Set up sign-up and sign-in with OpenID Connect using Azure Active Directory B2C

OpenID Connect is an authentication protocol built on top of OAuth 2.0 that can be used for secure user sign-in. Most identity providers that use this protocol are supported in Azure AD B2C. This article explains how you can add custom OpenID Connect identity providers into your user flows.

Add the identity provider

  1. Sign in to the Azure portal as the global administrator of your Azure AD B2C tenant.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant by clicking the Directory + subscription filter in the top menu and choosing the directory that contains your tenant.
  3. Choose All services in the top-left corner of the Azure portal, then search for and select Azure AD B2C.
  4. Select Identity providers, and then select New OpenID Connect provider.

Configure the identity provider

Every OpenID Connect identity provider describes a metadata document that contains most of the information required to perform sign-in. This includes information such as the URLs to use and the location of the service's public signing keys. The OpenID Connect metadata document is always located at an endpoint that ends in .well-known/openid-configuration. For the OpenID Connect identity provider you are looking to add, enter its metadata URL.

Client ID and secret

To allow users to sign in, the identity provider requires developers to register an application in their service. This application has an ID that is referred to as the client ID, and a client secret. Copy these values from the identity provider and enter them into the corresponding fields.

Note

The client secret is optional. However, you must enter a client secret if you'd like to use the authorization code flow, which uses the secret to exchange the code for the token.

Scope

Scope defines the information and permissions you are looking to gather from your custom identity provider. OpenID Connect requests must contain the openid scope value in order to receive the ID token from the identity provider. Without the ID token, users are not able to sign in to Azure AD B2C using the custom identity provider. Other scopes can be appended, separated by spaces. Refer to the custom identity provider's documentation to see what other scopes may be available.

Response type

The response type describes what kind of information is sent back in the initial call to the authorization_endpoint of the custom identity provider. The following response types can be used:

  • code: As per the authorization code flow, a code is returned to Azure AD B2C. Azure AD B2C then calls the token_endpoint to exchange the code for the token.
  • id_token: An ID token is returned to Azure AD B2C directly from the custom identity provider.

Response mode

The response mode defines the method that should be used to send the data back from the custom identity provider to Azure AD B2C. The following response modes can be used:

  • form_post: This response mode is recommended for best security. The response is transmitted via the HTTP POST method, with the code or token encoded in the body using the application/x-www-form-urlencoded format.
  • query: The code or token is returned as a query parameter.
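As an added example that is not part of the original article, the following Python checks a provider's discovery document against the requirements described in the metadata, scope, response type and response mode sections above (required endpoints over HTTPS, an issuer that matches the metadata URL, a scope containing openid, a response type and mode the provider advertises, and a client secret when the code flow is chosen) and composes the resulting authorization request. The discovery document, issuer, client values and reply URL are constructed placeholders, and the parameter set is a minimal illustration rather than the exact request Azure AD B2C sends.

```python
import json
from urllib.parse import urlencode

# Constructed sample discovery document (made-up values), shaped like what a provider
# serves at https://idp.example.com/.well-known/openid-configuration.
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "response_types_supported": ["code", "id_token"],
  "response_modes_supported": ["query", "form_post"],
  "scopes_supported": ["openid", "profile", "email"]
}"""
METADATA_URL = "https://idp.example.com/.well-known/openid-configuration"

def load_discovery(text: str = DISCOVERY_JSON) -> dict:
    return json.loads(text)

def validate_discovery(doc: dict, metadata_url: str) -> list:
    """Return the problems found; an empty list means the document is usable."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
        elif not doc[key].startswith("https://"):
            problems.append(f"{key} is not https")
    if not metadata_url.endswith("/.well-known/openid-configuration"):
        problems.append("metadata URL must end in .well-known/openid-configuration")
    elif "issuer" in doc and not metadata_url.startswith(doc["issuer"].rstrip("/") + "/"):
        problems.append("issuer does not match the metadata URL")
    return problems

def build_authorization_request(doc, client_id, client_secret, redirect_uri,
                                scope, response_type, response_mode, state, nonce):
    """Compose the request sent to the provider's authorization_endpoint."""
    if "openid" not in scope.split():
        raise ValueError("scope must include openid or no ID token comes back")
    if response_type not in ("code", "id_token"):
        raise ValueError("response_type must be code or id_token")
    if response_type == "code" and not client_secret:
        raise ValueError("authorization code flow needs a client secret for token_endpoint")
    if response_type not in doc.get("response_types_supported", [response_type]):
        raise ValueError(f"provider does not advertise response_type {response_type}")
    if response_mode not in doc.get("response_modes_supported", [response_mode]):
        raise ValueError(f"provider does not advertise response_mode {response_mode}")
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
              "response_type": response_type, "response_mode": response_mode,
              "state": state, "nonce": nonce}
    return doc["authorization_endpoint"] + "?" + urlencode(params)
```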

Domain hint

The domain hint can be used to skip directly to the sign-in page of the specified identity provider, instead of having the user make a selection among the list of available identity providers. To allow this kind of behavior, enter a value for the domain hint. To jump to the custom identity provider, append the parameter domain_hint=<domain hint value> to the end of your request when calling Azure AD B2C for sign-in.

Claims mapping

After the custom identity provider sends an ID token back to Azure AD B2C, Azure AD B2C needs to be able to map the claims from the received token to the claims that Azure AD B2C recognizes and uses. For each of the following mappings, refer to the documentation of the custom identity provider to understand the claims that are returned in the identity provider's tokens:

  • User ID: Enter the claim that provides the unique identifier for the signed-in user.
  • Display Name: Enter the claim that provides the display name or full name for the user.
  • Given Name: Enter the claim that provides the first name of the user.
  • Surname: Enter the claim that provides the last name of the user.
  • Email: Enter the claim that provides the email address of the user.
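The claims mapping above, as an added Python example that is not part of the original article: it reads the payload of a constructed ID token, checks issuer, audience and nonce against the expected values, and maps the provider's claims to the five portal fields, failing closed when the User ID claim is absent. The token payload, issuer and client ID are made-up values, and the standard OIDC claim names on the right-hand side of the mapping are an assumption about the provider; the token signature is deliberately not checked here, since Azure AD B2C performs that check against the provider's jwks_uri.

```python
import base64
import json

# Constructed sample ID token payload (made-up values) as a custom provider might return
# it. B2C verifies the token signature against jwks_uri before trusting any claim.
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com", "aud": "client-id-placeholder",
    "sub": "a1b2c3", "name": "Avery Example", "given_name": "Avery",
    "family_name": "Example", "email": "avery@example.com", "nonce": "nonce456",
}

# Left: the portal's claims-mapping fields. Right: claim names taken from the
# provider's documentation (assumed here to be the standard OIDC names).
CLAIMS_MAPPING = {
    "User ID": "sub", "Display Name": "name", "Given Name": "given_name",
    "Surname": "family_name", "Email": "email",
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment with its padding stripped, as JWT segments are."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def payload_from_jwt(token: str) -> dict:
    """Return the payload (middle segment) of a compact JWT; no signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(b64url_decode(parts[1]))

def map_claims(payload, mapping, expected_issuer, expected_audience, expected_nonce):
    """Map provider claims to B2C claims, failing closed if User ID cannot be mapped."""
    if payload.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if payload.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    mapped = {}
    for b2c_claim, source in mapping.items():
        if source in payload:
            mapped[b2c_claim] = payload[source]
        elif b2c_claim == "User ID":
            raise ValueError(f"User ID claim {source!r} missing: user cannot be identified")
    return mapped

def make_sample_token(payload=SAMPLE_PAYLOAD) -> str:
    """Assemble a compact token around the sample payload; the signature is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".placeholder-signature"
```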