You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/communication-services/concepts/identity-model.md
+14-14Lines changed: 14 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,28 +16,28 @@ ms.subservice: identity
16
16
# Identity model
17
17
Azure Communication Services is an identity-agnostic service, which offers multiple benefits:
18
18
19
-
- Reuse existing identities from your identity management system and simply map them with Azure Communication Services identities.
20
-
-Provides integration flexibility as identity-agnostic model works well with your existing identity system.
21
-
-You can Keep your user's data, such as their name, private as you don't need to duplicate it in Azure Communication Services.
19
+
- Reuse existing identities from your identity management system and map them with Azure Communication Services identities.
20
+
-Works well with any existing identity system and has no dependency on a specific identity provider.
21
+
- Keep your user's data, such as their name, private as you don't need to duplicate it in Azure Communication Services.
22
22
23
23
Azure Communication Services identity model works with two key concepts.
24
24
25
25
## User identity / mapping
26
-
Uniquely identifies a user through a user-identifier, which is generated by Azure Communication Services when a user is created. External identifiers such as phone numbers, users, devices, applications, and GUIDs can't be used for identity in Azure Communication Services. You can create Azure Communication Service user identities for free. Charges are only incurred when the user consumes communications modalities such as a chat or a call. Your users identity can be mapped to Azure Communication Services user Identity in 1:1, 1:N, N:1, N:N configurations. A user can participate in multiple communication sessions, using multiple devices, simultaneously. Mapping between Azure Communication Services user identity and customer's private user identity is kept and maintained by the customer. For example, customers can add a `CommunicationServicesId` column in their user table to store the associated Azure Communication Services identity.
26
+
When you create a user identity via SDK or REST API, Azure Communication Services creates a unique user identifier. External identifiers such as phone numbers, user/device/application ids, or user names can't be used directly in Azure Communication Services. Instead you will have to maintain a mapping to your own user id system. Creating Azure Communication Service user identities is free. Charges are only incurred when the user consumes communication modalities such as a chat or a call. How to you use your generated Communication Services identity depends on your scenario. For example, you can map it 1:1, 1:N, N:1, or N:N, and you can use it for human users or applications. A user can participate in multiple communication sessions, using multiple devices, simultaneously. Mapping between Azure Communication Services user identity and your own identity system is your responsibility as a developer. For example, you can add a `CommunicationServicesId` column in your existing user table to store the associated Azure Communication Services identity. This is described in more detail under [Client-server architecture](#client-server-architecture) below.
27
27
28
28
## Access tokens
29
-
After a user identity is created, a user is granted with the capability to participate in communications using chat or calls, using access tokens. For example, only a user with chat token can participate in chat and user with VoIP token can participate in a VoIP call. A user can have multiple tokens simultaneously. Azure Communication Services supports multiple types of tokens to account for users who require full access vs limited access. Access tokens have the following properties.
29
+
After a user identity is created, a user then needs an access token with specific scopes to participate in communications using chat or calls. For example, only a user with a token with the `chat` scope can participate in chat and a user with a token with `voip` scope can participate in a VoIP call. A user can have multiple tokens simultaneously. Azure Communication Services supports multiple token scopes to account for users who require full access vs limited access. Access tokens have the following properties.
30
30
31
31
|Property|Description|
32
32
|---|----|
33
-
|Identity|Uniquely identifies a token|
34
-
|Expiration|An access token is valid for a period of time between 1 and 24 hours. After it expires, the access token is invalidated and can't be used to access any primitive. To generate a token with a custom validity, specify the desired validity period when generating the token. If no custom validity is specified, the token will be valid for 24 hours. We recommend using short lifetime tokens for one-off meetings and longer lifetime tokens for agents using the application for longer periods of time|
35
-
|Scope|The scope parameter defines a nonempty set of primitives (Chat/VoIP) that can be used.
33
+
|Subject|The user identity which is represented by the token.|
34
+
|Expiration|An access token is valid for at least 1 hour and up to 24 hours. After it expires, the access token is invalid and can't be used to access the service. To create a token with a custom expiration time, specify the desired validity in minutes (>=60, <1440). By default, the token is valid for 24 hours. We recommend using short lifetime tokens for one-off meetings and longer lifetime tokens for users who use your application for longer periods of time.|
35
+
|Scopes|The scopes define which communication primitives (Chat/VoIP) can be accessed with the token.|
36
36
37
-
An access token is a JSON Web Token (JWT) and has integrity protection. That is, its claims can't be changed after it's issued. So a manual change of properties such as identity, expiration, or scopes will invalidate the access token. If primitives are used with invalidated tokens, then access will be denied to the primitives. Azure Communication Services supports the following scopes for access tokens.
