Application types that can be used in Active Directory B2C

Azure Active Directory B2C (Azure AD B2C) supports authentication for a variety of modern application architectures. All of them are based on the industry standard protocols OAuth 2.0 or OpenID Connect. This article describes the types of applications that you can build, independent of the language or platform you prefer. It also helps you understand the high-level scenarios before you start building applications.

Every application that uses Azure AD B2C must be registered in your Azure AD B2C tenant by using the Azure portal. The application registration process collects and assigns values, such as:

  • An Application ID that uniquely identifies your application.
  • A Reply URL that can be used to direct responses back to your application.

Each request that is sent to Azure AD B2C specifies a user flow (a built-in policy) or a custom policy that controls the behavior of Azure AD B2C. Both policy types enable you to create a highly customizable set of user experiences.

The interaction of every application follows a similar high-level pattern:

  1. The application directs the user to the v2.0 endpoint to execute a policy.
  2. The user completes the policy according to the policy definition.
  3. The application receives a security token from the v2.0 endpoint.
  4. The application uses the security token to access protected information or a protected resource.
  5. The resource server validates the security token to verify that access can be granted.
  6. The application periodically refreshes the security token.

These steps can differ slightly based on the type of application you're building.

Web applications

For web applications (including .NET, PHP, Java, Ruby, Python, and Node.js) that are hosted on a server and accessed through a browser, Azure AD B2C supports OpenID Connect for all user experiences. In the Azure AD B2C implementation of OpenID Connect, your web application initiates user experiences by issuing authentication requests to Azure AD. The result of the request is an id_token. This security token represents the user's identity. It also provides information about the user in the form of claims:

// Partial raw id_token
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cd...

// Partial content of a decoded id_token
{
    "name": "John Smith",
    "email": "john.smith@gmail.com",
    "oid": "d9674823-dffc-4e3f-a6eb-62fe4bd48a58"
    ...
}

Learn more about the types of tokens and claims available to an application in the Azure AD B2C token reference.

In a web application, each execution of a policy takes these high-level steps:

  1. The user browses to the web application.
  2. The web application redirects the user to Azure AD B2C, indicating the policy to execute.
  3. The user completes the policy.
  4. Azure AD B2C returns an id_token to the browser.
  5. The id_token is posted to the redirect URI.
  6. The id_token is validated and a session cookie is set.
  7. A secure page is returned to the user.

Validation of the id_token by using a public signing key that is received from Azure AD is sufficient to verify the identity of the user. This process also sets a session cookie that can be used to identify the user on subsequent page requests.

To see this scenario in action, try one of the web application sign-in code samples in our Getting started section.

In addition to facilitating simple sign-in, a web server application might also need to access a back-end web service. In this case, the web application can perform a slightly different OpenID Connect flow and acquire tokens by using authorization codes and refresh tokens. This scenario is depicted in the following Web APIs section.

Single-page applications

Many modern web applications are built as client-side single-page applications ("SPAs"). Developers write them by using JavaScript or a SPA framework such as Angular, Vue, and React. These applications run in a web browser and have different authentication characteristics than traditional server-side web applications.

Azure AD B2C provides two options to enable single-page applications to sign in users and get tokens to access back-end services or web APIs:

Authorization code flow (with PKCE)

  • OAuth 2.0 Authorization code flow (with PKCE). The authorization code flow allows the application to exchange an authorization code for ID tokens to represent the authenticated user and Access tokens needed to call protected APIs. In addition, it returns Refresh tokens that provide long-term access to resources on behalf of users without requiring interaction with those users.

This is the recommended approach. Having limited-lifetime refresh tokens helps your application adapt to modern browser cookie privacy limitations, like Safari ITP.

To take advantage of this flow, your application can use an authentication library that supports it, like MSAL.js 2.x.


Implicit grant flow

  • OAuth 2.0 implicit flow. Some frameworks, like MSAL.js 1.x, only support the implicit grant flow. The implicit grant flow allows the application to get ID and Access tokens. Unlike the authorization code flow, the implicit grant flow does not return a Refresh token.

