OAuth 2.0 authorization code flow in Azure Active Directory B2C

You can use the OAuth 2.0 authorization code grant in apps installed on a device to gain access to protected resources, such as web APIs. By using the Azure Active Directory B2C (Azure AD B2C) implementation of OAuth 2.0, you can add sign-up, sign-in, and other identity management tasks to your single-page, mobile, and desktop apps. This article is language-independent: it describes how to send and receive the HTTP messages without using any open-source libraries. When possible, we recommend that you use the supported Microsoft Authentication Libraries (MSAL). Take a look at the sample apps that use MSAL.

The OAuth 2.0 authorization code flow is described in section 4.1 of the OAuth 2.0 specification. You can use it for authentication and authorization in most application types, including web applications, single-page applications, and natively installed applications. You can use the OAuth 2.0 authorization code flow to securely acquire access tokens and refresh tokens for your applications, which can be used to access resources that are secured by an authorization server. The refresh token allows the client to acquire new access (and refresh) tokens once the access token expires, typically after one hour.

This article focuses on the public client OAuth 2.0 authorization code flow. A public client is any client application that cannot be trusted to securely maintain the integrity of a secret password. This includes single-page applications, mobile apps, desktop applications, and essentially any application that doesn't run on a server.

Note

To add identity management to a web app by using Azure AD B2C, use OpenID Connect instead of OAuth 2.0.

Azure AD B2C extends the standard OAuth 2.0 flows to do more than simple authentication and authorization. It introduces the user flow. With user flows, you can use OAuth 2.0 to add user experiences to your application, such as sign-up, sign-in, and profile management. Identity providers that use the OAuth 2.0 protocol include Azure Active Directory, QQ, WeChat, and Weibo.

To try the HTTP requests in this article:

  1. Replace {tenant} with the name of your Azure AD B2C tenant.
  2. Replace 90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 with the app ID of an application you've previously registered in your Azure AD B2C tenant.
  3. Replace {policy} with the name of a policy you've created in your tenant, for example b2c_1_sign_in.

Redirect URI setup required for single-page apps

The authorization code flow for single-page applications requires some additional setup. Follow the instructions for creating your single-page application to correctly mark your redirect URI as enabled for CORS. To update an existing redirect URI to enable CORS, you can click the migrate prompt in the "Web" section of the app registration's Authentication tab. Alternatively, you can open the app registration manifest editor and set the type field for your redirect URI to spa in the replyUrlsWithType section.

The spa redirect type is backwards compatible with the implicit flow. Apps currently using the implicit flow to get tokens can move to the spa redirect URI type without issues and continue using the implicit flow.

1. Get an authorization code

The authorization code flow begins with the client directing the user to the /authorize endpoint. This is the interactive part of the flow, where the user takes action. In this request, the client indicates in the scope parameter the permissions that it needs to acquire from the user. The following example (with line breaks for readability) shows the request; the same request shape is used for any user flow you substitute for {policy}.

GET https://{tenant}.b2clogin.cn/{tenant}.partner.onmschina.cn/{policy}/oauth2/v2.0/authorize?
client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
&response_type=code
&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob
&response_mode=query
&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6%20offline_access
&state=arbitrary_data_you_can_receive_in_the_response
&code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
&code_challenge_method=S256
| Parameter | Required? | Description |
|---|---|---|
| {tenant} | Required | Name of your Azure AD B2C tenant. |
| {policy} | Required | The user flow to be run. Specify the name of a user flow you've created in your Azure AD B2C tenant. For example: b2c_1_sign_in, b2c_1_sign_up, or b2c_1_edit_profile. |
| client_id | Required | The application ID assigned to your app in the Azure portal. |
| response_type | Required | The response type, which must include code for the authorization code flow. |
| redirect_uri | Required | The redirect URI of your app, where authentication responses are sent and received by your app. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL-encoded. |
| scope | Required | A space-separated list of scopes. A single scope value indicates to Azure Active Directory (Azure AD) both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The offline_access scope indicates that your app needs a refresh token for long-lived access to resources. You also can use the openid scope to request an ID token from Azure AD B2C. |
| response_mode | Recommended | The method that you use to send the resulting authorization code back to your app. It can be query, form_post, or fragment. |
| state | Recommended | A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred, for example the page the user was on or the user flow that was being executed. |
| prompt | Optional | The type of user interaction that is required. Currently, the only valid value is login, which forces the user to enter their credentials on that request. Single sign-on will not take effect. |
| code_challenge | Recommended / required | Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). Required if code_challenge_method is included. For more information, see the PKCE RFC. This is now recommended for all application types: native apps, SPAs, and confidential clients like web apps. |
| code_challenge_method | Recommended / required | The method used to encode the code_verifier for the code_challenge parameter. This SHOULD be S256, but the spec allows the use of plain if for some reason the client cannot support SHA256. If code_challenge_method is omitted but code_challenge is included, code_challenge is assumed to be plain. The Microsoft identity platform supports both plain and S256. For more information, see the PKCE RFC. This is required for single-page apps using the authorization code flow. |

At this point, the user is asked to complete the user flow's workflow. This might involve the user entering their username and password, signing in with a social identity, signing up for the directory, or any number of other steps. User actions depend on how the user flow is defined.

After the user completes the user flow, Azure AD returns a response to your app at the value you used for redirect_uri. It uses the method specified in the response_mode parameter. The response is exactly the same for each of the user action scenarios, independent of the user flow that was executed.

A successful response that uses response_mode=query looks like this:

GET urn:ietf:wg:oauth:2.0:oob?
code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...        // the authorization_code, truncated
&state=arbitrary_data_you_can_receive_in_the_response                // the value provided in the request
| Parameter | Description |
|---|---|
| code | The authorization code that the app requested. The app can use the authorization code to request an access token for a target resource. Authorization codes are very short-lived. Typically, they expire after about 10 minutes. |
| state | See the full description in the table in the preceding section. If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. |

Error responses also can be sent to the redirect URI so that the app can handle them appropriately:

GET urn:ietf:wg:oauth:2.0:oob?
error=access_denied
&error_description=The+user+has+cancelled+entering+self-asserted+information
&state=arbitrary_data_you_can_receive_in_the_response
| Parameter | Description |
|---|---|
| error | An error code string that you can use to classify the types of errors that occur. You also can use the string to react to errors. |
| error_description | A specific error message that can help you identify the root cause of an authentication error. |
| state | See the full description in the preceding table. If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. |
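The whole first leg as a worked example (added here; it is not code from the article or from MSAL): it generates a PKCE code_verifier and its S256 code_challenge, builds the /authorize request from the table above with a random state, validates the redirect response (state check first, then the error branch) and prepares the step 2 token request body for a public client. The tenant, policy and app ID are the article's placeholders; the function names and the sample redirect URLs in the test are my own.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders from the article: replace {tenant}, {policy} and the app ID with your own.
TENANT = "{tenant}"
POLICY = "{policy}"
CLIENT_ID = "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6"
REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"
BASE = f"https://{TENANT}.b2clogin.cn/{TENANT}.partner.onmschina.cn/{POLICY}/oauth2/v2.0"


def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires for verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, verifier: str) -> str:
    """Step 1 request; urlencode handles the URL-encoding of redirect_uri and scope."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": f"{CLIENT_ID} offline_access",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{BASE}/authorize?" + urlencode(params)


def parse_redirect(redirected_url: str, expected_state: str) -> str:
    """Return the authorization code, or raise if state mismatches or B2C reports an error."""
    q = parse_qs(urlparse(redirected_url).query)
    # Check state before trusting anything else in the response (CSRF / stale response)
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: discard this response")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def token_request_body(code: str, verifier: str) -> str:
    """Step 2 body for a public client: no client_secret, the verifier proves possession."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "scope": f"{CLIENT_ID} offline_access",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    })
```

The verifier must be kept in the client between the two legs (never sent in step 1); only its hash travels in the authorize request.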

2. Get an access token

Now that you've acquired an authorization code, you can redeem the code for a token to the intended resource by sending a POST request to the /token endpoint. In Azure AD B2C, you can request access tokens for other APIs as usual by specifying their scope(s) in the request.

You can also request an access token for your app's own back-end web API by the convention of using the app's client ID as the requested scope (which results in an access token with that client ID as the "audience"):

POST https://{tenant}.b2clogin.cn/{tenant}.partner.onmschina.cn/{policy}/oauth2/v2.0/token HTTP/1.1

Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 offline_access&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...&redirect_uri=urn:ietf:wg:oauth:2.0:oob&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong 
| Parameter | Required? | Description |
|---|---|---|
| {tenant} | Required | Name of your Azure AD B2C tenant. |
| {policy} | Required | The user flow that was used to acquire the authorization code. You cannot use a different user flow in this request. |
| client_id | Required | The application ID assigned to your app in the Azure portal. |
| client_secret | Yes, in web apps | The application secret that was generated in the Azure portal. Client secrets are used in this flow for web app scenarios, where the client can securely store a client secret. For native app (public client) scenarios, client secrets cannot be securely stored and therefore are not used in this call. If you use a client secret, please change it on a periodic basis. |
| grant_type | Required | The type of grant. For the authorization code flow, the grant type must be authorization_code. |
| scope | Recommended | A space-separated list of scopes. A single scope value indicates to Azure AD both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The offline_access scope indicates that your app needs a refresh token for long-lived access to resources. You also can use the openid scope to request an ID token from Azure AD B2C. |
| code | Required | The authorization code that you acquired in the first leg of the flow. |
| redirect_uri | Required | The redirect URI of the application where you received the authorization code. |
| code_verifier | Recommended | The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the PKCE RFC. |

A successful token response looks like this:

{
    "not_before": "1442340812",
    "token_type": "Bearer",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "scope": "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 offline_access",
    "expires_in": "3600",
    "refresh_token": "AAQfQmvuDy8WtUv-sd0TBwWVQs1rC-Lfxa_NDkLqpg50Cxp5Dxj0VPF1mx2Z..."
}
| Parameter | Description |
|---|---|
| not_before | The time at which the token is considered valid, in epoch time. |
| token_type | The token type value. The only type that Azure AD supports is Bearer. |
| access_token | The signed JSON Web Token (JWT) that you requested. |
| scope | The scopes that the token is valid for. You also can use scopes to cache tokens for later use. |
| expires_in | The length of time that the token is valid (in seconds). |
| refresh_token | An OAuth 2.0 refresh token. The app can use this token to acquire additional tokens after the current token expires. Refresh tokens are long-lived. You can use them to retain access to resources for extended periods of time. For more information, see the Azure AD B2C token reference. |

Error responses look like this:

{
    "error": "access_denied",
    "error_description": "The user revoked access to the app."
}
| Parameter | Description |
|---|---|
| error | An error code string that you can use to classify the types of errors that occur. You also can use the string to react to errors. |
| error_description | A specific error message that can help you identify the root cause of an authentication error. |

3. Use the token

Now that you've successfully acquired an access token, you can use the token in requests to your back-end web APIs by including it in the Authorization header:

GET /tasks
Host: mytaskwebapi.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...

4. Refresh the token

Access tokens and ID tokens are short-lived. After they expire, you must refresh them to continue to access resources. To do this, submit another POST request to the /token endpoint. This time, provide the refresh_token instead of the code:

POST https://{tenant}.b2clogin.cn/{tenant}.partner.onmschina.cn/{policy}/oauth2/v2.0/token HTTP/1.1

Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 offline_access&refresh_token=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...&redirect_uri=urn:ietf:wg:oauth:2.0:oob
| Parameter | Required? | Description |
|---|---|---|
| {tenant} | Required | Name of your Azure AD B2C tenant. |
| {policy} | Required | The user flow that was used to acquire the original refresh token. You cannot use a different user flow in this request. |
| client_id | Required | The application ID assigned to your app in the Azure portal. |
| client_secret | Yes, in web apps | The application secret that was generated in the Azure portal. Client secrets are used in this flow for web app scenarios, where the client can securely store a client secret. For native app (public client) scenarios, client secrets cannot be securely stored and therefore are not used in this call. If you use a client secret, please change it on a periodic basis. |
| grant_type | Required | The type of grant. For this leg of the authorization code flow, the grant type must be refresh_token. |
| scope | Recommended | A space-separated list of scopes. A single scope value indicates to Azure AD both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The offline_access scope indicates that your app will need a refresh token for long-lived access to resources. You also can use the openid scope to request an ID token from Azure AD B2C. |
| redirect_uri | Optional | The redirect URI of the application where you received the authorization code. |
| refresh_token | Required | The original refresh token that you acquired in the second leg of the flow. |

A successful token response looks like this:

{
    "not_before": "1442340812",
    "token_type": "Bearer",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "scope": "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 offline_access",
    "expires_in": "3600",
    "refresh_token": "AAQfQmvuDy8WtUv-sd0TBwWVQs1rC-Lfxa_NDkLqpg50Cxp5Dxj0VPF1mx2Z..."
}
| Parameter | Description |
|---|---|
| not_before | The time at which the token is considered valid, in epoch time. |
| token_type | The token type value. The only type that Azure AD supports is Bearer. |
| access_token | The signed JWT that you requested. |
| scope | The scopes that the token is valid for. You also can use the scopes to cache tokens for later use. |
| expires_in | The length of time that the token is valid (in seconds). |
| refresh_token | An OAuth 2.0 refresh token. The app can use this token to acquire additional tokens after the current token expires. Refresh tokens are long-lived, and can be used to retain access to resources for extended periods of time. For more information, see the Azure AD B2C token reference. |

Error responses look like this:

{
    "error": "access_denied",
    "error_description": "The user revoked access to the app."
}
| Parameter | Description |
|---|---|
| error | An error code string that you can use to classify the types of errors that occur. You also can use the string to react to errors. |
| error_description | A specific error message that can help you identify the root cause of an authentication error. |
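Handling the /token responses from steps 2 and 4 and building the refresh request, as an added example that is not code from the article or from MSAL: it distinguishes the success and error response shapes shown above, converts the string-valued not_before and expires_in fields, computes an absolute expiry so the client can refresh shortly before the access token lapses, and builds the refresh_token grant body for a public client. The tenant, policy and app ID are the article's placeholders; the sample responses are constructed (tokens truncated) and the helper names are my own.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlencode

# Placeholders from the article: replace {tenant}, {policy} and the app ID with your own.
TENANT = "{tenant}"
POLICY = "{policy}"
CLIENT_ID = "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6"
SCOPE = f"{CLIENT_ID} offline_access"
TOKEN_URL = f"https://{TENANT}.b2clogin.cn/{TENANT}.partner.onmschina.cn/{POLICY}/oauth2/v2.0/token"


class TokenError(Exception):
    """Raised for the {"error": ..., "error_description": ...} response shape."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str   # empty if offline_access was not granted
    scope: str
    not_before: int      # epoch seconds, taken from the response
    expires_at: int      # epoch seconds, computed from expires_in


def parse_token_response(body: str, received_at: int) -> TokenSet:
    """Parse a /token response body; numeric fields arrive as strings, so convert explicitly."""
    data = json.loads(body)
    if "error" in data:
        raise TokenError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type") != "Bearer":
        raise TokenError(f"unexpected token_type {data.get('token_type')!r}")
    return TokenSet(
        access_token=data["access_token"],
        refresh_token=data.get("refresh_token", ""),
        scope=data.get("scope", ""),
        not_before=int(data["not_before"]),
        expires_at=received_at + int(data["expires_in"]),
    )


def needs_refresh(tokens: TokenSet, now: int, skew: int = 300) -> bool:
    """True when fewer than `skew` seconds of access-token life remain (default 5 minutes)."""
    return now + skew >= tokens.expires_at


def refresh_request_body(tokens: TokenSet) -> str:
    """Step 4 body: same client_id and scope, refresh_token instead of code, no client_secret."""
    if not tokens.refresh_token:
        raise TokenError("no refresh token available: offline_access was not granted")
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "refresh_token": tokens.refresh_token,
    })


# Constructed sample responses shaped like the article's examples (tokens truncated)
SAMPLE_OK = json.dumps({
    "not_before": "1442340812", "token_type": "Bearer", "access_token": "eyJ0eXAi...",
    "scope": SCOPE, "expires_in": "3600", "refresh_token": "AAQfQmvu...",
})
SAMPLE_ERR = json.dumps({"error": "access_denied",
                         "error_description": "The user revoked access to the app."})
```

A refresh response carries a new refresh_token as well as a new access_token, so replace the stored TokenSet with the parsed result each time rather than keeping the original.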

Use your own Azure AD B2C directory

To try these requests yourself, complete the following steps. Replace the example values we used in this article with your own values.

  1. Create an Azure AD B2C directory. Use the name of your directory in the requests.
  2. Create an application to obtain an application ID and a redirect URI. Include a native client in your app.
  3. Create your user flows to obtain your user flow names.