OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform

The Microsoft identity platform endpoint for identity-as-a-service implements authentication and authorization with the industry-standard protocols OpenID Connect (OIDC) and OAuth 2.0, respectively. While the service is standards-compliant, there can be subtle differences between any two implementations of these protocols. The information here will be useful if you choose to write your code by directly sending and handling HTTP requests, or to use a third-party open-source library, rather than using one of our open-source libraries.

The basics

In nearly all OAuth 2.0 and OpenID Connect flows, there are four parties involved in the exchange:

Diagram showing the OAuth 2.0 roles

  • The Authorization Server is the Microsoft identity platform endpoint and is responsible for ensuring the user's identity, granting and revoking access to resources, and issuing tokens. The authorization server is also known as the identity provider - it securely handles anything to do with the user's information, their access, and the trust relationships between parties in a flow.
  • The Resource Owner is typically the end user. It's the party that owns the data and has the power to allow clients to access that data or resource.
  • The OAuth Client is your app, identified by its application ID. The OAuth client is usually the party that the end user interacts with, and it requests tokens from the authorization server. The client must be granted permission to access the resource by the resource owner.
  • The Resource Server is where the resource or data resides. It trusts the Authorization Server to securely authenticate and authorize the OAuth Client, and uses Bearer access tokens to ensure that access to a resource can be granted.

App registration

Every app that wants to accept work or school accounts must be registered through the App registrations experience in the Azure portal before it can sign these users in using OAuth 2.0 or OpenID Connect. The app registration process collects and assigns a few values to your app:

  • An Application ID that uniquely identifies your app
  • A Redirect URI (optional) that can be used to direct responses back to your app
  • A few other scenario-specific values.

For more details, learn how to register an app.

Endpoints

Once registered, the app communicates with the Microsoft identity platform by sending requests to the endpoint:

https://login.partner.microsoftonline.cn/{tenant}/oauth2/v2.0/authorize
https://login.partner.microsoftonline.cn/{tenant}/oauth2/v2.0/token

Where {tenant} can take one of four different values:

Value | Description
common | Allows users with work/school accounts from Azure AD to sign into the application.
organizations | Allows only users with work/school accounts from Azure AD to sign into the application.
8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.partner.onmschina.cn | Allows only users with work/school accounts from a particular Azure AD tenant to sign into the application. Either the friendly domain name of the Azure AD tenant or the tenant's GUID identifier can be used.

To learn how to interact with these endpoints, choose a particular app type in the Protocols section and follow the links for more info.

Tip

Any app registered in Azure AD can use the Microsoft identity platform endpoint. This way, you can migrate existing applications to the Microsoft identity platform and MSAL without re-creating your application.

Tokens

OAuth 2.0 and OpenID Connect make extensive use of bearer tokens, generally represented as JWTs (JSON Web Tokens). A bearer token is a lightweight security token that grants the "bearer" access to a protected resource. In this sense, the "bearer" is anyone that gets a copy of the token. Though a party must first authenticate with the Microsoft identity platform to receive the bearer token, if the required steps are not taken to secure the token in transmission and storage, it can be intercepted and used by an unintended party. While some security tokens have a built-in mechanism for preventing unauthorized parties from using them, bearer tokens do not have this mechanism and must be transported in a secure channel such as transport layer security (HTTPS). If a bearer token is transmitted in the clear, a malicious party can use a man-in-the-middle attack to acquire the token and use it for unauthorized access to a protected resource. The same security principles apply when storing or caching bearer tokens for later use. Always ensure that your app transmits and stores bearer tokens in a secure manner. For more security considerations on bearer tokens, see RFC 6750 Section 5.

There are primarily 3 types of tokens used in OAuth 2.0 / OIDC:

  • Access tokens - tokens that a resource server receives from a client, containing permissions the client has been granted.
  • ID tokens - tokens that a client receives from the authorization server, used to sign in a user and get basic information about them.
  • Refresh tokens - used by a client to get new access and ID tokens over time. These are opaque strings, and are only understandable by the authorization server.
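An added Python example (not from this page or from Microsoft's libraries) that ties the endpoint and {tenant} values above to the token handling described in this section: it builds the v2.0 authorize URL for a chosen tenant segment, decodes a JWT's header and claims for inspection without verifying the signature, and only allows a bearer token to be attached to an HTTPS request. The client ID, redirect URI, scope, state and the sample token are constructed; response_type, scope and state are standard OAuth 2.0 authorization-code parameters assumed here, not listed on the page.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Endpoint host from the page; {tenant} is common / organizations / a GUID / a domain
AUTHORITY = "https://login.partner.microsoftonline.cn"

def authorize_url(tenant: str, client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Build the v2.0 authorize URL. response_type/scope/state are standard OAuth 2.0
    authorization-code parameters (assumed here, not listed on the page)."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def inspect_jwt(token: str) -> dict:
    """Decode a JWT's header and claims for inspection only.
    The signature is NOT verified here; a resource server must validate it
    against the authorization server's keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "claims": json.loads(_b64url_decode(parts[1]))}

def is_expired(claims: dict, now=None) -> bool:
    """True if the 'exp' claim (seconds since epoch) is missing or in the past."""
    exp = claims.get("exp")
    return exp is None or (now if now is not None else time.time()) >= exp

def can_send_bearer(url: str) -> bool:
    """Bearer tokens are only ever attached to requests over TLS (RFC 6750 section 5)."""
    return url.lower().startswith("https://")

# Constructed sample token (unsigned, placeholder signature segment); tid is the page's example GUID
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"aud": "api://example-app", "exp": 4102444800,
                               "tid": "8eaef023-2b34-4da1-9baa-8bc8c9d6a490"}).encode()),
    "signature-placeholder",
])
```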

Protocols

If you're ready to see some example requests, get started with one of the protocol documents below. Each one corresponds to a particular authentication scenario. If you need help determining which flow is right for you, check out the types of apps you can build with the Microsoft identity platform.