Application types in v1.0

Azure Active Directory (Azure AD) supports authentication for a variety of modern app architectures, all of them based on the industry-standard protocols OAuth 2.0 and OpenID Connect.

The following diagram illustrates the scenarios and application types, and how different components can be added:

(Diagram: application types and scenarios)

These are the five primary application scenarios supported by Azure AD:

Follow the links to learn more about each type of app and to understand the high-level scenarios before you start working with the code. You can also learn about the differences you need to know when writing a particular app that works with the v1.0 endpoint or the v2.0 endpoint.

Note

The v2.0 endpoint doesn't support all Azure AD scenarios and features. To determine whether you should use the v2.0 endpoint, read about v2.0 limitations.

You can develop any of the apps and scenarios described here using various languages and platforms. They are all backed by complete code samples available in the code samples guide: v1.0 code samples by scenario and v2.0 code samples by scenario. You can also download the code samples directly from the corresponding GitHub sample repositories.

In addition, if your application needs a specific piece or segment of an end-to-end scenario, in most cases that functionality can be added independently. For example, if you have a native application that calls a web API, you can easily add a web application that also calls the same web API.

App registration

Registering an app that uses the Azure AD v1.0 endpoint

Any application that outsources authentication to Azure AD must be registered in a directory. This step involves telling Azure AD about your application, including the URL where it's located, the URL to send replies to after authentication, the URI that identifies your application, and more. This information is required for a few key reasons:

  • Azure AD needs to communicate with the application when handling sign-on or exchanging tokens. The information passed between Azure AD and the application includes the following:

    • Application ID URI - The identifier for an application. This value is sent to Azure AD during authentication to indicate which application the caller wants a token for. It is also included in the token (as its audience) so that the application can confirm it was the intended target; an application must reject any token whose audience is not its own identifier.
    • Reply URL and Redirect URI - For a web API or web application, the Reply URL is the location where Azure AD sends the authentication response, including a token if authentication succeeded. For a native application, the Redirect URI is a unique identifier to which Azure AD redirects the user-agent in an OAuth 2.0 request. Azure AD only sends responses to a URL that was registered, so this list is what keeps tokens from being redirected to a location an attacker controls; register only URLs you control.
    • Application ID - The ID for an application, generated by Azure AD when the application is registered. When requesting an authorization code or token, the Application ID is sent to Azure AD during authentication, together with the Key in the case of a confidential client such as a web application or daemon.
    • Key - The secret that is sent along with the Application ID when a confidential client authenticates to Azure AD to call a web API. Only code that runs on a server you control (a web application, web API, or daemon) can keep a key confidential; a native application running on a user's device cannot, and is registered without one.
  • Azure AD needs to ensure the application has the required permissions to access your directory data, other applications in your organization, and so on.

For details, learn how to register an app.

Single-tenant and multi-tenant apps

Provisioning becomes clearer when you understand that there are two categories of applications that can be developed and integrated with Azure AD:

  • Single-tenant application - A single-tenant application is intended for use in one organization. These are typically line-of-business (LoB) applications written by an enterprise developer. A single-tenant application only needs to be accessed by users in one directory, and as a result it only needs to be provisioned in one directory. These applications are typically registered by a developer in the organization.
  • Multi-tenant application - A multi-tenant application is intended for use in many organizations, not just one. These are typically software-as-a-service (SaaS) applications written by an independent software vendor (ISV). Multi-tenant applications need to be provisioned in each directory where they will be used, which requires user or administrator consent to register them. This consent process starts when the application has been registered in its home directory and given access to the Graph API or perhaps another web API. When a user or administrator from a different organization signs up to use the application, they are presented with a dialog that displays the permissions the application requires. The user or administrator can then consent to the application, which gives the application access to the stated data and finally registers the application in their directory. For more information, see Overview of the Consent Framework.

Additional considerations when developing single-tenant or multi-tenant apps

Some additional considerations arise when developing a multi-tenant application instead of a single-tenant application. For example, if you are making your application available to users in multiple directories, you need a mechanism to determine which tenant they're in. A single-tenant application only needs to look in its own directory for a user, while a multi-tenant application needs to identify a specific user from all the directories in Azure AD. To accomplish this, Azure AD provides a common authentication endpoint to which any multi-tenant application can direct sign-in requests, instead of a tenant-specific endpoint. This endpoint is https://login.partner.microsoftonline.cn/common for all directories in Azure AD, whereas a tenant-specific endpoint might be https://login.partner.microsoftonline.cn/contoso.partner.onmschina.cn. The common endpoint is especially important to consider when developing your application, because you'll need the necessary logic to handle multiple tenants during sign-in, sign-out, and token validation.

If you are currently developing a single-tenant application but want to make it available to many organizations, you can easily make changes to the application and its configuration in Azure AD to make it multi-tenant capable. In addition, Azure AD uses the same signing keys for all tokens in all directories, whether you are providing authentication in a single-tenant or a multi-tenant application. A consequence is that a valid signature alone does not tell you which tenant issued a token: any Azure AD tenant can produce a correctly signed token for your application once a user there has consented. A multi-tenant application must therefore read the issuer (or tenant ID) claim from each token and decide whether that tenant is one it serves, and a single-tenant application must check that the issuer is its own tenant, rather than accepting any issuer whose tokens verify.
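The tenant-pinning checks described in the two paragraphs above, as an added example (this is not code from the page or from Microsoft's samples). It assumes that a JWT library has already verified the token's signature against the keys published in the Azure AD discovery document, and it assumes an issuer template for Azure AD v1.0 tokens in the Azure China cloud (https://sts.chinacloudapi.cn/{tid}/), an App ID URI, and tenant IDs that are all illustrative values, not taken from the page:

```python
"""Claim checks a multi-tenant app must make on tokens obtained via /common.

Precondition (assumed, not shown here): the token's signature has already been
verified by a JWT library against the issuer's published keys. Because every
tenant's tokens are signed with the same keys, the signature cannot tell you
which tenant issued the token; the checks below pin that down.
"""
import base64
import json
import time

# Assumed values for illustration (not from the page): the v1.0 issuer template
# for the Azure China cloud, the App ID URI registered for this app, and the
# tenants the operator has chosen to admit.
ISSUER_TEMPLATE = "https://sts.chinacloudapi.cn/{tid}/"
EXPECTED_AUDIENCE = "https://contoso.partner.onmschina.cn/orders-api"
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",  # constructed: the app's home tenant
    "22222222-2222-2222-2222-222222222222",  # constructed: an onboarded customer
}


class TokenRejected(Exception):
    """Raised when a token fails a claim check; the message names the check."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def claims_from_jwt(token: str) -> dict:
    """Return the claim set of a compact JWT. Does NOT verify the signature;
    call it only on a token that has already been verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_multitenant_claims(claims: dict, allowed_tenants: set,
                                audience: str, now=None) -> str:
    """Pin the token to an admitted tenant and to this app.

    Order matters: `tid` must be an admitted tenant, `iss` must be the issuer
    for exactly that tenant (so an admitted tid cannot be paired with another
    tenant's issuer), `aud` must be this app, and the token must be in its
    validity window. Returns the tid so callers can scope data access to it."""
    now = time.time() if now is None else now

    tid = claims.get("tid")
    if tid not in allowed_tenants:
        raise TokenRejected(f"tenant {tid!r} is not admitted")

    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        raise TokenRejected(f"issuer {claims.get('iss')!r} does not match tenant {tid}")

    if claims.get("aud") != audience:
        raise TokenRejected(f"token was issued for {claims.get('aud')!r}, not this app")

    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise TokenRejected("token is not within its validity window")

    return tid


def demo_claims(tid: str, **overrides) -> dict:
    """Constructed claim set in the shape of an Azure AD v1.0 access token."""
    claims = {
        "iss": ISSUER_TEMPLATE.format(tid=tid),
        "tid": tid,
        "aud": EXPECTED_AUDIENCE,
        "nbf": 1_600_000_000,
        "exp": 1_600_003_600,
        "upn": "alice@example.test",
    }
    claims.update(overrides)
    return claims


def make_demo_token(claims: dict) -> str:
    """Constructed for this example: a JWT-shaped string with a placeholder
    signature so the claim checks can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"


def check_token(token: str, now: float = 1_600_000_100) -> str:
    """Return the admitted tid, or a 'rejected: ...' string naming the failed check."""
    try:
        return validate_multitenant_claims(claims_from_jwt(token), ALLOWED_TENANTS,
                                           EXPECTED_AUDIENCE, now=now)
    except TokenRejected as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    home = "11111111-1111-1111-1111-111111111111"
    stranger = "33333333-3333-3333-3333-333333333333"
    print(check_token(make_demo_token(demo_claims(home))))
    print(check_token(make_demo_token(demo_claims(stranger))))  # unknown tenant
    print(check_token(make_demo_token(demo_claims(home, iss=ISSUER_TEMPLATE.format(tid=stranger)))))
    print(check_token(make_demo_token(demo_claims(home, aud="https://contoso.partner.onmschina.cn/other-api"))))
```

A single-tenant application runs the same checks with `ALLOWED_TENANTS` holding only its home tenant; the mistake to avoid in either case is accepting an issuer that merely matches the general Azure AD pattern without confirming the tenant is one the application meant to serve.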

Each scenario listed in this document includes a subsection that describes its provisioning requirements. For more in-depth information about provisioning an application in Azure AD and the differences between single-tenant and multi-tenant applications, see Integrating applications with Azure Active Directory. Continue reading to understand the common application scenarios in Azure AD.

Next steps