Application model

Applications can sign in users themselves or delegate sign-in to an identity provider. This topic discusses the steps that are required to register an application with Microsoft identity platform.

Registering an application

For an identity provider to know that a user has access to a particular app, both the user and the application must be registered with the identity provider. When you register your application with Azure AD, you are providing an identity configuration for your application that allows it to integrate with Microsoft identity platform. Registering the app also allows you to:

  • Customize the branding of your application in the sign-in dialog. This is important because this is the first experience a user will have with your app.
  • Decide if you want to let users sign in only if they belong to your organization. This is a single tenant application. Or allow users to sign in using any work or school account. This is a multi-tenant application.
  • Request scope permissions. For example, you can request the "user.read" scope, which grants permission to read the profile of the signed-in user.
  • Define scopes that define access to your web API. Typically, when an app wants to access your API, it will need to request permissions to the scopes you define.
  • Share a secret with Microsoft identity platform that proves the app's identity. This is relevant in the case where the app is a confidential client application. A confidential client application is an application that can hold credentials securely. They require a trusted backend server to store the credentials.

Once registered, the application will be given a unique identifier that the app shares with Microsoft identity platform when it requests tokens. If the app is a confidential client application, it will also share the secret or the public key, depending on whether certificates or secrets were used.
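To make the registration data concrete, the following added example (not Microsoft's code, and not a substitute for an MSAL library) builds the token request a confidential client sends with the secret-based credential described above: the client id assigned at registration plus the secret, sent to the v2.0 token endpoint with the client credentials grant. The tenant id, client id and secret values are placeholders; the secret is read from an environment variable so it never sits in source, and a redaction helper shows how to log the request without leaking it.

```python
"""Added example: the token request a confidential client makes with its
registered client id and secret. Not Microsoft's code; illustrative only."""
import os
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint; {tenant} is the directory id.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def client_credentials_request(tenant: str, client_id: str, scope: str, client_secret: str):
    """Return (url, form body) for the OAuth 2.0 client credentials grant.

    client_id is the unique identifier given at registration; client_secret is the
    credential shared with the platform that proves the app's identity. A public
    client has no such credential and cannot use this grant.
    """
    if not client_secret:
        raise ValueError("confidential client needs a credential; none supplied")
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,                       # e.g. https://graph.microsoft.com/.default
        "grant_type": "client_credentials",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def form_encode(body: dict) -> str:
    """application/x-www-form-urlencoded body, as an HTTP client would send it."""
    return urlencode(body)


def redact_for_log(body: dict) -> dict:
    """Copy of the body safe for logs: the secret is masked, everything else kept."""
    return {k: ("***" if k == "client_secret" else v) for k, v in body.items()}


if __name__ == "__main__":
    # Placeholder identifiers; the secret comes from the environment, never from code.
    url, body = client_credentials_request(
        tenant="00000000-0000-0000-0000-000000000000",   # placeholder tenant id
        client_id="11111111-1111-1111-1111-111111111111",  # placeholder client id
        scope="https://graph.microsoft.com/.default",
        client_secret=os.environ.get("APP_CLIENT_SECRET", "placeholder-secret"),
    )
    print("POST", url)
    print("body (redacted):", form_encode(redact_for_log(body)))
```

In production the request is made by MSAL or another OAuth 2.0 library over TLS; the point here is which registration values travel in it and that only the redacted form should ever reach a log.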

Microsoft identity platform represents applications using a model that fulfills two main functions:

  • Identify the app by the authentication protocols it supports
  • Provide all the identifiers, URLs, secrets, and related information that are needed to authenticate

Microsoft identity platform:

  • Holds all the data required to support authentication at runtime
  • Holds all the data for deciding what resources an app might need to access, and under what circumstances a given request should be fulfilled
  • Provides infrastructure for implementing app provisioning within the app developer's tenant, and to any other Azure AD tenant
  • Handles user consent during token request time and facilitates the dynamic provisioning of apps across tenants

Consent is the process of a resource owner granting authorization for a client application to access protected resources, under specific permissions, on behalf of the resource owner. Microsoft identity platform:

  • Enables users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
  • Enables administrators to ultimately decide what apps are allowed to do and which users can use specific apps, and how the directory resources are accessed.

Multi-tenant apps

In Microsoft identity platform, an application object describes an application. At deployment time, Microsoft identity platform uses the application object as a blueprint to create a service principal, which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. Microsoft identity platform creates a service principal from an application object through consent.

The following diagram shows a simplified Microsoft identity platform provisioning flow driven by consent. It shows two tenants: A and B.

  • Tenant A owns the application.
  • Tenant B is instantiating the application via a service principal.

Simplified provisioning flow driven by consent

In this provisioning flow:

  1. A user from tenant B attempts to sign in with the app; the authorization endpoint requests a token for the application.
  2. The user credentials are acquired and verified for authentication.
  3. The user is prompted to provide consent for the app to gain access to tenant B.
  4. Microsoft identity platform uses the application object in tenant A as a blueprint for creating a service principal in tenant B.
  5. The user receives the requested token.

You can repeat this process for additional tenants. Tenant A retains the blueprint for the app (application object). Users and admins of all the other tenants where the app is given consent keep control over what the application is allowed to do via the corresponding service principal object in each tenant. For more information, see Application and service principal objects in Microsoft identity platform.
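The relationship between the application object, the per-tenant service principal and consent is easier to see in a small model. The following added example is not Microsoft's code or a representation of how Azure AD stores these objects; it is a toy directory in which tenant A owns the blueprint, consent in tenant B creates a service principal carrying only the scopes that were granted there, and an admin in tenant B can revoke scopes without affecting tenant A's application object. Tenant ids, app ids and scope names are placeholders, and the model simplifies by requiring consent in every tenant, the home tenant included.

```python
"""Added example (not Microsoft's code): a toy model of application objects,
service principals and consent across two tenants, following the flow above."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ApplicationObject:
    """The blueprint owned by the home tenant: the app's id and the scopes it declares."""
    app_id: str
    requested_scopes: frozenset


@dataclass
class ServicePrincipal:
    """The instance in one tenant: what that tenant has actually allowed the app to do."""
    app_id: str
    tenant_id: str
    granted_scopes: set = field(default_factory=set)


class Directory:
    """One tenant: the application objects it owns and the service principals it hosts."""

    def __init__(self, tenant_id: str):
        self.tenant_id = tenant_id
        self.apps: dict[str, ApplicationObject] = {}
        self.service_principals: dict[str, ServicePrincipal] = {}

    def register_app(self, app_id: str, requested_scopes) -> ApplicationObject:
        """Registration creates the blueprint; it grants nothing by itself."""
        app = ApplicationObject(app_id, frozenset(requested_scopes))
        self.apps[app_id] = app
        return app


def consent(home: Directory, target: Directory, app_id: str, scopes) -> ServicePrincipal:
    """A user or admin in `target` consents. The service principal is created from the
    blueprint held in `home` (step 4 of the flow) and receives only the consented scopes,
    which must be a subset of what the application object declares."""
    blueprint = home.apps[app_id]
    scopes = set(scopes)
    if not scopes <= blueprint.requested_scopes:
        raise ValueError(f"app never declared {scopes - blueprint.requested_scopes}")
    sp = target.service_principals.setdefault(
        app_id, ServicePrincipal(app_id, target.tenant_id))
    sp.granted_scopes |= scopes
    return sp


def revoke(target: Directory, app_id: str, scopes) -> None:
    """An admin in `target` withdraws permissions; the home tenant's blueprint is untouched."""
    target.service_principals[app_id].granted_scopes -= set(scopes)


def token_scopes(target: Directory, app_id: str, requested):
    """Scopes a token issued in `target` would carry. None means the app has no service
    principal there (never consented to), so no token is issued at all."""
    sp = target.service_principals.get(app_id)
    if sp is None:
        return None
    return sorted(set(requested) & sp.granted_scopes)


if __name__ == "__main__":
    tenant_a, tenant_b = Directory("tenant-a"), Directory("tenant-b")
    tenant_a.register_app("app-1", {"User.Read", "Mail.Read"})  # placeholder scopes
    consent(tenant_a, tenant_b, "app-1", {"User.Read"})           # B grants only one
    print(token_scopes(tenant_b, "app-1", {"User.Read", "Mail.Read"}))  # ['User.Read']
    revoke(tenant_b, "app-1", {"User.Read"})
    print(token_scopes(tenant_b, "app-1", {"User.Read"}))         # []
    print(sorted(tenant_a.apps["app-1"].requested_scopes))        # blueprint unchanged
```

The check worth noticing is in `consent`: a tenant can grant less than the blueprint declares but never more, and what a token carries in tenant B is decided by B's service principal, not by tenant A.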

Next steps

For other topics covering authentication and authorization basics:

  • See Authentication vs. authorization to learn about the basic concepts of authentication and authorization in Microsoft identity platform.
  • See Security tokens to learn how access tokens, refresh tokens, and ID tokens are used in authentication and authorization.
  • See App sign-in flow to learn about the sign-in flow of web, desktop, and mobile apps in Microsoft identity platform.

To learn more about the application model: