I was wondering what would be best for my scenario. I understand that you usually want only 1 Service Principal (SP) per application. Since I didn't find any clear answer for my scenario, here are the details.
However, let's assume the following:
- I have a small app installed at every customer I have (let's assume 100)
- Each customer will be sending events to EventHub (send only)
- The small app uses credentials to connect to my service in order to retrieve a key for event hub
- My service connects to Azure, and when the small app requests EventHub credentials I send back either a secret or a certificate
So basically, should I:
- Manage 1 SP per customer?
- Create/manage many secrets/certificates for an SP (1 per customer, let's say)
- From my service, use 1 SP + 1 certificate and use it to create a new token that would then be served to my small app
  - Drawback: from my understanding, we can't invalidate the token once it's in use until it tries to reconnect
Note: of course, it's not about doing all 3 of them, only 1.
I saw the following on https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature:
If your application needs to grant access to Event Hubs resources based on user or service identities, it should implement a security token service that issues SAS tokens after an authentication and access check.
So my guess would be that option 3 is the way to go.
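As an added example (not from the question, and not Microsoft's code), here is how a token service for option 3 could mint a short-lived, hub-scoped, send-only SAS token per customer request, following the SAS token format documented for Event Hubs; the namespace, hub, policy name and key are constructed placeholders. `verify_sas_token` only mirrors the check the broker performs on presentation, so the token can be tested offline.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, quote_plus

# Constructed placeholder values, not real credentials: a shared access policy
# on one event hub that carries only the "Send" claim.
NAMESPACE = "example-ns.servicebus.windows.net"
EVENT_HUB = "customer-events"
SEND_POLICY_NAME = "send-only-policy"
SEND_POLICY_KEY = "constructed-placeholder-key-not-a-real-secret"


def resource_uri(namespace, event_hub):
    """Scope of the token: one hub, not the whole namespace."""
    return f"https://{namespace}/{event_hub}"


def _signature(uri, expiry, key):
    # Documented string-to-sign: URL-encoded resource URI, newline, Unix expiry.
    string_to_sign = quote_plus(uri) + "\n" + str(expiry)
    digest = hmac.new(key.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def issue_sas_token(uri, key_name, key, ttl_seconds=600, now=None):
    """Mint the token the service hands to one customer app after authenticating it.
    A SAS token cannot be revoked once issued, so a short TTL is what bounds
    how long a leaked token stays usable."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    sig = _signature(uri, expiry, key)
    return f"SharedAccessSignature sr={quote_plus(uri)}&sig={quote(sig)}&se={expiry}&skn={key_name}"


def parse_sas_token(token):
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    return {k: v[0] for k, v in parse_qs(token[len(prefix):]).items()}


def verify_sas_token(token, uri, key_name, key, now=None):
    """Mirror of the broker-side check: right scope, right policy, not expired,
    signature valid under that policy's key."""
    now = int(time.time()) if now is None else now
    try:
        f = parse_sas_token(token)
        expiry = int(f["se"])
    except (ValueError, KeyError):
        return False
    if f.get("sr") != uri or f.get("skn") != key_name or expiry <= now:
        return False
    return hmac.compare_digest(f.get("sig", ""), _signature(uri, expiry, key))
```

The per-customer part is the authentication step before `issue_sas_token` is called; the token itself only carries the hub scope, the policy name and the expiry.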