Azure AD B2C: Authentication protocols

Azure Active Directory B2C (Azure AD B2C) provides identity as a service for your apps by supporting two industry-standard protocols: OpenID Connect and OAuth 2.0. The service is standards-compliant, but any two implementations of these protocols can differ in subtle ways.

The information in this guide is useful if you write your code by sending and handling HTTP requests directly, rather than by using an open source library. We recommend that you read this page before you dive into the details of each specific protocol. If you're already familiar with Azure AD B2C, you can go straight to the protocol reference guides.

The basics

Every app that uses Azure AD B2C needs to be registered in your B2C directory in the Azure portal. The app registration process collects and assigns a few values to your app:

  • An Application ID that uniquely identifies your app.
  • A Redirect URI or package identifier that can be used to direct responses back to your app.
  • A few other scenario-specific values. For more information, learn how to register your application.

After you register your app, it communicates with Azure Active Directory (Azure AD) by sending requests to these endpoints:

https://{tenant}.b2clogin.cn/{tenant}.partner.onmschina.cn/oauth2/v2.0/authorize
https://{tenant}.b2clogin.cn/{tenant}.partner.onmschina.cn/oauth2/v2.0/token

In nearly all OAuth and OpenID Connect flows, four parties are involved in the exchange:

[Diagram: the four OAuth 2.0 roles]

  • The authorization server is the Azure AD endpoint. It securely handles anything related to user information and access, and it manages the trust relationships between the parties in a flow. It is responsible for verifying the user's identity, granting and revoking access to resources, and issuing tokens. It is also known as the identity provider.

  • The resource owner is typically the end user. It is the party that owns the data, and it has the power to allow third parties to access that data or resource.

  • The OAuth client is your app. It's identified by its Application ID. It's usually the party that end users interact with, and it requests tokens from the authorization server. The resource owner must grant the client permission to access the resource.

  • The resource server is where the resource or data resides. It trusts the authorization server to securely authenticate and authorize the OAuth client, and it relies on bearer access tokens to decide whether to grant access to a resource.

Policies and user flows

Arguably, Azure AD B2C policies are the most important feature of the service. Azure AD B2C extends the standard OAuth 2.0 and OpenID Connect protocols by introducing policies. Policies allow Azure AD B2C to do much more than simple authentication and authorization.

To help you set up the most common identity tasks, the Azure AD B2C portal includes predefined, configurable policies called user flows. User flows fully describe consumer identity experiences, including sign-up, sign-in, and profile editing. User flows can be defined in an administrative UI. They are executed by passing a special query parameter in HTTP authentication requests.

Policies and user flows are not standard features of OAuth 2.0 and OpenID Connect, so you should take the time to understand them. For more information, see the Azure AD B2C user flow reference guide.
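As an added example (not code from the original article or from the Azure AD B2C documentation), the following Python script assembles an authorization-code request against the authorize endpoint shown above, selecting the user flow through the B2C-specific `p` query parameter, checks the redirect back to the app, and builds the matching token request. The tenant name `contoso`, the policy name `B2C_1_signupsignin`, the client ID, the redirect URI and the state, nonce and PKCE verifier are all assumed placeholder values. PKCE (RFC 7636) and the `state` check are standard OAuth 2.0 protections that the article does not cover but that any hand-written client needs.

```python
"""Build and check Azure AD B2C OAuth 2.0 / OpenID Connect requests by hand.

Added example: tenant, policy, client ID and redirect URI are placeholders.
The endpoint shape follows the article (Azure China cloud host names).
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b2c_endpoint(tenant: str, name: str) -> str:
    """Authorize or token endpoint for a B2C tenant, as listed in the article."""
    return (f"https://{tenant}.b2clogin.cn/{tenant}.partner.onmschina.cn"
            f"/oauth2/v2.0/{name}")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Random 43-character PKCE code_verifier (32 bytes of entropy)."""
    return b64url(secrets.token_bytes(32))


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(tenant, client_id, redirect_uri, policy,
                        state, nonce, code_verifier,
                        scope=("openid", "offline_access")):
    """Authorization request; the user flow rides in the B2C-specific `p` parameter."""
    params = {
        "p": policy,                    # user flow / policy to execute
        "client_id": client_id,         # Application ID from the app registration
        "response_type": "code",        # authorization code flow
        "redirect_uri": redirect_uri,   # must match the registered Redirect URI
        "response_mode": "query",
        "scope": " ".join(scope),       # openid is required to get an ID token
        "state": state,                 # bound to the browser session, checked on return
        "nonce": nonce,                 # echoed in the ID token, replay protection
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return b2c_endpoint(tenant, "authorize") + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the app and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}: "
                         f"{query.get('error_description', [''])[0]}")
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this response is not for our session.
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code in response")
    return query["code"][0]


def build_token_request(tenant, client_id, redirect_uri, policy, code,
                        code_verifier, scope=("openid", "offline_access")):
    """Token request: same policy via `p`; code and PKCE verifier go in the form body."""
    url = b2c_endpoint(tenant, "token") + "?" + urlencode({"p": policy})
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,   # proves we are the client that started the flow
        "scope": " ".join(scope),
    }
    return url, form


if __name__ == "__main__":
    verifier = new_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("contoso", "00000000-0000-0000-0000-000000000000",
                              "https://localhost:5000/callback",
                              "B2C_1_signupsignin", state, nonce, verifier))
```

The token request above is the public-client form; a confidential client (a web app with a registered secret) adds `client_secret` to the form body. The `state`, `nonce` and `code_verifier` values must be stored server-side or in the session that started the flow, never derived from the redirect itself.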

Tokens

The Azure AD B2C implementation of OAuth 2.0 and OpenID Connect makes extensive use of bearer tokens, including bearer tokens that are represented as JSON Web Tokens (JWTs). A bearer token is a lightweight security token that grants the "bearer" access to a protected resource.

The bearer is any party that can present the token. Azure AD must first authenticate a party before it can receive a bearer token. But if the required steps are not taken to secure the token in transit and at rest, it can be intercepted and used by an unintended party.

Some security tokens have built-in mechanisms that prevent unauthorized parties from using them; bearer tokens do not. They must be transported over a secure channel such as Transport Layer Security (that is, HTTPS).

If a bearer token is transmitted outside a secure channel, a malicious party can use a man-in-the-middle attack to acquire the token and use it to gain unauthorized access to a protected resource. The same security principles apply when bearer tokens are stored or cached for later use. Always ensure that your app transmits and stores bearer tokens securely.

For additional bearer token security considerations, see RFC 6750 Section 5.

More information about the different types of tokens used in Azure AD B2C is available in the Azure AD token reference.
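Added example (not part of the article): a minimal resource-server check that accepts a bearer JWT only when it arrived over TLS, pins the expected signing algorithm, verifies the signature before reading any claim, and then checks issuer, audience, validity window and the nonce the client sent. Azure AD B2C signs its tokens with RS256 using keys published at the policy's JWKS endpoint (found through the OpenID Connect discovery document) and selected by the token's `kid` header; to keep this example offline it uses an HS256 shared key as a stand-in for that signature step, which is an assumption for illustration and not how B2C tokens are verified in production. The issuer, audience, key, claims and clock values are constructed.

```python
"""Validate a bearer JWT the way a resource server protected by Azure AD B2C should.

Added example. HS256 with a shared key stands in for B2C's RS256 signature
(assumption); issuer, audience, key and timestamps are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Any reason the token must be rejected; the resource server answers 401 (RFC 6750)."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Test-only issuer: header.payload.signature (empty signature for alg 'none')."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def extract_bearer(headers: dict, scheme: str) -> str:
    """Take the token from `Authorization: Bearer ...`; refuse it unless carried over TLS."""
    if scheme.lower() != "https":
        raise TokenError("bearer tokens are only accepted over TLS")
    parts = headers.get("Authorization", "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        raise TokenError("missing or malformed Authorization header")
    return parts[1].strip()


def validate_jwt(token, key, issuer, audience, now=None, nonce=None, leeway=60):
    """Check alg, signature, iss, aud, exp, nbf and optionally nonce; return the claims."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed JWT")
    # Pin the algorithm; never let the token choose (rejects 'none' and alg confusion).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    # Only a token with a valid signature gets its payload parsed.
    try:
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed payload")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was not issued for this resource")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims


if __name__ == "__main__":
    KEY = b"constructed-shared-key"          # stand-in for the B2C signing key
    ISS = "https://contoso.b2clogin.cn/11111111-1111-1111-1111-111111111111/v2.0/"
    AUD = "00000000-0000-0000-0000-000000000000"   # this API's Application ID
    now = int(time.time())
    token = mint_jwt({"iss": ISS, "aud": AUD, "sub": "user-1", "iat": now,
                      "nbf": now, "exp": now + 600, "nonce": "n1"}, KEY)
    bearer = extract_bearer({"Authorization": "Bearer " + token}, "https")
    print(validate_jwt(bearer, KEY, ISS, AUD, nonce="n1")["sub"])
```

The order matters: the algorithm is pinned by the server and the signature is verified before a single claim is trusted, the audience check stops a token minted for another app from being replayed against this API, and the leeway only absorbs clock skew between the authorization server and the resource server.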

Protocols

When you're ready to review some example requests, you can start with one of the following tutorials. Each corresponds to a particular authentication scenario. If you need help determining which flow is right for you, check out the types of apps you can build by using Azure AD B2C.