Merge pull request #294672 from DominikMe/domessin/identity-service-architecture

Merge previous client - server architecture snippet into Identity Overview article

Author: ttorble

articles/communication-services/.openpublishing.redirection.communication-services.json

@@ -2,7 +2,7 @@
     "redirections": [
         {
             "source_path_from_root": "/articles/communication-services/concepts/client-and-server-architecture.md",
-            "redirect_url": "https://learn.microsoft.com/azure/architecture/guide/mobile/azure-communication-services-architecture",
+            "redirect_url": "/azure/communication-services/concepts/identity-model#client-server-architecture",
             "redirect_document_id": false
         },
         {

articles/communication-services/concepts/authentication.md

@@ -99,4 +99,4 @@ The user identity is intended to act as a primary key for logs and metrics colle
 > [Trusted authentication service hero sample](../samples/trusted-auth-sample.md)
 
 For more information, see the following articles:
-- [Learn about client and server architecture](../concepts/client-and-server-architecture.md)
+- [Learn about client and server architecture](../concepts/identity-model.md#client-server-architecture)

articles/communication-services/concepts/identity-model.md

@@ -16,31 +16,31 @@ ms.subservice: identity
 # Identity model
 Azure Communication Services is an identity-agnostic service, which offers multiple benefits:
 
-- Reuse existing identities from your identity management system and simply map them with Azure Communication Services identities. 
-- Provides integration flexibility as identity-agnostic model works well with your existing identity system.
-- You can Keep your user's data, such as their name, private as you don't need to duplicate it in Azure Communication Services.
+- Reuse existing identities from your identity management system and map them with Azure Communication Services identities. 
+- Works well with any existing identity system and has no dependency on a specific identity provider.
+- Keep your user's data, such as their name, private as you don't need to duplicate it in Azure Communication Services.
 
 Azure Communication Services identity model works with two key concepts.
 
 ## User identity / mapping
-Uniquely identifies a user through a user-identifier, which is generated by Azure Communication Services when a user is created. External identifiers such as phone numbers, users, devices, applications, and GUIDs can't be used for identity in Azure Communication Services. You can create Azure Communication Service user identities for free. Charges are only incurred when the user consumes communications modalities such as a chat or a call. Your users identity can be mapped to Azure Communication Services user Identity in 1:1, 1:N, N:1, N:N configurations. A user can participate in multiple communication sessions, using multiple devices, simultaneously. Mapping between Azure Communication Services user identity and customer's private user identity is kept and maintained by the customer. For example, customers can add a `CommunicationServicesId` column in their user table to store the associated Azure Communication Services identity.
+When you create a user identity via SDK or REST API, Azure Communication Services creates a unique user identifier. External identifiers such as phone numbers, user/device/application IDs, or user names can't be used directly in Azure Communication Services. Instead you have to use the Communication Services identities and maintain a mapping to your own user ID system as needed. Creating Azure Communication Service user identities is free and charges are only incurred when the user consumes communication modalities such as a chat or a call. How you use your generated Communication Services identity depends on your scenario. For example, you can map an identity 1:1, 1:N, N:1, or N:N, and you can use it for human users or applications. A user can participate in multiple communication sessions, using multiple devices, simultaneously. Managing a mapping between Azure Communication Services user identities and your own identity system is your responsibility as a developer, and doesn't come built-in. For example, you can add a `CommunicationServicesId` column in your existing user table to store the associated Azure Communication Services identity. A mapping design is described in more detail under [Client-server architecture](#client-server-architecture).
 
 ## Access tokens 
-After a user identity is created, a user is granted with the capability to participate in communications using chat or calls, using access tokens. For example, only a user with chat token can participate in chat and user with VoIP token can participate in a VoIP call. A user can have multiple tokens simultaneously. Azure Communication Services supports multiple types of tokens to account for users who require full access vs limited access. Access tokens have the following properties.
+After a user identity is created, a user then needs an access token with specific scopes to participate in communications using chat or calls. For example, only a user with a token with the `chat` scope can participate in chat and a user with a token with `voip` scope can participate in a VoIP call. A user can have multiple tokens simultaneously. Azure Communication Services supports multiple token scopes to account for users who require full access vs limited access. Access tokens have the following properties.
 
