App sign-in flow with the Microsoft identity platform

This topic discusses the basic sign-in flow for web, desktop, and mobile apps using the Microsoft identity platform. See Authentication flows and app scenarios to learn about the sign-in scenarios supported by the Microsoft identity platform.

Web app sign-in flow

When a user navigates in the browser to a web app, the following happens:

  • The web app determines whether the user is authenticated.
  • If the user isn't authenticated, the web app delegates to Azure AD to sign in the user. That sign-in will be compliant with the policy of the organization, which may mean asking the user to enter their credentials, using multi-factor authentication (sometimes referred to as two-factor authentication or 2FA), or not using a password at all (for example, using Windows Hello).
  • The user is asked to consent to the access that the client app needs. This is why client apps need to be registered with Azure AD, so that the Microsoft identity platform can deliver tokens representing the access that the user has consented to.

When the user has successfully authenticated:

  • The Microsoft identity platform sends a token to the web app.
  • A cookie associated with Azure AD's domain, containing the identity of the user, is saved in the browser's cookie jar. The next time an app uses the browser to navigate to the Microsoft identity platform authorization endpoint, the browser presents the cookie so that the user doesn't have to sign in again. This is also the way that SSO is achieved. The cookie is produced by Azure AD and can only be understood by Azure AD.
  • The web app then validates the token. If the validation succeeds, the web app displays the protected page and saves a session cookie in the browser's cookie jar. When the user navigates to another page, the web app knows that the user is authenticated based on the session cookie.

The following sequence diagram summarizes this interaction:

[Diagram: Web app authentication process]

How a web app determines if the user is authenticated

Web app developers can indicate whether all or only certain pages require authentication. For example, in ASP.NET/ASP.NET Core, this is done by adding the [Authorize] attribute to the controller actions.

This attribute causes ASP.NET to check for the presence of a session cookie containing the identity of the user. If a cookie isn't present, ASP.NET redirects authentication to the specified identity provider. If the identity provider is Azure AD, the web app redirects authentication to https://login.partner.microsoftonline.cn, which displays a sign-in dialog.

How a web app delegates sign-in to the Microsoft identity platform and obtains a token

User authentication happens via the browser. The OpenID protocol uses standard HTTP protocol messages.

  • The web app sends an HTTP 302 (redirect) to the browser to use the Microsoft identity platform.
  • When the user is authenticated, the Microsoft identity platform sends the token to the web app by using a redirect through the browser.
  • The redirect target is provided by the web app in the form of a redirect URI. This redirect URI is registered with the Azure AD application object. There can be several redirect URIs because the application may be deployed at several URLs, so the web app will also need to specify which redirect URI to use.
  • Azure AD verifies that the redirect URI sent by the web app is one of the registered redirect URIs for the app.
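The three steps above (session-cookie check, HTTP 302 to the authorization endpoint carrying a redirect URI, and the identity provider's exact-match check of that URI against the registered list), modelled as an added example that is not code from the Microsoft docs or from MSAL. The authorize endpoint path, client id and registered URIs are constructed placeholders.

```python
# Added example (not from the docs page): a standard-library-only model of the
# web-app side of the sign-in redirect, plus the redirect-URI check the
# identity provider performs. All endpoint, client id and URI values are
# constructed placeholders for illustration.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed v2.0 authorize endpoint on the host named in the text.
AUTHORITY = "https://login.partner.microsoftonline.cn/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder application id

# Redirect URIs registered on the Azure AD application object, one per
# deployment URL. Matching is exact (scheme, host, port and path).
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/signin-oidc",
    "https://localhost:5001/signin-oidc",
}

def is_authenticated(cookies: dict) -> bool:
    """The [Authorize] check: is there a session cookie for this user?"""
    return bool(cookies.get("app_session"))

def build_sign_in_redirect(redirect_uri: str) -> tuple[int, str, str]:
    """The HTTP 302 the web app sends when the user is not signed in.
    The random state must be kept in the server-side session so that the
    identity provider's response can be matched to this request."""
    state = secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # the deployment URL this instance uses
        "scope": "openid profile",
        "state": state,
    }
    return 302, f"{AUTHORITY}?{urlencode(params)}", state

def idp_accepts_redirect_uri(authorize_url: str) -> bool:
    """Model of Azure AD's check: the redirect_uri in the request must be one
    of the URIs registered for the app (exact string match, no prefix match)."""
    query = parse_qs(urlsplit(authorize_url).query)
    uri = query.get("redirect_uri", [None])[0]
    return uri in REGISTERED_REDIRECT_URIS

def handle_request(cookies: dict, redirect_uri: str) -> tuple[int, str]:
    """Serve the protected page, or redirect to the identity provider."""
    if is_authenticated(cookies):
        return 200, "protected page"
    status, location, _state = build_sign_in_redirect(redirect_uri)
    return status, location
```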

Desktop and mobile app sign-in flow

The flow described above applies, with slight differences, to desktop and mobile applications.

Desktop and mobile applications can use an embedded web control, or a system browser, for authentication. The following diagram shows how a desktop or mobile app uses the Microsoft Authentication Library (MSAL) to acquire access tokens and call web APIs.

[Diagram: How it looks for a desktop app]

MSAL uses a browser to get tokens. As with web apps, authentication is delegated to the Microsoft identity platform.

Because Azure AD saves the same identity cookie in the browser as it does for web apps, if the native or mobile app uses the system browser it will immediately get SSO with the corresponding web app.

By default, MSAL uses the system browser. The exception is .NET Framework desktop applications, where an embedded control is used to provide a more integrated user experience.

Next steps

For other topics covering authentication and authorization basics:

  • See Authentication vs. authorization to learn about the basic concepts of authentication and authorization in the Microsoft identity platform.
  • See Security tokens to learn how access tokens, refresh tokens, and ID tokens are used in authentication and authorization.
  • See Application model to learn about the process of registering your application so it can integrate with the Microsoft identity platform.

To learn more about app sign-in flow:

  • See Authentication flows and app scenarios to learn more about other scenarios for authenticating users supported by the Microsoft identity platform.
  • See MSAL libraries to learn about the Microsoft libraries that help you develop applications that work with Azure AD accounts and Azure AD B2C users, all in a single, streamlined programming model.