Azure Active Directory Authentication Libraries

The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD) and obtain tokens for securing API calls. ADAL makes authentication easier for developers through features such as:

  • Configurable token cache that stores access tokens and refresh tokens
  • Automatic token refresh when an access token expires and a refresh token is available
  • Support for asynchronous method calls

Note

Looking for the Azure AD v2.0 libraries (MSAL)? Check out the MSAL library guide.

Microsoft-supported Client Libraries

Platform | Library | Download | Source Code | Sample | Reference
.NET Client, Windows Store, UWP, Xamarin iOS and Android | ADAL .NET v3 | NuGet | GitHub | Desktop app | Reference
.NET Client, Windows Store, Windows Phone 8.1 | ADAL .NET v2 | NuGet | GitHub | Desktop app |
JavaScript | ADAL.js | GitHub | GitHub | Single-page app |
iOS, macOS | ADAL | GitHub | GitHub | iOS app | Reference
Android | ADAL | Maven | GitHub | Android app | JavaDocs
Node.js | ADAL | npm | GitHub | Node.js web app | Reference
Java | ADAL4J | Maven | GitHub | Java web app | Reference
Python | ADAL | GitHub | GitHub | Python web app | Reference

Microsoft-supported Server Libraries

Platform | Library | Download | Source Code | Sample | Reference
.NET | OWIN for AzureAD | NuGet | GitHub | MVC App |
.NET | OWIN for OpenIDConnect | NuGet | GitHub | Web App |
.NET | OWIN for WS-Federation | NuGet | GitHub | MVC Web App |
.NET | Identity Protocol Extensions for .NET 4.5 | NuGet | GitHub | |
.NET | JWT Handler for .NET 4.5 | NuGet | GitHub | |
Node.js | Azure AD Passport | npm | GitHub | Web API |

Scenarios

Here are three common scenarios for using ADAL in a client that accesses a remote resource:

Authenticating users of a native client application running on a device

In this scenario, a developer has a mobile client or desktop application that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls and must be called in the context of an authenticated user. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant, and Azure AD is pre-configured to issue access tokens for that resource. To invoke the web API from the client, the developer uses ADAL to facilitate authentication with Azure AD. The most secure way to use ADAL is to have it render the user interface for collecting user credentials (rendered as a browser window), so the application itself never handles the user's password.

ADAL makes it easy to authenticate the user, obtain an access token and refresh token from Azure AD, and then call the web API using the access token.

For a code sample that demonstrates this scenario using authentication to Azure AD, see Native Client WPF Application to Web API.

Authenticating a confidential client application running on a web server

In this scenario, a developer has an application running on a server that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls, so it must be called from an authorized service. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant, and Azure AD is pre-configured to issue access tokens for that resource to a service with client credentials (client ID and secret). ADAL facilitates authentication of the service with Azure AD and returns an access token that can be used to call the web API. ADAL also manages the lifetime of the access token by caching it and renewing it as necessary. For a code sample that demonstrates this scenario, see Daemon Console Application to Web API.

Authenticating a confidential client application running on a server, on behalf of a user

In this scenario, a developer has a web application running on a server that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls, so it must be called from an authorized service on behalf of an authenticated user. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant, and Azure AD is pre-configured to issue access tokens for that resource to a service with client credentials. Once the user is authenticated in the web application, the application can get an authorization code for the user from Azure AD. The web application can then use ADAL to obtain an access token and refresh token from Azure AD on behalf of the user, using the authorization code together with the client credentials associated with the application. Once the web application is in possession of the access token, it can call the web API until the token expires. When the token expires, the web application can use ADAL to get a new access token by using the refresh token that was previously received. For a code sample that demonstrates this scenario, see Native Client to Web API to Web API.
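The token lifecycle that the feature list and the last two scenarios describe (cache hit, silent renewal with a refresh token, fall back to the original grant when none exists) is modelled below as an added illustration; it is not ADAL's own code. The token endpoint is a constructed stub so the block runs offline, and the authority, resource and client identifiers in the test are placeholders.

```python
import time

# Constructed stand-in for the Azure AD token endpoint (no network). A
# client-credentials grant yields no refresh token; an authorization-code or
# refresh-token grant yields one, so the next renewal needs no user interaction.
def fake_token_endpoint(grant_type, now, **params):
    if grant_type == "client_credentials":
        return {"access_token": "at-svc-%d" % now, "expires_on": now + 3600}
    if grant_type in ("authorization_code", "refresh_token"):
        return {"access_token": "at-user-%d" % now, "expires_on": now + 3600,
                "refresh_token": "rt-%d" % now}
    raise ValueError("unsupported grant " + grant_type)


class AuthContext:
    """Minimal model of an ADAL authentication context: a token cache keyed by
    (authority, resource, client_id, user) plus refresh-on-expiry."""

    def __init__(self, authority, endpoint=fake_token_endpoint,
                 clock=time.time, skew=300):
        self.authority = authority
        self.endpoint = endpoint
        self.clock = clock
        self.skew = skew          # renew tokens that expire within 5 minutes
        self.cache = {}

    def acquire_token(self, resource, client_id, grant, user=None, **creds):
        """Return (access_token, source) where source is 'cache', 'refresh'
        or the grant that was sent to the token endpoint."""
        key = (self.authority, resource, client_id, user)
        now = int(self.clock())
        entry = self.cache.get(key)
        if entry and entry["expires_on"] - self.skew > now:
            return entry["access_token"], "cache"
        if entry and entry.get("refresh_token"):
            # Access token expired but a refresh token exists: renew silently.
            tok = self.endpoint("refresh_token", now,
                                refresh_token=entry["refresh_token"], **creds)
            source = "refresh"
        else:
            # Nothing usable cached (daemon tokens have no refresh token):
            # run the scenario's own grant again.
            tok = self.endpoint(grant, now, **creds)
            source = grant
        self.cache[key] = tok     # keep the newest token and refresh token
        return tok["access_token"], source
```

A daemon (client credentials) therefore re-authenticates with its secret on every expiry, while a web app acting on behalf of a user renews from the cached refresh token without sending the user back through sign-in.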

See Also