 |Property|Description|
 |---|----|
-|Identity|Uniquely identifies a token|
-|Expiration|An access token is valid for a period of time between 1 and 24 hours. After it expires, the access token is invalidated and can't be used to access any primitive. To generate a token with a custom validity, specify the desired validity period when generating the token. If no custom validity is specified, the token will be valid for 24 hours. We recommend using short lifetime tokens for one-off meetings and longer lifetime tokens for agents using the application for longer periods of time|
-|Scope|The scope parameter defines a nonempty set of primitives (Chat/VoIP) that can be used. 
+|Subject|The user identity which is represented by the token.|
+|Expiration|An access token is valid for at least 1 hour and up to 24 hours. After it expires, the access token is invalid and can't be used to access the service. To create a token with a custom expiration time, specify the desired validity in minutes (>=60, <1440). By default, the token is valid for 24 hours. We recommend using short lifetime tokens for one-off meetings and longer lifetime tokens for users who use your application for longer periods of time.|
+|Scopes|The scopes define which communication primitives (Chat/VoIP) can be accessed with the token.|
 
-An access token is a JSON Web Token (JWT) and has integrity protection. That is, its claims can't be changed after it's issued. So a manual change of properties such as identity, expiration, or scopes will invalidate the access token. If primitives are used with invalidated tokens, then access will be denied to the primitives. Azure Communication Services supports the following scopes for access tokens.
+An access token is a JSON Web Token (JWT) and has integrity protection. That is, its claims can't be changed without invalidating the access token because then the token signature no longer matches. If communication primitives are used with invalid tokens, access is denied. Even though tokens aren't encrypted or obfuscated, your application shouldn't depend on the token format or its claims. The token format can change and isn't part of the official API contract. Azure Communication Services supports the following scopes for access tokens.
 
-## Chat token scopes
-Three types of chat token scopes are supported. Permissions for each token are described below.
-- chat
-- chat.join
-- chat.join.limited
+### Chat token scopes
+Three different chat token scopes are supported. Permissions for each scope are described in the following table.
+- `chat`
+- `chat.join`
+- `chat.join.limited`
 
 |Capability / Token scope| chat | chat.join | chat.join.limited |
 |---|---|---|---|
@@ -60,35 +60,53 @@ Three types of chat token scopes are supported. Permissions for each token are d
 |Send typing indicator | Y | Y | Y |
 |Get participant for thread ID | Y | Y | Y |
 
-## VoIP token scopes
-Two types of VoIP token scopes are supported. Permissions for each token are described below.
-- voip
-- voip.join
+### VoIP token scopes
+Two VoIP token scopes are supported. Permissions for each scope are described in the following table.
+- `voip`
+- `voip.join`
 
 |Capability / Token scope| voip | voip.join |
 |---|---|---|
 |Start a VoIP call | Y | N |
 |Start a VoIP call in Virtual Rooms, when the user is already invited to the Room| Y | Y |
 |Join an InProgress VoIP call | Y | Y |
 |Join an InProgress VoIP call in Virtual Rooms, when the user is already invited to the Room| Y | Y |
-|All other in-call operations such as mute/unmute, screen share etc. | Y | Y |
-|All other in-call operations such as mute/unmute, screen share etc. in Virtual Rooms| Determined by user role | Determined by user role |
+|All other in-call operations such as mute/unmute, screen share, etc. | Y | Y |
+|All other in-call operations such as mute/unmute, screen share, etc. in Virtual Rooms| Determined by user role | Determined by user role |
 
