What is authentication?

Microsoft identity platform (v2.0) is an evolution of the Azure Active Directory (Azure AD) developer platform (v1.0). It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs such as Microsoft Graph or APIs that developers have built. This content is for the older Azure AD v1.0 endpoint. We recommend that you use the v2.0 endpoint for new projects. For more info, read Why update to Microsoft identity platform (v2.0)? as well as Microsoft identity platform limitations.

Authentication is the act of challenging a party for legitimate credentials, providing the basis for creation of a security principal to be used for identity and access control. In simpler terms, it's the process of proving you are who you say you are. Authentication is sometimes shortened to AuthN.

Authorization is the act of granting an authenticated security principal permission to do something. It specifies what data you're allowed to access and what you can do with it. Authorization is sometimes shortened to AuthZ.

Azure Active Directory for developers (v1.0) (Azure AD) simplifies authentication for application developers by providing identity as a service, with support for industry-standard protocols such as OAuth 2.0 and OpenID Connect, as well as open-source libraries for different platforms to help you start coding quickly.

There are two primary use cases in the Azure AD programming model:

  • During an OAuth 2.0 authorization grant flow - when the resource owner grants authorization to the client application, allowing the client to access the resource owner's resources.
  • During resource access by the client - as implemented by the resource server, using the claims values present in the access token to make access control decisions based upon them.

Authentication basics in Azure AD

Consider the most basic scenario where identity is required: a user in a web browser needs to authenticate to a web application. The following diagram shows this scenario:

Web application sign-in overview

Here's what you need to know about the various components shown in the diagram:

  • Azure AD is the identity provider. The identity provider is responsible for verifying the identity of users and applications that exist in an organization's directory, and issues security tokens upon successful authentication of those users and applications.
  • An application that wants to outsource authentication to Azure AD must be registered in Azure Active Directory (Azure AD). Azure AD registers and uniquely identifies the app in the directory.
  • Developers can use the open-source Azure AD authentication libraries to make authentication easy by handling the protocol details for you. For more info, see Microsoft identity platform v2.0 authentication libraries and v1.0 authentication libraries.
  • Once a user has been authenticated, the application must validate the user's security token to ensure that authentication was successful. You can find quickstarts, tutorials, and code samples in a variety of languages and frameworks which show what the application must do.
    • To quickly build an app and add functionality like getting tokens, refreshing tokens, signing in a user, displaying some user info, and more, see the Quickstarts section of the documentation.
    • To get in-depth, scenario-based procedures for top auth developer tasks like obtaining access tokens and using them in calls to the Microsoft Graph API and other APIs, implementing sign-in with Microsoft with a traditional web browser-based app using OpenID Connect, and more, see the Tutorials section of the documentation.
    • To download code samples, go to GitHub.
  • The flow of requests and responses for the authentication process is determined by the authentication protocol that you used, such as OAuth 2.0, OpenID Connect or WS-Federation. For more info about protocols, see the Concepts > Authentication protocol section of the documentation.

In the example scenario above, you can classify the apps according to these two roles:

  • Apps that need to securely access resources
  • Apps that play the role of the resource itself

How each flow emits tokens and codes

Depending on how your client is built, it can use one (or several) of the authentication flows supported by Azure AD. These flows can produce a variety of tokens (id_tokens, refresh tokens, access tokens) as well as authorization codes, and require different tokens to make them work. This chart provides an overview:

Flow                       Requires        id_token   access token   refresh token   authorization code
Authorization code flow                    x          x              x               x
Implicit flow                              x          x
Hybrid OIDC flow                           x                                         x
Refresh token redemption   refresh token   x          x              x
On-behalf-of flow          access token    x          x              x
Client credentials                                    x (app-only)

Tokens issued via the implicit mode have a length limitation due to being passed back to the browser via the URL (where response_mode is query or fragment). Some browsers have a limit on the size of the URL that can be put in the browser bar and fail when it is too long. Thus, these tokens do not have groups or wids claims.

Now that you have an overview of the basics, read on to understand the identity app model and API, how provisioning works in Azure AD, and links to detailed info about the common scenarios that Azure AD supports.

Application model

Azure AD represents applications following a specific model that's designed to fulfill two main functions:

  • Identify the app according to the authentication protocols it supports - This involves enumerating all the identifiers, URLs, secrets, and related information that are needed at authentication time. Here, Azure AD:

    • Holds all the data required to support authentication at run time.
    • Holds all the data for deciding what resources an app might need to access and whether a given request should be fulfilled and under what circumstances.
    • Provides the infrastructure for implementing app provisioning within the app developer's tenant and to any other Azure AD tenant.
  • Handle user consent during token request time and facilitate the dynamic provisioning of apps across tenants - Here, Azure AD:

    • Enables users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
    • Enables administrators to ultimately decide what apps are allowed to do and which users can use specific apps, and how the directory resources are accessed.

In Azure AD, an application object describes an application as an abstract entity. Developers work with applications. At deployment time, Azure AD uses a given application object as a blueprint to create a service principal, which represents a concrete instance of an application within a directory or tenant. It's the service principal that defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. Azure AD creates a service principal from an application object through consent.

The following diagram shows a simplified Azure AD provisioning flow driven by consent. In it, two tenants exist (A and B), where tenant A owns the application, and tenant B is instantiating the application via a service principal.


In this provisioning flow:

  1. A user from tenant B attempts to sign in with the app; the authorization endpoint requests a token for the application.
  2. The user credentials are acquired and verified for authentication.
  3. The user is prompted to provide consent for the app to gain access to tenant B.
  4. Azure AD uses the application object in tenant A as a blueprint for creating a service principal in tenant B.
  5. The user receives the requested token.

You can repeat this process as many times as you want for other tenants (C, D, and so on). Tenant A retains the blueprint for the app (application object). Users and admins of all the other tenants where the app is given consent retain control over what the application is allowed to do through the corresponding service principal object in each tenant. For more information, see Application and service principal objects in Microsoft identity platform.
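To make the application object / service principal split concrete, here is a small Python model of the five-step provisioning flow above. It is an added illustration written for this page, not Microsoft code and not how Azure AD is implemented internally; the tenant names, app name, permission names and reply URL are all constructed. The point it demonstrates is that the blueprint lives in tenant A, that a token request from tenant B fails until consent creates a service principal there, and that tenant B's administrator controls the app afterwards through that service principal alone.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, Set

# Every identifier in this file is constructed for the demo; none is a real Azure AD value.


@dataclass
class ApplicationObject:
    """The blueprint: exists only in the tenant that registered the app (tenant A)."""
    app_id: str
    display_name: str
    home_tenant: str
    required_permissions: Set[str]
    reply_urls: Set[str]


@dataclass
class ServicePrincipal:
    """A concrete instance in one target tenant; it, not the blueprint, governs access there."""
    app_id: str
    tenant_id: str
    consented_by: str
    granted_permissions: Set[str] = field(default_factory=set)
    enabled: bool = True


@dataclass
class Tenant:
    tenant_id: str
    applications: Dict[str, ApplicationObject] = field(default_factory=dict)
    service_principals: Dict[str, ServicePrincipal] = field(default_factory=dict)


class ConsentRequired(Exception):
    """The tenant has no service principal for the app yet (step 3 of the flow)."""


class AccessDenied(Exception):
    """The target tenant's service principal does not allow the request."""


class Directory:
    """Toy multi-tenant directory: app objects in one tenant, service principals in many."""

    def __init__(self) -> None:
        self.tenants: Dict[str, Tenant] = {}

    def add_tenant(self, tenant_id: str) -> Tenant:
        self.tenants[tenant_id] = Tenant(tenant_id)
        return self.tenants[tenant_id]

    def register_app(self, tenant_id: str, name: str, permissions, reply_urls) -> ApplicationObject:
        app = ApplicationObject(str(uuid.uuid4()), name, tenant_id, set(permissions), set(reply_urls))
        self.tenants[tenant_id].applications[app.app_id] = app
        return app

    def _blueprint(self, app_id: str) -> ApplicationObject:
        for tenant in self.tenants.values():
            if app_id in tenant.applications:
                return tenant.applications[app_id]
        raise KeyError(f"no application object for {app_id}")

    def consent(self, tenant_id: str, app_id: str, granted_by: str) -> ServicePrincipal:
        """Steps 3-4: consent in tenant B stamps a service principal out of tenant A's blueprint."""
        blueprint = self._blueprint(app_id)
        sp = ServicePrincipal(app_id, tenant_id, granted_by, set(blueprint.required_permissions))
        self.tenants[tenant_id].service_principals[app_id] = sp
        return sp

    def request_token(self, tenant_id: str, app_id: str, user: str, scope: str, reply_url: str) -> dict:
        """Steps 1 and 5: a token is issued only through an enabled service principal in that tenant."""
        blueprint = self._blueprint(app_id)
        if reply_url not in blueprint.reply_urls:
            raise AccessDenied("reply URL is not registered on the application object")
        sp = self.tenants[tenant_id].service_principals.get(app_id)
        if sp is None:
            raise ConsentRequired(f"{blueprint.display_name} has not been consented to in tenant {tenant_id}")
        if not sp.enabled:
            raise AccessDenied("service principal has been disabled by the tenant's administrator")
        if scope not in sp.granted_permissions:
            raise AccessDenied(f"scope {scope!r} was never granted in tenant {tenant_id}")
        # The claims mirror the ones an Azure AD token carries: tid, appid, upn, scp.
        return {"tid": tenant_id, "appid": app_id, "upn": user, "scp": scope}


def walk_through() -> list:
    """Run the provisioning flow end to end and return what happened at each step."""
    d = Directory()
    d.add_tenant("tenant-A")
    d.add_tenant("tenant-B")
    app = d.register_app("tenant-A", "Expense App", {"User.Read"}, {"https://expense.example/callback"})
    args = ("tenant-B", app.app_id, "bob@tenant-b.example", "User.Read", "https://expense.example/callback")
    outcomes = []
    try:  # step 1: a tenant B user signs in before anyone in tenant B has consented
        d.request_token(*args)
    except ConsentRequired:
        outcomes.append("consent required")
    d.consent("tenant-B", app.app_id, "bob@tenant-b.example")  # steps 3-4
    outcomes.append(d.request_token(*args)["tid"])  # step 5: the token is scoped to tenant B
    d.tenants["tenant-B"].service_principals[app.app_id].enabled = False  # tenant B admin revokes
    try:
        d.request_token(*args)
    except AccessDenied:
        outcomes.append("disabled")
    return outcomes


if __name__ == "__main__":
    print(walk_through())
```

Running `walk_through()` yields `['consent required', 'tenant-B', 'disabled']`: the same blueprint in tenant A serves every tenant, but each tenant's own service principal is the object that an administrator disables, or whose granted permissions bound what scope a token may carry.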

Claims in Azure AD security tokens

Security tokens (access and ID tokens) issued by Azure AD contain claims, or assertions of information about the subject that has been authenticated. Applications can use claims for various tasks, including:

  • Validate the token
  • Identify the subject's directory tenant
  • Display user information
  • Determine the subject's authorization

The claims present in any given security token are dependent upon the type of token, the type of credential used to authenticate the user, and the application configuration.

A brief description of each type of claim emitted by Azure AD is provided in the table below. For more detailed information, see the access tokens and ID tokens issued by Azure AD.

Claim                                                 Description
Application ID                                        Identifies the application that is using the token.
Audience                                              Identifies the recipient resource the token is intended for.
Application Authentication Context Class Reference    Indicates how the client was authenticated (public client vs. confidential client).
Authentication Instant                                Records the date and time when the authentication occurred.
Authentication Method                                 Indicates how the subject of the token was authenticated (password, certificate, etc.).
First Name                                            Provides the given name of the user as set in Azure AD.
Groups                                                Contains object IDs of Azure AD groups that the user is a member of.
Identity Provider                                     Records the identity provider that authenticated the subject of the token.
Issued At                                             Records the time at which the token was issued, often used for token freshness.
Issuer                                                Identifies the STS that emitted the token as well as the Azure AD tenant.
Last Name                                             Provides the surname of the user as set in Azure AD.
Name                                                  Provides a human readable value that identifies the subject of the token.
Object ID                                             Contains an immutable, unique identifier of the subject in Azure AD.
Roles                                                 Contains friendly names of Azure AD Application Roles that the user has been granted.
Scope                                                 Indicates the permissions granted to the client application.
Subject                                               Indicates the principal about which the token asserts information.
Tenant ID                                             Contains an immutable, unique identifier of the directory tenant that issued the token.
Token Lifetime                                        Defines the time interval within which a token is valid.
User Principal Name                                   Contains the user principal name of the subject.
Version                                               Contains the version number of the token.
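The "Authentication basics" section says the application must validate the user's security token, and the table above lists the claims it has to work with. The following Python is an added example, written for this page rather than taken from Microsoft's libraries, of the checks a resource performs on a v1.0-style token before it builds a security principal from it: pinned signing algorithm, signature, issuer and tenant, audience, and lifetime with a bounded clock-skew allowance. To run offline it signs the demo token with an HMAC key; a real Azure AD token is RS256-signed and its signature is verified against the tenant's published signing keys, which the authentication libraries fetch for you, but the claim checks are the same. The tenant ID, application ID, key and user values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the offline demo; not real tenant, app or key material.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
APP_ID = "11111111-1111-1111-1111-11111111bbbb"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"   # v1.0 issuer format
DEMO_KEY = b"constructed-demo-signing-key"                  # stand-in for the tenant's RSA key
EXPECTED_ALG = "HS256"                                      # would be RS256 for Azure AD tokens
CLOCK_SKEW = 300                                            # seconds of tolerance on nbf/exp


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, alg: str = "HS256") -> str:
    """Build a compact JWT (header.payload.signature) for the demo."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    if alg == "none":  # unsigned token, used only to show that the validator refuses it
        return signing_input + "."
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Return the verified claims, or raise ValueError naming the first failed check."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError(f"malformed token: {exc}") from None

    # 1. Signature, with the algorithm pinned by the validator, never taken from the header.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    # 2. Issuer and tenant: the token must come from the STS of the tenant we trust.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"issuer {claims.get('iss')!r} is not trusted")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("tid does not match the expected tenant")

    # 3. Audience: a valid token minted for a different resource must still be refused here.
    if claims.get("aud") != APP_ID:
        raise ValueError(f"audience {claims.get('aud')!r} is not this application")

    # 4. Lifetime: nbf and exp are mandatory and checked with a bounded skew allowance.
    for name in ("nbf", "exp"):
        if not isinstance(claims.get(name), int):
            raise ValueError(f"missing or non-integer {name}")
    if now + CLOCK_SKEW < claims["nbf"]:
        raise ValueError("token not yet valid")
    if now - CLOCK_SKEW >= claims["exp"]:
        raise ValueError("token expired")

    # 5. A subject identifier must exist before a security principal can be built from the token.
    if not claims.get("oid") and not claims.get("sub"):
        raise ValueError("no subject identifier (oid/sub)")
    return claims


if __name__ == "__main__":
    demo = {"iss": EXPECTED_ISSUER, "tid": TENANT_ID, "aud": APP_ID, "nbf": 1000, "exp": 4600,
            "oid": "constructed-oid", "upn": "alice@contoso.example"}
    print(validate_token(make_demo_token(demo), now=2000)["upn"])
```

The ordering matters: the signature is checked before any claim is read, so a forged payload is rejected without its contents ever influencing a decision, and the audience check ensures that a token legitimately issued for some other API cannot be replayed against this one.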

Next steps