Authentication flows and application scenarios

The Microsoft identity platform (v2.0) endpoint supports authentication for a variety of modern app architectures, all of them based on the industry-standard protocols OAuth 2.0 and OpenID Connect. Using the authentication libraries, applications authenticate identities and acquire tokens to access protected APIs. This article describes the different authentication flows and the application scenarios they're used in. It also lists which authentication flows each application scenario supports, and which platforms and languages each scenario is available on.

Application categories

Tokens can be acquired from a number of application types: web applications, mobile or desktop applications, web APIs, and applications running on devices that don't have a browser (IoT devices, for instance). Applications can be categorized as follows:

Protected resources vs. client applications

Authentication scenarios involve two activities:

  • Acquiring security tokens for a protected web API. Microsoft recommends that you use authentication libraries to acquire tokens, in particular the Microsoft Authentication Libraries family (MSAL).
  • Protecting a web API (or a web app). One of the challenges of protecting a resource (web app or web API) is validating the security token. Microsoft offers middleware libraries for this on some platforms.

With users or without users

Most authentication scenarios acquire tokens on behalf of a (signed-in) user.

[Image: scenarios with users]

However, there are also scenarios (daemon apps) where applications acquire tokens on behalf of themselves, with no user involved.

[Image: daemon apps]

Single-page applications, public client applications, and confidential client applications

Security tokens can be acquired from a number of application types. Applications tend to be separated into three categories:

  • Single-page applications (SPA) are a form of web application where tokens are acquired by the app running in the browser (written in JavaScript or TypeScript). Many modern apps have a single-page app front end that is primarily written in JavaScript, often using a framework like Angular, React, or Vue. MSAL.js is the only Microsoft authentication library supporting single-page applications.

  • Public client applications always sign in users. These apps are:

    • Desktop applications calling web APIs on behalf of the signed-in user.
    • Mobile applications.
    • A third category of applications running on devices that don't have a browser (browserless apps, running on IoT devices for instance).

    They're represented by the MSAL class named PublicClientApplication.

  • Confidential client applications

    • Web applications calling a web API
    • Web APIs calling a web API
    • Daemon applications (even when implemented as a console service such as a daemon on Linux or a Windows service)

    These types of apps use the ConfidentialClientApplication class.

Application scenarios

The Microsoft identity platform endpoint supports authentication for a variety of app architectures: single-page apps, web apps, web APIs, mobile and native apps, and daemons and server-side apps. Applications use the various authentication flows to sign in users and get tokens to call protected APIs.

Single-page application

Many modern web applications are built as client-side single-page applications written using JavaScript or a SPA framework such as Angular, Vue.js, or React.js. These applications run in a web browser and have different authentication characteristics than traditional server-side web applications. The Microsoft identity platform enables single-page applications to sign in users and get tokens to access backend services or web APIs.

[Image: single-page application]

For more information, read Single-page applications.

Web application signing in a user

[Image: web app signing in a user]

To protect a web app (signing in the user), you'll use:

  • In the .NET world, ASP.NET or ASP.NET Core with the ASP.NET OpenID Connect middleware. Under the hood, protecting a resource involves validating the security token, which is done by the IdentityModel extensions for .NET library, not by the MSAL libraries.

  • If you develop in Node.js, you'll use Passport.js.

For more information, read Web app that signs in users.

Web application signing in a user and calling a web API on behalf of the user

[Image: web app calling a web API]

From the web app, to call the web API on behalf of the user, use MSAL's ConfidentialClientApplication. You'll use the authorization code flow, storing the acquired token in the token cache. The controller then acquires tokens silently from the cache when needed, and MSAL refreshes the token if needed.

For more information, read Web app that calls web APIs.

Desktop application calling a web API on behalf of the signed-in user

To call a web API from a desktop application that signs in users, use the interactive token acquisition methods of MSAL's PublicClientApplication. These interactive methods let you control the sign-in UI experience. To enable this interaction, MSAL uses a web browser.

[Image: desktop app]
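The interactive acquisition described above is the authorization code flow with PKCE (the flow table later on this page names it for desktop and mobile apps). The following added example is not MSAL's or the identity platform's code; it shows, in Python, the PKCE values a public client computes, where each one travels, and the check the authorization server performs at the token endpoint. The client id, redirect URI, scope and authority are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Dict
from urllib.parse import urlencode

# Constructed values for the example; a real app takes them from its app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder client id
REDIRECT_URI = "http://localhost:8400/redirect"
SCOPE = "openid profile api://example-api-placeholder/access_as_user"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy secret the client keeps in memory for one sign-in.
    32 random bytes encode to 43 characters, the minimum length RFC 7636 allows."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: the challenge is the base64url SHA-256 of the verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_request(authority: str, verifier: str, state: str) -> str:
    """Authorization request URL the client opens in the browser.
    Only the challenge travels in the front channel; the verifier never does."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> Dict[str, str]:
    """Back-channel POST body that redeems the code; this is where the verifier is revealed."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side: recompute the challenge from the presented verifier and
    compare it in constant time with the one stored when the code was issued. An
    authorization code intercepted on the redirect is useless without the verifier."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```

The verifier is generated fresh for every sign-in and lives only in the client process; persisting it, or reusing it across sign-ins, removes the protection the flow provides against an intercepted authorization code.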

For Windows-hosted applications running on computers joined to a Windows domain or to AAD, there's another possibility: these applications can acquire a token silently by using Integrated Windows Authentication.

Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user has to sign in on another device that has a web browser. To enable this scenario, you'll need to use the device code flow.

[Image: device code flow]
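A constructed walk-through of the device code exchange described above, written as an added example rather than MSAL's or the identity platform's code: a toy authorization server issues the device and user codes, the browserless device polls the token endpoint while the user signs in elsewhere, and the server enforces the polling interval, the code lifetime, and single redemption. The verification URI, client id, user name and clock are assumed values.

```python
import secrets
from typing import Any, Callable, Dict, List, Tuple

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or look-alike digits; easy to type


class FakeClock:
    """Controllable time source so the exchange runs deterministically and offline."""

    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class DeviceAuthorizationServer:
    """Authorization-server side of the device code grant (RFC 8628), reduced to its state machine."""

    def __init__(self, now: Callable[[], float], lifetime: int = 900, interval: int = 5) -> None:
        self._now = now
        self.lifetime = lifetime
        self.interval = interval
        self._pending: Dict[str, Dict[str, Any]] = {}  # device_code -> request record

    def device_authorization(self, client_id: str, scope: str) -> Dict[str, Any]:
        """POST /devicecode: mint the pair of codes and tell the device how to poll."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "status": "pending", "user": None,
            "expires_at": self._now() + self.lifetime, "last_poll": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example.invalid/device",  # assumed
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def approve(self, user_code: str, user: str) -> bool:
        """What the verification page does after the user signs in on the second device."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["status"] == "pending":
                rec["status"], rec["user"] = "approved", user
                return True
        return False

    def token(self, device_code: str, client_id: str) -> Dict[str, Any]:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self._now()
        if now > rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}  # client must back off; record left untouched
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # a device code is redeemable exactly once
        return {
            "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"],
            # In a real deployment this is a signed JWT for the user and scope.
            "access_token": f"constructed-token-for-{rec['user']}",
        }


def run_exchange(server: DeviceAuthorizationServer, clock: FakeClock,
                 client_id: str = "device-client-placeholder",
                 scope: str = "User.Read") -> Tuple[List[str], Dict[str, Any]]:
    """Drive both sides once; return the token-endpoint outcomes and the final response."""
    start = server.device_authorization(client_id, scope)
    outcomes: List[str] = []

    def poll() -> Dict[str, Any]:
        resp = server.token(start["device_code"], client_id)
        outcomes.append(resp.get("error", "access_token"))
        return resp

    poll()                                  # user has not visited the verification page yet
    clock.advance(1)
    poll()                                  # polling faster than 'interval' is refused
    server.approve(start["user_code"], "alice@example.invalid")  # done on the second device
    clock.advance(server.interval)
    return outcomes, poll()
```

The device never sees the user's credentials; it only learns that the code it was issued has been approved, which is why this flow suits devices without a browser and why the user code is short enough to type on another device.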

Finally, though it's not recommended, you can use username/password in public client applications. This flow is still needed in some scenarios, but beware that using it imposes constraints on your application. For instance, apps using this flow won't be able to sign in a user who needs to perform multi-factor authentication. Authentication with username/password goes against the principles of modern authentication and is only provided for legacy reasons.

In desktop applications, if you want the token cache to be persistent, you should customize the token cache serialization. You can even make the token cache backward and forward compatible with previous generations of authentication libraries (ADAL.NET 3.x and 4.x) by implementing dual token cache serialization.

For more information, read Desktop app that calls web APIs.

Mobile application calling a web API on behalf of the user who's signed in interactively

Similar to desktop applications, a mobile application uses the interactive token acquisition methods of MSAL's PublicClientApplication to acquire a token to call a web API.

[Image: mobile app]

MSAL iOS and MSAL Android use the system web browser by default. However, you can also direct them to use the embedded web view. There are specifics depending on the mobile platform (UWP, iOS, Android).

Some scenarios require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal (on Android) and Microsoft Authenticator (Android and iOS). MSAL is now capable of interacting with brokers.

Note

Your mobile app (using MSAL.iOS, MSAL.Android, or MSAL.NET/Xamarin) can have app protection policies applied to it (for instance, preventing the user from copying some protected text). This is managed by Intune, which recognizes the app as a managed app. The Intune SDK is separate from the MSAL libraries and talks to AAD on its own.

For more information, read Mobile app that calls web APIs.

Protected web API

You can use the Microsoft identity platform endpoint to secure web services, such as your app's RESTful web API. A protected web API is called with an access token, which secures its data and authenticates incoming requests. The caller of a web API appends an access token in the Authorization header of the HTTP request. If you want to protect your ASP.NET or ASP.NET Core web API, you need to validate the access token. For this, you'll use the ASP.NET JWT middleware. Under the hood, the validation is done by the IdentityModel extensions for .NET library, not by MSAL.NET.
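The checks the JWT middleware performs before a request reaches a controller, written out as an added Python example (not the IdentityModel or ASP.NET code): extract the bearer token from the Authorization header, verify the signature, and reject tokens with an unexpected algorithm, the wrong issuer or audience, or a validity window outside the allowed clock skew. To stay self-contained it uses an HMAC-SHA256 key as a stand-in for the RS256 keys a real API fetches from the issuer's published signing keys; the issuer, audience and key are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple

# Constructed values; a real API takes issuer and audience from its app registration
# and the signing keys from the issuer's JWKS document, not from a shared secret.
ISSUER = "https://login.example.invalid/tenant-id-placeholder/v2.0"
AUDIENCE = "api://example-web-api-placeholder"
SIGNING_KEY = b"constructed-shared-secret-for-demo-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict[str, Any], key: bytes, alg: str = "HS256") -> str:
    """Stand-in for the issuer: HMAC-SHA256 over header.payload (RS256 in production)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenValidationError(Exception):
    pass


def validate_access_token(token: str, key: bytes, issuer: str, audience: str,
                          now: Optional[float] = None, leeway: int = 60) -> Dict[str, Any]:
    """Return the claims only if every check passes; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        raise TokenValidationError("malformed header")
    # Pin the algorithm: the header is attacker-controlled, so 'none' or a
    # different family must never select the verification method.
    if header.get("alg") != "HS256":
        raise TokenValidationError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise TokenValidationError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise TokenValidationError("wrong issuer")
    aud = claims.get("aud")
    if audience not in ([aud] if isinstance(aud, str) else aud or []):
        raise TokenValidationError("wrong audience")  # token was minted for another API
    now = time.time() if now is None else now
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenValidationError("expired")
    if now + leeway < claims.get("nbf", 0):
        raise TokenValidationError("not yet valid")
    return claims


def bearer_token_from_header(authorization: Optional[str]) -> Optional[str]:
    if not authorization:
        return None
    scheme, _, value = authorization.partition(" ")
    return value.strip() if scheme.lower() == "bearer" and value.strip() else None


def authorize_request(headers: Dict[str, str], key: bytes, issuer: str, audience: str,
                      now: Optional[float] = None) -> Tuple[int, Optional[Dict[str, Any]]]:
    """Middleware decision: (200, claims) or (401, None); the controller never sees a bad token."""
    token = bearer_token_from_header(headers.get("Authorization"))
    if token is None:
        return 401, None
    try:
        return 200, validate_access_token(token, key, issuer, audience, now=now)
    except TokenValidationError:
        return 401, None
```

Signature, issuer and audience are checked before any claim is trusted; checking scopes or roles from the claims (for example the scp claim) is the controller's authorization step and comes after this gate.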

For more information, read Protected web API.

Web API calling another downstream web API on behalf of the user for whom it was called

If, moreover, you want your ASP.NET or ASP.NET Core protected web API to call another web API on behalf of the user, the app needs to acquire a token for the downstream web API by using the ConfidentialClientApplication method that acquires a token on behalf of a user. This is also called a service-to-service call. Web APIs calling other web APIs also need to provide a custom cache serialization.

[Image: web API calling a web API]

For more information, read Web API that calls web APIs.

Desktop/service or web daemon application calling a web API without a user (in its own name)

Apps that have long-running processes or that operate without user interaction also need a way to access secured web APIs. These apps can authenticate and get tokens by using the app's identity, rather than a user's delegated identity. They prove their identity using a client secret or certificate. You can write such apps (daemon apps), which acquire a token for the app itself, using the client credentials acquisition methods of MSAL's ConfidentialClientApplication. These methods assume that the app has previously registered a secret (application password, certificate, or client assertion) with Azure AD, which it then presents in this call.

[Image: daemon app]

For more information, read Daemon application that calls web APIs.

Scenarios and supported authentication flows

Scenarios that involve acquiring tokens also map to the OAuth 2.0 authentication flows described in detail in Microsoft identity platform protocols.

| Scenario | Detailed scenario walk-through | OAuth 2.0 flow/grant | Audience |
|---|---|---|---|
| Single-page app | Single-page app | Implicit | Work or school accounts, B2C |
| Web app that signs in users | Web app that signs in users | Authorization code | Work or school accounts, B2C |
| Web app that calls web APIs | Web app that calls web APIs | Authorization code | Work or school accounts, B2C |
| Desktop app that calls web APIs | Desktop app that calls web APIs | Interactive (authorization code with PKCE) | Work or school accounts, B2C |
| | | Integrated Windows | Work or school accounts |
| | | Resource owner password | Work or school accounts, B2C |
| | | Device code | Work or school accounts* |
| Mobile app that calls web APIs | Mobile app that calls web APIs | Interactive (authorization code with PKCE) | Work or school accounts, B2C |
| | | Resource owner password | Work or school accounts, B2C |
| Daemon app | Daemon app | Client credentials | App-only permissions (no user), only on AAD organizations |
| Web API that calls web APIs | Web API that calls web APIs | On-behalf-of | Work or school accounts |

Scenarios and supported platforms and languages

Not every application type is available on every platform, and you can use various languages to build your applications. The Microsoft Authentication Libraries support a number of platforms (JavaScript, .NET Framework, .NET Core, Windows 10/UWP, Xamarin.iOS, Xamarin.Android, native iOS, native Android, Java, Python).

| Scenario | Windows | Linux | Mac | iOS | Android |
|---|---|---|---|---|---|
| Single-page app | MSAL.js | MSAL.js | MSAL.js | MSAL.js | MSAL.js |
| Web app that signs in users | ASP.NET, ASP.NET Core | ASP.NET Core | ASP.NET Core | | |
| Web app that calls web APIs | ASP.NET + MSAL.NET, ASP.NET Core + MSAL.NET, msal4j, Flask + MSAL Python | ASP.NET Core + MSAL.NET, msal4j, Flask + MSAL Python | ASP.NET Core + MSAL.NET, msal4j, Flask + MSAL Python | | |
| Desktop app that calls web APIs (including the device code flow) | MSAL.NET (.NET Framework and .NET Core), msal4j, MSAL Python | MSAL.NET (.NET Core), msal4j, MSAL Python | MSAL.NET (.NET Core), msal4j, MSAL Python | | |
| Mobile app that calls web APIs | UWP (MSAL.NET) | | | Xamarin (MSAL.NET), Objective-C or Swift (MSAL.iOS) | Android (MSAL.Android) |
| Daemon app | MSAL.NET (.NET Framework and .NET Core), msal4j, MSAL Python | MSAL.NET (.NET Core), msal4j, MSAL Python | MSAL.NET (.NET Core), msal4j, MSAL Python | | |
| Web API that calls web APIs | MSAL.NET (.NET Framework and .NET Core), msal4j, MSAL Python | MSAL.NET (.NET Core), msal4j, MSAL Python | MSAL.NET (.NET Core), msal4j, MSAL Python | | |

See also Microsoft-supported libraries by OS / language.

Next steps

Learn more about authentication basics and access tokens.