-## Revoke or update access token
+You can use the `voip.join` scope together with [Rooms](./rooms/room-concept.md) to create a scheduled call where only invited users get access and where users are prohibited from creating any other calls.
+
+### Revoke or update access token
 - Azure Communication Services Identity library can be used to revoke an access token before its expiration time. Token revocation isn't immediate. It can take up to 15 minutes to propagate.
-- The removal of an identity, resource, or subscription revokes all access tokens.
-- If you want to remove a user's ability to access specific functionality, revoke all access tokens. Then issue a new access token that has a more limited set of scopes.
-- Rotation of access keys revokes all active access tokens that were created by using a former access key. In this case all identities lose access to Azure Communication Services, and they must issue new access tokens.
+- The deletion of an identity, resource, or subscription revokes all access tokens.
+- If you want to remove a user's ability to access specific functionality, revoke all access tokens for the user. Then issue a new access token that has a more limited set of scopes.
+- Rotation of access keys revokes all active access tokens that were created by using a former access key. Consequently, all identities lose access to Azure Communication Services and need new access tokens.
+
+## Client-server architecture
+
+You should create and manage user access tokens through a trusted service and not create tokens in your client application. The connection string or Microsoft Entra credentials that are necessary to create user access tokens need to be protected, passing them to a client would risk leaking the secret. Failure to properly manage access tokens can result in extra charges on your resource when tokens are dispensed freely and get misused by somebody else.
+
+If you cache access tokens to a backing store, we recommend encrypting the tokens. An access token gives access to sensitive data and can be used for malicious activity if it isn't protected. Anyone with a user's access token can access that user's chat data or participate in calls impersonating the user.
+
+Make sure to include only those scopes in the token that your client application needs in order to follow the security principle of least privilege.
+
+:::image type="content" source="./media/architecture-identity.png" alt-text="Diagram that shows the user access token architecture." border="false":::
+
+1. A user starts the client application.
+1. The client application contacts your identity management service.
+1. The identity management service authenticates the application user. You can skip authentication for scenarios where the user is anonymous, but be careful to then add other protective measures such as throttling and CORS to your service to mitigate token abuse.
+1. Create or find a Communication Services identity for the user.
+   1. _Stable identity scenario:_ Your identity management service maintains a mapping between application identities and Communication Services identities. (Application identities include your users and other addressable objects, like services or bots.) If the application identity is new, a new Communication identity is created and a mapping is stored.
+   1. _Ephemeral identity scenario:_ The identity management service creates a new Communication identity. In this scenario, the same user ends up with a different Communication identity for each session.
+1. The identity management service issues a user access token for the applicable identity and returns it to the client application.
 
-## Considerations
-- We recommend issuing access tokens in your server-side service and not in the client's application. The reasoning is that issuing requires an access key or Microsoft Entra authentication. Sharing secrets with the client's application isn't recommended for security reasons.
-- Client application should use a trusted service endpoint that can authenticate clients. The endpoint should issue access tokens on their behalf. For more information, see [Client and server architecture](./client-and-server-architecture.md).
-- If you cache access tokens to a backing store, we recommend using encryption. An access token is sensitive data. It can be used for malicious activity if it's not protected. Someone who has an access token can start the SDK and access the API. The accessible API is restricted only based on the scopes that the access token has.
-- We recommend issuing access tokens that have only the required scopes.
+Azure App Service or Azure Functions are two alternatives for operating the identity management service. These services scale easily and have built-in features to [authenticate](../../app-service/overview-authentication-authorization.md) users. They're integrated with [OpenID](../../app-service/configure-authentication-provider-openid-connect.md) and third-party identity providers like [Facebook](../../app-service/configure-authentication-provider-facebook.md).
 
 ## Next steps
 
-* For an introduction to access token management, see [Create and manage access tokens](../quickstarts/identity/access-tokens.md).
+* To learn how to issue tokens, see [Create and manage access tokens](../quickstarts/identity/access-tokens.md).
 * For an introduction to authentication, see [Authenticate to Azure Communication Services](./authentication.md).
-* For an introduction to data residency and privacy, see [Region availability and data residency](./privacy.md).
-* To learn how to quickly create identities for testing, see the [quick-create identity quickstart](../quickstarts/identity/quick-create-identity.md).
+* To read about data residency and privacy, see [Region availability and data residency](./privacy.md).
+* To learn how to quickly create identities and tokens for testing, see the [quick-create identity quickstart](../quickstarts/identity/quick-create-identity.md).
+* For a full sample of a simple identity management service, visit the [Trusted service tutorial](../tutorials/trusted-service-tutorial.md).
+* For a more advanced identity management sample which integrates with Entra ID and Microsoft Graph, head over to [Authentication service hero sample](../samples/trusted-auth-sample.md).

articles/communication-services/concepts/media/architecture-identity.png

@@ -18,7 +18,7 @@ ms.custom: mode-other, devx-track-azurecli, devx-track-extended-java, devx-track
 
 Access tokens enable Azure Communication Services SDKs to [authenticate](../../concepts/authentication.md) directly against Azure Communication Services as a particular identity. You need to create access tokens if you want your users to join a call or chat thread within your application. 
 
