Application model

Applications can sign in users themselves or delegate sign-in to an identity provider. This article discusses the steps that are required to register an application with the Microsoft identity platform.

Register an application

For an identity provider to know that a user has access to a particular app, both the user and the application must be registered with the identity provider. When you register your application with Azure Active Directory (Azure AD), you're providing an identity configuration for your application that allows it to integrate with the Microsoft identity platform. Registering the app also allows you to:

  • Customize the branding of your application in the sign-in dialog box. This branding is important because signing in is the first experience a user will have with your app.
  • Decide if you want to allow users to sign in only if they belong to your organization. This architecture is known as a single-tenant application. Or, you can allow users to sign in by using any work or school account, which is known as a multi-tenant application.
  • Request scope permissions. For example, you can request the "user.read" scope, which grants permission to read the profile of the signed-in user.
  • Define scopes that define access to your web API. Typically, when an app wants to access your API, it will need to request permissions to the scopes you define.
  • Share a secret with the Microsoft identity platform that proves the app's identity. Using a secret is relevant in the case where the app is a confidential client application. A confidential client application is an application that can hold credentials securely. A trusted back-end server is required to store the credentials.

After the app is registered, it's given a unique identifier that it shares with the Microsoft identity platform when it requests tokens. If the app is a confidential client application, it will also share the secret or the public key, depending on whether certificates or secrets were used.
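The following is an added example, not code from the original article or from Microsoft: it shows how the choices made at registration (single-tenant or multi-tenant audience, the requested scopes, and a client secret or a certificate for a confidential client) surface in the OAuth 2.0 authorization-code requests an app sends to the Microsoft identity platform. The endpoint paths and parameter names are the platform's documented v2.0 ones; the client ID, redirect URI, secret and assertion values are constructed placeholders, and nothing here touches the network.

```python
"""Added example (not from the original article): map app-registration
choices onto the requests sent to the Microsoft identity platform.
Only builds and inspects request parameters; makes no network calls."""
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY_HOST = "https://login.microsoftonline.com"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def authority_for(tenant_id: Optional[str]) -> str:
    """Single-tenant app: the authority is the owning tenant, so only that
    directory's accounts can sign in. Multi-tenant app: the 'organizations'
    endpoint accepts any work or school account."""
    tenant = tenant_id if tenant_id else "organizations"
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0"


def build_authorize_url(client_id, redirect_uri, scopes, tenant_id=None, state=None):
    """Authorization request for the code flow. `state` binds the eventual
    redirect back to this sign-in attempt; generate it randomly if absent."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,            # the unique identifier from registration
        "response_type": "code",
        "redirect_uri": redirect_uri,      # must match a registered redirect URI
        "response_mode": "query",
        "scope": " ".join(scopes),         # e.g. "user.read"
        "state": state,
    }
    return f"{authority_for(tenant_id)}/authorize?{urlencode(params)}", state


def validate_redirect(returned_url, expected_state):
    """Check the redirect from the authorization endpoint before using the
    code: the state must match, and an error response must not be mistaken
    for success. Returns the authorization code."""
    query = parse_qs(urlparse(returned_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request_body(client_id, code, redirect_uri, scopes,
                       client_secret=None, client_assertion=None):
    """Body of the POST to the token endpoint. A public client sends only
    the code; a confidential client additionally proves its identity with
    the registered secret, or with a JWT signed by the registered
    certificate (sent as a client assertion). Never both."""
    if client_secret and client_assertion:
        raise ValueError("use either a client secret or a certificate assertion, not both")
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    if client_secret:
        body["client_secret"] = client_secret
    elif client_assertion:
        body["client_assertion_type"] = JWT_BEARER
        body["client_assertion"] = client_assertion
    return body
```

The secret or certificate never appears in the browser-facing authorize URL; it is only added to the back-channel token request, which is why only a confidential client with a trusted back end can use one.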

The Microsoft identity platform represents applications by using a model that fulfills two main functions:

  • Identify the app by the authentication protocols it supports.
  • Provide all the identifiers, URLs, secrets, and related information that are needed to authenticate.

The Microsoft identity platform:

  • Holds all the data required to support authentication at runtime.
  • Holds all the data for deciding what resources an app might need to access, and under what circumstances a given request should be fulfilled.
  • Provides infrastructure for implementing app provisioning within the app developer's tenant, and to any other Azure AD tenant.
  • Handles user consent during token request time and facilitates the dynamic provisioning of apps across tenants.

Consent is the process of a resource owner granting authorization for a client application to access protected resources, under specific permissions, on behalf of the resource owner. The Microsoft identity platform enables:

  • Users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
  • Administrators to ultimately decide what apps are allowed to do and which users can use specific apps, and how the directory resources are accessed.

Multi-tenant apps

In the Microsoft identity platform, an application object describes an application. At deployment time, the Microsoft identity platform uses the application object as a blueprint to create a service principal, which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. The Microsoft identity platform creates a service principal from an application object through consent.

The following diagram shows a simplified Microsoft identity platform provisioning flow driven by consent. It shows two tenants: A and B.

  • Tenant A owns the application.
  • Tenant B is instantiating the application via a service principal.

Diagram: a simplified provisioning flow driven by consent.

In this provisioning flow:

  1. A user from tenant B attempts to sign in with the app. The authorization endpoint requests a token for the application.
  2. The user credentials are acquired and verified for authentication.
  3. The user is prompted to provide consent for the app to gain access to tenant B.
  4. The Microsoft identity platform uses the application object in tenant A as a blueprint for creating a service principal in tenant B.
  5. The user receives the requested token.

You can repeat this process for more tenants. Tenant A retains the blueprint for the app (application object). Users and admins of all the other tenants where the app is given consent keep control over what the application is allowed to do via the corresponding service principal object in each tenant. For more information, see Application and service principal objects in the Microsoft identity platform.
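The following is an added example, not code from the original article or from Microsoft: a small in-memory model of the consent-driven provisioning flow described above. Tenant A holds the application object (the blueprint); the first consented sign-in from a tenant B user creates a service principal in tenant B; tenant B's administrator then restricts or disables that service principal without touching tenant A's blueprint. The tenant, app and user names are constructed, the returned "token" is a plain dictionary of the claims that matter here, and the model simplifies consent to a per-tenant decision (as an admin consent would be) rather than per user.

```python
"""Added example (not from the original article): application objects,
service principals and consent, modelled in memory. A simplification of
the platform's behaviour, with constructed names throughout."""
from dataclasses import dataclass, field


@dataclass
class ApplicationObject:
    """The blueprint, owned by the developer's tenant."""
    app_id: str
    owner_tenant: str
    requested_scopes: frozenset
    multi_tenant: bool


@dataclass
class ServicePrincipal:
    """A concrete instance of the app inside one tenant; the tenant's own
    admins control what it may do here."""
    app_id: str
    tenant: str
    granted_scopes: set
    enabled: bool = True
    consented_users: set = field(default_factory=set)


class IdentityPlatform:
    def __init__(self):
        self.applications = {}        # app_id -> ApplicationObject
        self.service_principals = {}  # (app_id, tenant) -> ServicePrincipal

    def register_application(self, app_id, owner_tenant, scopes, multi_tenant):
        """Registration in the owning tenant creates only the blueprint;
        no service principal exists in any other tenant yet."""
        app = ApplicationObject(app_id, owner_tenant, frozenset(scopes), multi_tenant)
        self.applications[app_id] = app
        return app

    def sign_in(self, user, user_tenant, app_id, consent_granted):
        """Steps 1-5 of the article's flow: token request, credential check
        (assumed already done by the caller), consent, service principal
        creation on first consent, then token issuance."""
        app = self.applications.get(app_id)
        if app is None:
            raise PermissionError("unknown application")
        if not app.multi_tenant and user_tenant != app.owner_tenant:
            raise PermissionError("single-tenant app: only the owner tenant's users may sign in")
        key = (app_id, user_tenant)
        sp = self.service_principals.get(key)
        if sp is None:
            # Step 3/4: consent instantiates the blueprint in this tenant.
            if not consent_granted:
                raise PermissionError("consent required to provision the app in this tenant")
            sp = ServicePrincipal(app_id, user_tenant, set(app.requested_scopes))
            self.service_principals[key] = sp
        if not sp.enabled:
            raise PermissionError("application disabled in this tenant by its admins")
        sp.consented_users.add(user)
        # Step 5: the token's permissions come from the tenant's service
        # principal, not from the blueprint in tenant A.
        return {"aud": app_id, "tid": user_tenant, "sub": user,
                "scp": " ".join(sorted(sp.granted_scopes))}

    def admin_restrict(self, tenant, app_id, allowed_scopes=None, enabled=True):
        """Tenant admins narrow or switch off the app in their own tenant only."""
        sp = self.service_principals[(app_id, tenant)]
        if allowed_scopes is not None:
            sp.granted_scopes &= set(allowed_scopes)
        sp.enabled = enabled
        return sp
```

The point to take from running it is the asymmetry: the requested scopes live on the application object in tenant A, but the scopes a token actually carries for a tenant B user come from tenant B's service principal, so tenant B can cut them down or disable the app without any change in tenant A.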

Next steps

For more information about authentication and authorization in the Microsoft identity platform, see the following articles:

  • To learn about the basic concepts of authentication and authorization, see Authentication vs. authorization.
  • To learn how access tokens, refresh tokens, and ID tokens are used in authentication and authorization, see Security tokens.
  • To learn about the sign-in flow of web, desktop, and mobile apps, see App sign-in flow.

For more information about the application model, see the following articles: