Add a web API application to your Azure Active Directory B2C tenant

Register web API resources in your tenant so that they can accept and respond to requests by client applications that present an access token. This article shows you how to register a web API in Azure Active Directory B2C (Azure AD B2C).

To register an application in your Azure AD B2C tenant, you can use the current Applications experience.

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directory + subscription filter in the top menu and choose the directory that contains your tenant.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. Select Applications, and then select Add.
  5. Enter a name for the application. For example, webapi1.
  6. For Include web app/web API and Allow implicit flow, select Yes.
  7. For Reply URL, enter an endpoint where Azure AD B2C should return any tokens that your application requests. In your production application, you might set the reply URL to a value such as https://localhost:44332. For testing purposes, set the reply URL to https://jwt.ms.
  8. For App ID URI, enter the identifier used for your web API. The full identifier URI, including the domain, is generated for you. For example, https://contosotenant.partner.onmschina.cn/api.
  9. Click Create.
  10. On the properties page, record the application ID that you'll use when you configure the web application.

Configure scopes

Scopes provide a way to govern access to protected resources. Scopes are used by the web API to implement scope-based access control. For example, users of the web API could have both read and write access, or users of the web API might have only read access. In this tutorial, you use scopes to define read and write permissions for the web API.

  1. Select Applications.
  2. Select the webapi1 application to open its Properties page.
  3. Select Published scopes. Published scopes can be used to grant a client application certain permissions to the web API.
  4. For SCOPE, enter demo.read, and for DESCRIPTION, enter Read access to the web API.
  5. For SCOPE, enter demo.write, and for DESCRIPTION, enter Write access to the web API.
  6. Select Save.
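The scope-based access control described above, as an added example that is not part of the original article: the web API inspects the `scp` claim of the incoming access token (a space-separated list of granted scopes) and checks the `aud` claim against its own application ID before serving a request. The JWT library that validates the token's signature, issuer and expiry is assumed to run first; the application ID and claims below are constructed placeholders.

```python
# Scope-based access control over the claims of an Azure AD B2C access token.
# Assumption: signature, issuer (iss) and expiry (exp) were already validated
# by a JWT library; this code only enforces audience and scope.

# Placeholder for the application ID recorded on the web API's properties page.
API_APP_ID = "00000000-0000-0000-0000-000000000000"

# Map of HTTP methods to the published scope each one requires.
READ_METHODS = {"GET", "HEAD", "OPTIONS"}


def required_scope(method: str) -> str:
    """Read-only methods need demo.read; everything else needs demo.write."""
    return "demo.read" if method.upper() in READ_METHODS else "demo.write"


def granted_scopes(claims: dict) -> set:
    """Parse the space-separated scp claim; a missing claim grants nothing."""
    return set(claims.get("scp", "").split())


def check_access(claims: dict, api_app_id: str, method: str):
    """Return (allowed, reason) for a request carrying the given token claims."""
    # The token must have been issued for this API, not for another resource.
    if claims.get("aud") != api_app_id:
        return False, "audience mismatch"
    needed = required_scope(method)
    if needed not in granted_scopes(claims):
        return False, f"missing scope {needed}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample claims, not a real token: the client was granted
    # only demo.read, so a write is refused while a read is allowed.
    sample = {"aud": API_APP_ID, "scp": "demo.read"}
    print(check_access(sample, API_APP_ID, "GET"))   # (True, 'ok')
    print(check_access(sample, API_APP_ID, "POST"))  # (False, 'missing scope demo.write')
```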

Grant permissions

To call a protected web API from an application, you need to grant your application permissions to the API. For example, in Tutorial: Register an application in Azure Active Directory B2C, a web application named webapp1 is registered in Azure AD B2C. You can use this application to call the web API.

  1. Select Applications, and then select the web application that should have access to the API. For example, webapp1.
  2. Select API access, and then select Add.
  3. In the Select API dropdown, select the API to which the web application should be granted access. For example, webapi1.
  4. In the Select Scopes dropdown, select the scopes that you defined earlier. For example, demo.read and demo.write.
  5. Select OK.

Your application is now registered to call the protected web API. A user authenticates with Azure AD B2C to use the application. The application obtains an authorization grant from Azure AD B2C to access the protected web API.