Id of your Application
and
TenantId = DirectoryId = Name or Guid of your Azure Active Directory