Accounts & tenant profiles (Android)

This article provides an overview of what an account is in the Microsoft identity platform.

The Microsoft Authentication Library (MSAL) API replaces the term user with the term account. One reason is that a user (human or software agent) may have, or can use, multiple accounts. These accounts may be in the user's own organization, and/or in other organizations that the user is a member of.

An account in the Microsoft identity platform consists of:

  • A unique identifier.
  • One or more credentials used to demonstrate ownership/control of the account.
  • One or more profiles consisting of attributes such as:
    • Picture, Given Name, Family Name, Title, Office Location
  • An account has a source of authority or system of record. This is the system where the account is created and where the credentials associated with that account are stored. In multi-tenant systems like the Microsoft identity platform, the system of record is the tenant where the account was created. This tenant is also referred to as the home tenant.
  • Accounts in the Microsoft identity platform have the following systems of record:
    • Azure Active Directory, including Azure Active Directory B2C.
    • Microsoft account (Live).
  • Accounts from systems of record outside of the Microsoft identity platform are also represented within the Microsoft identity platform, including:
    • identities from connected on-premises directories (Windows Server Active Directory)
    • external identities from LinkedIn, GitHub, and so on. In these cases, an account has both an origin system of record and a system of record within the Microsoft identity platform.
  • The Microsoft identity platform allows one account to be used to access resources belonging to multiple organizations (Azure Active Directory tenants).
    • To record that an account from one system of record (AAD Tenant A) has access to a resource in another system of record (AAD Tenant B), the account must be represented in the tenant where the resource is defined. This is done by creating a local record of the account from system A in system B.
    • This local record, that is the representation of the account, is bound to the original account.
    • MSAL exposes this local record as a Tenant Profile.
    • A Tenant Profile can have different attributes that are appropriate to the local context, such as Job Title, Office Location, Contact Information, etc.
  • Because an account may be present in one or more tenants, an account may have more than one profile.

Note

MSAL treats the Microsoft account system (Live, MSA) as another tenant within the Microsoft identity platform. The tenant id of the Microsoft account tenant is: 9188040d-6c67-4c5b-b112-36a304b66dad

Account overview diagram

(Diagram: account overview)

In the above diagram:

  • The account bob@contoso.com is created in the on-premises Windows Server Active Directory (origin on-premises system of record).
  • The account tom@live.com is created in the Microsoft account tenant.
  • bob@contoso.com has access to at least one resource in the following Azure Active Directory tenants:
    • contoso.com (cloud system of record, linked to the on-premises system of record)
    • fabrikam.com
    • woodgrovebank.com
    • A tenant profile for bob@contoso.com exists in each of these tenants.
  • tom@live.com has access to resources in the following Microsoft tenants:
    • contoso.com
    • fabrikam.com
    • A tenant profile for tom@live.com exists in each of these tenants.
  • Information about Tom and Bob in other tenants may differ from that in the system of record. They may differ by attributes such as Job Title, Office Location, and so on. They may be members of groups and/or roles within each organization (Azure Active Directory tenant). We refer to this information as the bob@contoso.com tenant profile.

In the diagram, bob@contoso.com and tom@live.com have access to resources in different Azure Active Directory tenants.

Accounts and single sign-on (SSO)

The MSAL token cache stores a single refresh token per account. That refresh token can be used to silently request access tokens from multiple Microsoft identity platform tenants. When a broker is installed on a device, the account is managed by the broker, and device-wide single sign-on becomes possible.

Important

Business to Consumer (B2C) account and refresh token behavior differs from the rest of the Microsoft identity platform. For more information, see B2C policies & accounts.

Account identifiers

The MSAL account ID isn't an account object ID. It isn't meant to be parsed and/or relied upon to convey anything other than uniqueness within the Microsoft identity platform.

For compatibility with the Azure AD Authentication Library (ADAL), and to ease migration from ADAL to MSAL, MSAL can look up accounts using any valid identifier for the account available in the MSAL cache. For example, the following will always retrieve the same account object for tom@live.com because each of the identifiers is valid:

// The following would always retrieve the same account object for tom@live.com because each identifier is valid

IAccount account = app.getAccount("<tom@live.com msal account id>");
account = app.getAccount("<tom@live.com contoso user object id>");
account = app.getAccount("<tom@live.com woodgrovebank user object id>");

Accessing claims about an account

Besides requesting an access token, MSAL also always requests an ID token from each tenant. It does this by always requesting the following scopes:

  • openid
  • profile

The ID token contains a list of claims. Claims are name/value pairs about the account, and are used to make the request.

As mentioned previously, each tenant where an account exists may store different information about the account, including but not limited to attributes such as job title, office location, and so on.

While an account may be a member or guest in multiple organizations, MSAL doesn't query a service to get a list of the tenants the account is a member of. Instead, MSAL builds up a list of tenants that the account is present in, as a result of token requests that have been made.

The claims exposed on the account object are always the claims from the 'home tenant'/{authority} for an account. If that account hasn't been used to request a token for its home tenant, MSAL can't provide claims via the account object. For example:

// Pseudo code
IAccount account = app.getAccount("accountid");

// Claims are only available once a token has been requested from the account's home tenant
Map<String, ?> claims = account.getClaims();
if (claims != null) {
    String username = (String) claims.get("preferred_username");
    String tenantId = (String) claims.get("tid"); // tenant id
    String objectId = (String) claims.get("oid"); // object id
    String issuer = (String) claims.get("iss"); // The tenant specific authority that issued the id_token
}

Tip

To see a list of claims available from the account object, refer to claims in an id_token.

Tip

To include additional claims in your id_token, refer to the optional claims documentation in How to: Provide optional claims to your Azure AD app.

Access tenant profile claims

To access claims about an account as they appear in other tenants, you first need to cast your account object to IMultiTenantAccount. All accounts may be multi-tenant, but the number of tenant profiles available via MSAL is based on which tenants you have requested tokens from using the current account. For example:

// Pseudo code
IAccount account = app.getAccount("accountid");
IMultiTenantAccount multiTenantAccount = (IMultiTenantAccount) account;

// A tenant profile is present only for tenants a token has already been requested from with this account
Map<String, ITenantProfile> profiles = multiTenantAccount.getTenantProfiles();
String fabrikamFamilyName = (String) profiles.get("tenantid for fabrikam").getClaims().get("family_name");
String contosoFamilyName = (String) profiles.get("tenantid for contoso").getClaims().get("family_name");
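The two caveats above (home-tenant claims are absent until a home-tenant token has been requested, and only tenants already used for a token request have a tenant profile) are easy to trip over, so here is an added helper that handles both; it is example code written for this article, not part of MSAL or the Microsoft docs. It assumes the MSAL Android package name `com.microsoft.identity.client` and that `getTenantProfiles()` returns `Map<String, ITenantProfile>` keyed by tenant id.

```java
import com.microsoft.identity.client.IAccount;
import com.microsoft.identity.client.IMultiTenantAccount;
import com.microsoft.identity.client.ITenantProfile;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Example helper (not part of MSAL): reads one claim, such as "family_name" or
 * "jobTitle", from every tenant profile MSAL currently holds for an account.
 * MSAL only has a profile for tenants a token has already been requested from,
 * so tenants the account belongs to but has not been used against do not appear.
 */
public final class TenantProfileClaims {

    private TenantProfileClaims() {}

    /** Returns tenantId -> claim value; a profile without that claim maps to null. */
    public static Map<String, String> claimPerTenant(IAccount account, String claimName) {
        Map<String, String> result = new LinkedHashMap<>();
        if (!(account instanceof IMultiTenantAccount)) {
            return result; // no tenant profiles are exposed for this account object
        }
        // Assumption: keyed by tenant id, as in the getTenantProfiles() usage above
        Map<String, ITenantProfile> profiles = ((IMultiTenantAccount) account).getTenantProfiles();
        if (profiles == null) {
            return result;
        }
        for (Map.Entry<String, ITenantProfile> entry : profiles.entrySet()) {
            Map<String, ?> claims = entry.getValue().getClaims();
            Object value = claims == null ? null : claims.get(claimName);
            result.put(entry.getKey(), value == null ? null : value.toString());
        }
        return result;
    }

    /** True only once the home tenant's id_token claims are present on the account object. */
    public static boolean homeTenantClaimsAvailable(IAccount account) {
        Map<String, ?> claims = account.getClaims();
        return claims != null && claims.get("tid") != null;
    }
}
```

Call `homeTenantClaimsAvailable` before reading `preferred_username`, `tid` or `oid` from the account object, and treat a tenant missing from `claimPerTenant`'s result as "no token requested yet" rather than "not a member".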

B2C policies & accounts

Refresh tokens for an account aren't shared across B2C policies. As a result, single sign-on using tokens isn't possible. This doesn't mean that single sign-on isn't possible. It means single sign-on has to use an interactive experience in which a cookie is available to enable single sign-on.

This also means that in the case of MSAL, if you acquire tokens using different B2C policies, then these are treated as separate accounts, each with their own identifier. If you want to use an account to request a token using acquireTokenSilent, then you'll need to select the account from the list of accounts that matches the policy that you're using with the token request. For example:

// Get Account For Policy

String policyId = "SignIn";
IAccount signInPolicyAccount = getAccountForPolicy(app, policyId);

private IAccount getAccountForPolicy(IPublicClientApplication app, String policyId)
{
    List<IAccount> accounts = app.getAccounts();

    for (IAccount account : accounts)
    {
        // The "tfp" claim carries the B2C policy the account's tokens were acquired with;
        // claims may be null until a token has been requested for the account
        Map<String, ?> claims = account.getClaims();
        if (claims != null && policyId.equals(claims.get("tfp")))
        {
            return account;
        }
    }

    return null;
}