Add a web API application to your Azure Active Directory B2C tenant

Register web API resources in your tenant so that they can accept and respond to requests from client applications that present an access token. This article shows you how to register a web API in Azure Active Directory B2C (Azure AD B2C).

To register an application in your Azure AD B2C tenant, you can use the new unified App registrations experience or the legacy Applications (Legacy) experience. Learn more about the new experience.

  1. Sign in to the Azure portal.
  2. Select the Directory + subscription filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
  3. In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
  4. Select App registrations, and then select New registration.
  5. Enter a Name for the application. For example, webapi1.
  6. Under Redirect URI, select Web, and then enter the endpoint to which Azure AD B2C should return any tokens that your application requests. The registered value must match the redirect URI your application sends in its requests exactly. For an application running on your own machine you might use an endpoint such as https://localhost:5000; a production application uses its own public HTTPS endpoint. During development or testing, you can set it to https://jwt.ms, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). You can add and modify redirect URIs in your registered applications at any time.
  7. Select Register.
  8. Record the Application (client) ID for use in your web API's code.

If you have an application that implements the implicit grant flow, for example a JavaScript-based single-page application (SPA), you can enable the flow by following these steps. Enable it only if the application genuinely needs it: the implicit flow returns tokens in the URL fragment, and the OAuth 2.0 Security Best Current Practice recommends the authorization code flow with PKCE for browser-based applications instead.

  1. Under Manage, select Authentication.
  2. Under Implicit grant, select both the Access tokens and ID tokens check boxes.
  3. Select Save.

Configure scopes

Scopes provide a way to govern access to protected resources. The web API uses scopes to implement scope-based access control: it inspects the scopes carried in the access token and serves or refuses the request accordingly. For example, some users of the web API could have both read and write access, while others have only read access. In this tutorial, you use scopes to define read and write permissions for the web API.

  1. Select App registrations.
  2. Select the webapi1 application to open its Overview page.
  3. Under Manage, select Expose an API.
  4. Next to Application ID URI, select the Set link.
  5. Replace the default value (a GUID) with api, and then select Save. The full URI is shown, and should be in the format https://your-tenant-name.partner.onmschina.cn/api. When your web application requests an access token for the API, it should add this URI as the prefix for each scope that you define for the API.
  6. Under Scopes defined by this API, select Add a scope.
  7. Enter the following values to create a scope that defines read access to the API, then select Add scope:
    1. Scope name: demo.read
    2. Admin consent display name: Read access to demo API
    3. Admin consent description: Allows read access to the demo API
  8. Select Add a scope, enter the following values to add a scope that defines write access to the API, and then select Add scope:
    1. Scope name: demo.write
    2. Admin consent display name: Write access to demo API
    3. Admin consent description: Allows write access to the demo API

Grant permissions

To call a protected web API from an application, you need to grant your application permissions to the API. For example, in Tutorial: Register an application in Azure Active Directory B2C, a web application named webapp1 is registered in Azure AD B2C. You can use this application to call the web API.

  1. Select App registrations, and then select the web application that should have access to the API. For example, webapp1.
  2. Under Manage, select API permissions.
  3. Under Configured permissions, select Add a permission.
  4. Select the My APIs tab.
  5. Select the API to which the web application should be granted access. For example, webapi1.
  6. Under Permission, expand demo, and then select the scopes that you defined earlier. For example, demo.read and demo.write.
  7. Select Add permissions.
  8. Select Grant admin consent for (your tenant name).
  9. If you're prompted to select an account, select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that has been assigned at least the Cloud application administrator role.
  10. Select Yes.
  11. Select Refresh, and then verify that "Granted for ..." appears under Status for both scopes.

Your application is now registered to call the protected web API. A user authenticates with Azure AD B2C to use the application, and the application obtains an authorization grant from Azure AD B2C to access the protected web API. Granting the permission in the portal only lets the client obtain a token that carries the scopes; the web API itself still has to validate each access token and enforce the scopes it carries, otherwise the scope definitions restrict nothing.
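The scope definitions from Configure scopes and the flow just described, carried through end to end as an added example that is not part of the original article: the client builds its scope request by prefixing each scope name with the Application ID URI, and the web API checks the `aud`, `exp`, `nbf` and `scp` claims before serving a request. The tenant URI, the placeholder client ID and the test tokens are assumptions or constructed inputs, and the code assumes the token's signature and issuer have already been verified by the framework's JWT middleware against the tenant's signing keys, since a claim check on an unverified token proves nothing.

```python
"""Scope-based access control for a web API registered in Azure AD B2C.

Added example, not code from the original article. Assumptions:
  * the API's Application ID URI is https://your-tenant-name.partner.onmschina.cn/api
    and it exposes the scopes demo.read and demo.write, as configured above;
  * API_CLIENT_ID is a placeholder for the Application (client) ID recorded
    when webapi1 was registered;
  * the token's signature and issuer have ALREADY been verified by the web
    framework's JWT middleware. The checks below are the claim checks that
    come after signature verification; they are not a substitute for it.
"""
import base64
import json
import time
from typing import Optional

API_APP_ID_URI = "https://your-tenant-name.partner.onmschina.cn/api"  # assumed tenant URI
API_CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder client ID


def scopes_for_request(*scope_names: str) -> str:
    """Client side: build the scope parameter for a token request.

    Each scope defined on the API is prefixed with the Application ID URI,
    so demo.read becomes <Application ID URI>/demo.read.
    """
    return " ".join(f"{API_APP_ID_URI}/{name}" for name in scope_names)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


class AccessDenied(Exception):
    """Raised when the token must be rejected (map to HTTP 401 or 403)."""


def authorize(claims: dict, required_scope: str, now: Optional[float] = None) -> set:
    """API side: enforce audience, lifetime and scope. Returns the granted scopes."""
    now = time.time() if now is None else now
    # aud must be this API's client ID; a token minted for another application
    # is rejected even if it happens to carry a scope with the same name.
    if claims.get("aud") != API_CLIENT_ID:
        raise AccessDenied("aud mismatch: token was not issued for this API")
    if now >= claims.get("exp", 0):
        raise AccessDenied("token expired")
    if now < claims.get("nbf", 0):
        raise AccessDenied("token not yet valid")
    # scp is a space-separated list of the scope names (without the URI prefix)
    # that the client application was granted consent for.
    granted = set(claims.get("scp", "").split())
    if required_scope not in granted:
        raise AccessDenied(f"missing scope {required_scope}; token has {sorted(granted)}")
    return granted


def make_test_token(claims: dict) -> str:
    """Constructed test input only: a JWT-shaped string with a dummy signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


def handle_write(token: str, now: Optional[float] = None) -> str:
    """A write endpoint that requires the demo.write scope."""
    authorize(decode_claims(token), "demo.write", now)
    return "written"


if __name__ == "__main__":
    print(scopes_for_request("demo.read", "demo.write"))
    read_only = make_test_token({"aud": API_CLIENT_ID, "nbf": 1_000_000_000,
                                 "exp": 2_000_000_000, "scp": "demo.read"})
    print(authorize(decode_claims(read_only), "demo.read", now=1_500_000_000))
    try:
        handle_write(read_only, now=1_500_000_000)
    except AccessDenied as e:
        print("denied:", e)
```

When wiring this into a real endpoint, return 401 for a missing, expired or wrong-audience token and 403 for a valid token that lacks the required scope, and keep the signature and issuer checks in the middleware that runs before `authorize` is ever reached.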