Web apps


This content is for the older Azure AD v1.0 endpoint. Use the Microsoft identity platform for new projects.

Web apps are applications that authenticate a user in a web browser to a web application. In this scenario, the web application directs the user's browser to sign them in to Azure AD. Azure AD returns a sign-in response through the user's browser, which contains claims about the user in a security token. This scenario supports sign-on using the OpenID Connect and WS-Federation protocols.


Figure: Browser to web application authentication flow

Protocol flow

  1. When a user visits the application and needs to sign in, they are redirected via a sign-in request to the authentication endpoint in Azure AD.
  2. The user signs in on the sign-in page.
  3. If authentication is successful, Azure AD creates an authentication token and returns a sign-in response to the application's Reply URL that was configured in the Azure portal. For a production application, this Reply URL should be HTTPS. The returned token includes claims about the user and Azure AD that are required by the application to validate the token.
  4. The application validates the token by using a public signing key and issuer information available at the federation metadata document for Azure AD. After the application validates the token, it starts a new session with the user. This session allows the user to access the application until it expires.
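The validation in step 4 is the security-critical part of the flow, so here is an added, self-contained example of what the web app's side looks like. It is not Microsoft's code or any library's API: the RSA key pair, the key ID "key-1", the issuer URL and the client ID are all constructed placeholders, and SignToken only exists to stand in for Azure AD so that the example runs offline. In a real deployment the public keys in the `keys` map come from the federation metadata document, and the issuer and audience are the values registered for the app.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of sign-in token claims the web app checks in step 4.
type Claims struct {
	Iss string `json:"iss"` // issuer: the directory that signed the token
	Aud string `json:"aud"` // audience: this application's client ID
	Sub string `json:"sub"` // subject: the signed-in user
	Nbf int64  `json:"nbf"` // not valid before (Unix seconds)
	Exp int64  `json:"exp"` // expiry (Unix seconds)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSigningKey stands in for the identity provider's key pair (assumption for the
// example); in production only the public half is fetched, from the metadata document.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignToken plays the identity provider's role and builds a compact RS256 JWT.
// It exists only to make the example self-contained; the web app never signs tokens.
func SignToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ValidateToken is the web app's side of step 4. keys maps key ID (kid) to the public
// keys obtained from the metadata document; issuer and audience are the values the app
// expects; now is injected so the time checks are testable.
func ValidateToken(tok string, keys map[string]*rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	// Pin the algorithm: the token must not get to choose how it is verified.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown signing key %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	// Verify the signature before trusting anything in the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("token not issued for this app (aud %q)", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case now.Unix() < c.Nbf:
		return nil, errors.New("token not yet valid")
	}
	return &c, nil
}

func main() {
	key, _ := NewSigningKey()
	// Constructed placeholders, not a real tenant or application.
	issuer, aud, now := "https://issuer.example/placeholder-tenant/", "placeholder-client-id", time.Now()
	tok, _ := SignToken(key, "key-1", Claims{Iss: issuer, Aud: aud, Sub: "user-1", Nbf: now.Unix() - 60, Exp: now.Add(time.Hour).Unix()})
	keys := map[string]*rsa.PublicKey{"key-1": &key.PublicKey}
	c, err := ValidateToken(tok, keys, issuer, aud, now)
	fmt.Println("accepted:", c != nil && c.Sub == "user-1", "err:", err)
	_, err = ValidateToken(tok, keys, issuer, "another-app", now)
	fmt.Println("wrong audience rejected:", err)
}
```

The order matters: the key is selected by `kid` from an allow-list the app already trusts, the signature is checked before any claim is read, and only then are issuer, audience and validity window compared against what the app expects. A token that passes the signature check but carries another application's `aud` is still rejected, which is what prevents a token issued for one registered app from being replayed against another.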

Code samples

See the code samples for web browser to web application scenarios. And, check back frequently as new samples are added frequently.

App registration

To register a web app, see Register an app.

  • Single tenant - If you are building an application just for your organization, it must be registered in your company's directory by using the Azure portal.
  • Multi-tenant - If you are building an application that can be used by users outside your organization, it must be registered in your company's directory, but also must be registered in each organization's directory that will be using the application. To make your application available in their directory, you can include a sign-up process for your customers that enables them to consent to your application. When they sign up for your application, they will be presented with a dialog that shows the permissions the application requires, and then the option to consent. Depending on the required permissions, an administrator in the other organization may be required to give consent. When the user or administrator consents, the application is registered in their directory.

Token expiration

The user's session expires when the lifetime of the token issued by Azure AD expires. Your application can shorten this time period if desired, such as signing out users based on a period of inactivity. When the session expires, the user will be prompted to sign in again.
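An added example (not Microsoft's code or a library API) of the session rule described above: the app's own session may time out sooner than the token on inactivity, but it can never outlive the token's expiry. The `Session` type, the 15-minute idle window and the one-hour token lifetime in `main` are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Session is the web app's own session, started after the sign-in token validated.
type Session struct {
	TokenExpiry time.Time     // exp claim of the token: hard upper bound on the session
	IdleLimit   time.Duration // app-chosen inactivity window, typically shorter than the token lifetime
	lastSeen    time.Time     // time of the most recent request in this session
}

// NewSession starts a session at now for a token that expires at tokenExpiry.
func NewSession(tokenExpiry time.Time, idleLimit time.Duration, now time.Time) *Session {
	return &Session{TokenExpiry: tokenExpiry, IdleLimit: idleLimit, lastSeen: now}
}

// Touch reports whether the session is still valid at now and, if so, records the
// activity so the idle window slides. Activity never extends the session past the
// token's expiry; when Touch returns false the user must sign in again.
func (s *Session) Touch(now time.Time) bool {
	if !now.Before(s.TokenExpiry) || now.Sub(s.lastSeen) > s.IdleLimit {
		return false
	}
	s.lastSeen = now
	return true
}

func main() {
	start := time.Now()
	s := NewSession(start.Add(time.Hour), 15*time.Minute, start)
	for _, m := range []int{10, 20, 50, 55} { // minutes after sign-in, constructed request times
		fmt.Printf("request at +%dm: active=%v\n", m, s.Touch(start.Add(time.Duration(m)*time.Minute)))
	}
}
```

Because the idle limit slides but the token expiry does not, steady activity keeps the session alive only until the token lifetime runs out, which is the point at which the user is sent back to Azure AD.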

Next steps