-This article describes how to use the Azure Communication Services SDKs to create identities and manage your access tokens. For production use cases, we recommend that you generate access tokens on a server-side service as described in [Mobile architecture design](../../concepts/client-and-server-architecture.md).
+This article describes how to use the Azure Communication Services SDKs to create identities and manage your access tokens. For production use cases, we recommend that you generate access tokens on a server-side service as described in [Client and server architecture](../../concepts/identity-model.md#client-server-architecture).
 
 ::: zone pivot="platform-azcli"
 [!INCLUDE [Azure CLI](./includes/access-tokens/access-token-az-cli.md)]
@@ -75,5 +75,5 @@ To learn more about how to send an email using the Azure Communication Services
 
  - [Learn about authentication](../../concepts/authentication.md)
  - [Add chat to your app](../chat/get-started.md)
- - [Learn about client and server architecture](../../concepts/client-and-server-architecture.md)
+ - [Learn about client and server architecture](../../concepts/identity-model.md#client-server-architecture)
  - [Deploy trusted authentication service hero sample](../../samples/trusted-auth-sample.md)

articles/communication-services/quickstarts/identity/access-tokens.md

@@ -461,5 +461,5 @@ You might also want to:
 
 - [Add chat to your app](../quickstarts/chat/get-started.md)
 - [Create user access tokens](../quickstarts/identity/access-tokens.md)
-- [Learn about client and server architecture](../concepts/client-and-server-architecture.md)
+- [Learn about client and server architecture](../concepts/identity-model.md#client-server-architecture)
 - [Learn about authentication](../concepts/authentication.md)

articles/communication-services/tutorials/building-app-start.md

@@ -108,7 +108,7 @@ Attendee experience can be directly embedded into an application or platform usi
 
 2.	Before developers dive into using [Azure Communication Services](../overview.md), they must [create a resource](../quickstarts/create-communication-resource.md?pivots=platform-azp&tabs=windows&preserve-view=true).
 
-3.	Once a resource is created, developers must [generate access tokens](../quickstarts/identity/access-tokens.md?pivots=programming-language-javascript&preserve-view=true) for attendees to access Azure Communication Services. We recommend using a [trusted service architecture](../concepts/client-and-server-architecture.md).
+3.	Once a resource is created, developers must [generate access tokens](../quickstarts/identity/access-tokens.md?pivots=programming-language-javascript&preserve-view=true) for attendees to access Azure Communication Services. We recommend using a [trusted service architecture](../concepts/identity-model.md#client-server-architecture).
 
 4.	Developers can leverage [headless SDKs](../concepts/teams-interop.md) or [UI Library](../concepts/ui-library/ui-library-overview.md) using the join link URL to join the Teams meeting through [Teams Interoperability](../concepts/teams-interop.md). Details below:
 

articles/communication-services/tutorials/events-playbook.md

@@ -378,7 +378,7 @@ You may also want to:
 
 - [Add chat to your app](../quickstarts/chat/get-started.md)
 - [Creating user access tokens](../quickstarts/identity/access-tokens.md)
-- [Learn about client and server architecture](../concepts/client-and-server-architecture.md)
+- [Learn about client and server architecture](../concepts/identity-model.md#client-server-architecture)
 - [Learn about authentication](../concepts/authentication.md)
 - [Add file sharing with UI Library in Teams Interoperability Chat](./file-sharing-tutorial-interop-chat.md)
 - [Add file sharing with UI Library in Azure Communication Services Chat](./file-sharing-tutorial-acs-chat.md)

articles/communication-services/tutorials/file-sharing-tutorial-acs-chat.md

@@ -124,7 +124,7 @@ You may also want to:
 - [Check UI Library use cases](../concepts/ui-library/ui-library-use-cases.md)
 - [Add chat to your app](../quickstarts/chat/get-started.md)
 - [Creating user access tokens](../quickstarts/identity/access-tokens.md)
-- [Learn about client and server architecture](../concepts/client-and-server-architecture.md)
+- [Learn about client and server architecture](../concepts/identity-model.md#client-server-architecture)
 - [Learn about authentication](../concepts/authentication.md)
 - [Add file sharing with UI Library in Azure Azure Communication Services end user Service Chat](./file-sharing-tutorial-acs-chat.md)
 - [Add inline image with UI Library in Teams Interoperability Chat](./inline-image-tutorial-interop-chat.md)