37
+
An access token is a JSON Web Token (JWT) and has integrity protection. That is, its claims can't be changed after it has been issued. So a manual change of properties such as subject, expiration, or scopes invalidates the access token because the token signature no longer matches. If communication primitives are used with invalid tokens, then access will be denied. Even though tokens aren't encrypted or obfuscated, your application should not depend on the token shape or its claims as they can change and aren't part of the official API contract. Azure Communication Services supports the following scopes for access tokens.
38
38
39
39
### Chat token scopes
40
-
Three types of chat token scopes are supported. Permissions for each token are described below.
40
+
Three different chat token scopes are supported. Permissions for each scope are described below.
41
41
-`chat`
42
42
-`chat.join`
43
43
-`chat.join.limited`
@@ -61,7 +61,7 @@ Three types of chat token scopes are supported. Permissions for each token are d
61
61
|Get participant for thread ID | Y | Y | Y |
62
62
63
63
### VoIP token scopes
64
-
Two types of VoIP token scopes are supported. Permissions for each token are described below.
64
+
Two VoIP token scopes are supported. Permissions for each scope are described below.
65
65
-`voip`
66
66
-`voip.join`
67
67
@@ -80,13 +80,13 @@ You can the use `voip.join` scope together with [Rooms](./rooms/room-concept.md)
80
80
- Azure Communication Services Identity library can be used to revoke an access token before its expiration time. Token revocation isn't immediate. It can take up to 15 minutes to propagate.
81
81
- The deletion of an identity, resource, or subscription revokes all access tokens.
82
82
- If you want to remove a user's ability to access specific functionality, revoke all access tokens for the user. Then issue a new access token that has a more limited set of scopes.
83
-
- Rotation of access keys revokes all active access tokens that were created by using a former access key. In this case all identities lose access to Azure Communication Services, and they must issue new access tokens.
83
+
- Rotation of access keys revokes all active access tokens that were created by using a former access key. In this case all identities lose access to Azure Communication Services, and they need new access tokens.
84
84
85
85
## Client-server architecture
86
86
87
87
You should generate and manage user access tokens by using a trusted service and not from your client application. The connection string or Microsoft Entra credentials that are necessary to generate user access tokens need to be protected and passing them to a client would risk leaking the secret. Failure to properly manage access tokens can result in additional charges on your resource when discovered and misused by somebody else.
88
88
89
-
If you cache access tokens to a backing store, we recommend encrypting the tokens. An access token gives access to sensitive data and can be used for malicious activity if it's not protected. Someone who has an access token can access a user's chat data or participate in calls impersonating the user.
89
+
If you cache access tokens to a backing store, we recommend encrypting the tokens. An access token gives access to sensitive data and can be used for malicious activity if it isn't protected. Anyone with an user's access token can access that user's chat data or participate in calls impersonating the user.
90
90
91
91
Make sure to only include those scopes in the token that your client application really needs in order to follow the security principle of least privilege.
92
92
@@ -97,7 +97,7 @@ Make sure to only include those scopes in the token that your client application
97
97
1. The identity management service authenticates the application user. Skip authentication for anonymous user scenarios, but be careful to then add other measures such as throttling and CORS to avoid abuse of your service.
98
98
1. Create or find a Communication Services identity for the user.
99
99
1._Stable identity scenario:_ Your identity management service maintains a mapping between application identities and Communication Services identities. (Application identities include your users and other addressable objects, like services or bots.) If the application identity is new, a new Communication identity is created and a mapping is stored.
100
-
1._Ephemeral identity scenario:_ The identity management service creates a new Communication identity. In this scenario the same user will end up with a different Communication identity for each session.
100
+
1._Ephemeral identity scenario:_ The identity management service creates a new Communication identity. In this scenario, the same user ends up with a different Communication identity for each session.
101
101
1. The identity management service issues a user access token for the applicable identity and returns it to the client application.
102
102
103
103
Azure App Service or Azure Functions are two alternatives for operating the identity management service. These services scale easily and have built-in features to [authenticate](/../../app-service/overview-authentication-authorization.md) users. They're integrated with [OpenID](../../app-service/configure-authentication-provider-openid-connect.md) and third-party identity providers like [Facebook](/../../app-service/configure-authentication-provider-facebook.md).
0 commit comments