Tutorial: Register a web application in Azure Active Directory B2C

Before your applications can interact with Azure Active Directory B2C (Azure AD B2C), they must be registered in a tenant that you manage. This tutorial shows you how to register a web application using the Azure portal.

A "web application" refers to a traditional web application that performs most of the application logic on the server. It may be built using frameworks like ASP.NET Core, Maven (Java), Flask (Python), or Express (Node.js).

Important

If you're using a single-page application ("SPA") instead (for example, one built with Angular, Vue, or React), learn how to register a single-page application.

If you're using a native app instead (for example, iOS, Android, mobile, or desktop), learn how to register a native client application.

Prerequisites

If you don't have an Azure subscription, create a trial account before you begin.

If you haven't already created your own Azure AD B2C tenant, create one now. You can also use an existing Azure AD B2C tenant.

Register a web application

To register a web application in your Azure AD B2C tenant, you can use the new unified App registrations experience or the legacy Applications (Legacy) experience. Learn more about the new experience.

  1. Sign in to the Azure portal.

  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.

  3. In the Azure portal, search for and select Azure AD B2C.

  4. Select App registrations, and then select New registration.

  5. Enter a Name for the application. For example, webapp1.

  6. Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows).

  7. Under Redirect URI, select Web, and then enter https://jwt.ms in the URL text box.

    The redirect URI is the endpoint to which the authorization server (Azure AD B2C, in this case) sends the user after completing its interaction with them, and to which an access token or authorization code is sent upon successful authorization. In a production application, it's typically a publicly accessible endpoint where your app is running, like https://contoso.com/auth-response. For testing purposes like this tutorial, you can set it to https://jwt.ms, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). During app development, you might add the endpoint where your application listens locally, like https://localhost:5000. You can add and modify redirect URIs in your registered applications at any time.

    The following restrictions apply to redirect URIs:

    • The reply URL must begin with the scheme https.
    • The reply URL is case-sensitive. Its case must match the case of the URL path of your running application. For example, if your application includes .../abc/response-oidc as part of its path, do not specify .../ABC/response-oidc in the reply URL. Because the web browser treats paths as case-sensitive, cookies associated with .../abc/response-oidc may be excluded if the user is redirected to the case-mismatched .../ABC/response-oidc URL.

  8. Under Permissions, select the Grant admin consent to openid and offline_access permissions check box.

  9. Select Register.
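The redirect URI restrictions above are worth checking before you register a URI (or when diagnosing a login failure). The following is an added example, not part of the tutorial or of any Microsoft library; the registered URI list is a constructed sample built from the tutorial's own values.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect URIs registered for the app in the tutorial.
REGISTERED_REDIRECT_URIS = {
    "https://jwt.ms",
    "https://localhost:5000",
    "https://contoso.com/abc/response-oidc",
}


def check_redirect_uri(uri: str, registered=REGISTERED_REDIRECT_URIS) -> str:
    """Return "ok" if `uri` satisfies the tutorial's restrictions and matches a
    registered URI exactly; otherwise return the reason it would be rejected."""
    # Restriction 1: the reply URL must begin with the scheme https.
    # The comparison is deliberately case-sensitive ("HTTPS://" is not "https://").
    if not uri.startswith("https://"):
        return "scheme must be https"
    if not urlsplit(uri).netloc:
        return "missing host"
    # Restriction 2: the reply URL is case-sensitive, so only an exact match counts.
    if uri in registered:
        return "ok"
    # Diagnostic aid: a case-insensitive hit means the path case is wrong, which is
    # the .../abc vs .../ABC situation the tutorial describes.
    for reg in registered:
        if reg.lower() == uri.lower():
            return f"case mismatch: registered URI is {reg}"
    return "not registered"


if __name__ == "__main__":
    for candidate in (
        "https://jwt.ms",
        "http://jwt.ms",
        "https://contoso.com/ABC/response-oidc",
        "https://attacker.example/auth-response",
    ):
        print(f"{candidate}: {check_redirect_uri(candidate)}")
```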

Create a client secret

For a web application, you need to create an application secret. Your application uses this secret to exchange an authorization code for an access token.

  1. In the Azure AD B2C - App registrations page, select the application you created, for example webapp1.
  2. In the left menu, under Manage, select Certificates & secrets.
  3. Select New client secret.
  4. Enter a description for the client secret in the Description box. For example, clientsecret1.
  5. Under Expires, select a duration for which the secret is valid, and then select Add.
  6. Record the secret's Value. You use this value as the application secret in your application's code.
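To show where the recorded secret is used, here is an added example (not code from the tutorial or from an Azure SDK) of the authorization-code exchange a web app performs against the Azure AD B2C token endpoint. It assumes the tenant uses the default b2clogin.com domain, that the user-flow name and client ID are supplied by the caller, and that the secret is read from the B2C_CLIENT_SECRET environment variable rather than being hardcoded.

```python
import json
import os
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def token_endpoint(tenant: str, user_flow: str) -> str:
    """Azure AD B2C v2.0 token endpoint for a tenant and user flow.
    Assumption: the tenant uses its default <tenant>.b2clogin.com domain."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{user_flow}/oauth2/v2.0/token")


def build_code_exchange(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, scope: str) -> dict:
    """Form fields for exchanging an authorization code for tokens.
    redirect_uri must be byte-for-byte the URI used in the authorization
    request and registered on the app (case-sensitive, https only)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # the Value recorded in step 6
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }


def exchange_code(tenant: str, user_flow: str, client_id: str, code: str,
                  redirect_uri: str, scope: str = "openid offline_access") -> dict:
    """POST the code exchange and return the parsed JSON token response.
    Requires network access; the secret comes from the environment."""
    secret = os.environ["B2C_CLIENT_SECRET"]
    body = urlencode(build_code_exchange(client_id, secret, code,
                                         redirect_uri, scope)).encode()
    req = Request(token_endpoint(tenant, user_flow), data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)
```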

Next steps

In this article, you learned how to:

  • Register a web application
  • Create a client secret

Next, learn how to create user flows to enable your users to sign up, sign in, and manage their profiles.