This authentication flow does not include application scenarios that use cross-platform JavaScript frameworks such as Electron and React-Native. Those scenarios require further capabilities for interaction with the native platforms.

Web APIs

You can use Azure AD B2C to secure web services such as your application's RESTful web API. Web APIs can use OAuth 2.0 to secure their data, by authenticating incoming HTTP requests using tokens. The caller of a web API appends a token in the authorization header of an HTTP request:

GET /api/items HTTP/1.1
Host: www.mywebapi.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6...
Accept: application/json
...

The web API can then use the token to verify the API caller's identity and to extract information about the caller from claims that are encoded in the token. Learn more about the types of tokens and claims available to an app in the Azure AD B2C token reference.

A web API can receive tokens from many types of clients, including web applications, desktop and mobile applications, single-page applications, server-side daemons, and other web APIs. Here's an example of the complete flow for a web application that calls a web API:

  1. The web application executes a policy and the user completes the user experience.
  2. Azure AD B2C returns an (OpenID Connect) id_token and an authorization code to the browser.
  3. The browser posts the id_token and authorization code to the redirect URI.
  4. The web server validates the id_token and sets a session cookie.
  5. The web server asks Azure AD B2C for an access_token by providing it with the authorization code, application client ID, and client credentials.
  6. The access_token and refresh_token are returned to the web server.
  7. The web API is called with the access_token in an authorization header.
  8. The web API validates the token.
  9. Secure data is returned to the web application.

To learn more about authorization codes, refresh tokens, and the steps for getting tokens, read about the OAuth 2.0 protocol.

To learn how to secure a web API by using Azure AD B2C, check out the web API tutorials in our Getting started section.

Mobile and native applications

Applications that are installed on devices, such as mobile and desktop applications, often need to access back-end services or web APIs on behalf of users. You can add customized identity management experiences to your native applications and securely call back-end services by using Azure AD B2C and the OAuth 2.0 authorization code flow.

In this flow, the application executes policies and receives an authorization_code from Azure AD after the user completes the policy. The authorization_code represents the application's permission to call back-end services on behalf of the user who is currently signed in. The application can then exchange the authorization_code in the background for an access_token and a refresh_token. The application can use the access_token to authenticate to a back-end web API in HTTP requests. It can also use the refresh_token to get a new access_token when an older one expires.

Current limitations

Unsupported application types

Daemons/server-side applications

Applications that contain long-running processes or that operate without the presence of a user also need a way to access secured resources such as web APIs. These applications can authenticate and get tokens by using the application's identity (rather than a user's delegated identity) and by using the OAuth 2.0 client credentials flow. The client credentials flow is not the same as the on-behalf-of flow, and the on-behalf-of flow should not be used for server-to-server authentication.

Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up the client credentials flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.

To set up the client credentials flow, see Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow. A successful authentication results in the receipt of a token formatted so that it can be used by Azure AD, as described in the Azure AD token reference.

For instructions on registering a management application, see Manage Azure AD B2C with Microsoft Graph.

Web API chains (on-behalf-of flow)

Many architectures include a web API that needs to call another downstream web API, where both are secured by Azure AD B2C. This scenario is common in native clients that have a web API back-end which in turn calls a Microsoft online service such as the Microsoft Graph API.

This chained web API scenario can be supported by using the OAuth 2.0 JWT bearer credential grant, also known as the on-behalf-of flow. However, the on-behalf-of flow is not currently implemented in Azure AD B2C.

Faulted apps

Do not edit Azure AD B2C applications in these ways:

  • On other application management portals such as the Portal.
  • Using Graph API or PowerShell.

If you edit the Azure AD B2C application outside of the Azure portal, it becomes a faulted application and is no longer usable with Azure AD B2C. Delete the application and create it again.

To delete the application, go to the Azure portal and delete the application there. In order for the application to be visible, you need to be the owner of the application (and not just an admin of the tenant).

Next steps

Find out more about the built-in policies provided by User flows in Azure Active Directory B2C.