Authentication flows and application scenarios

The Microsoft identity platform (v2.0) endpoint supports authentication for different kinds of modern application architectures. All of the architectures are based on the industry-standard protocols OAuth 2.0 and OpenID Connect. By using the authentication libraries for the Microsoft identity platform, applications authenticate identities and acquire tokens to access protected APIs.

This article describes authentication flows and the application scenarios in which they're used.

Application categories

Tokens can be acquired from several types of applications, including:

  • Web apps
  • Mobile apps
  • Desktop apps
  • Web APIs

Tokens can also be acquired by apps running on devices that don't have a browser or that run on the Internet of Things (IoT).

The following sections describe the categories of applications.

Protected resources vs. client applications

Authentication scenarios involve two activities:

  • Acquiring security tokens for a protected web API: We recommend that you use Microsoft-supported client libraries to acquire tokens, in particular the Microsoft Authentication Library (MSAL) family.
  • Protecting a web API or a web app: One challenge of protecting these resources is validating the security token. On some platforms, Microsoft offers middleware libraries that do this validation for you.

With users or without users

Most authentication scenarios acquire tokens on behalf of signed-in users.

Figure: Scenarios with users

However, there are also daemon apps. In these scenarios, applications acquire tokens on behalf of themselves, with no user involved.

Figure: Scenarios with daemon apps

Single-page, public client, and confidential client applications

Security tokens can be acquired by multiple types of applications. These applications tend to fall into the following three categories, each of which is used with different libraries and objects.

  • Single-page applications: Also known as SPAs, these are web apps in which tokens are acquired by a JavaScript or TypeScript app running in the browser. Many modern apps have a single-page application front end that's written primarily in JavaScript, often using a framework like Angular, React, or Vue. MSAL.js is the only Microsoft authentication library that supports single-page applications.

  • Public client applications: Apps in this category, like the following types, always sign in users. They run on the user's device and can't keep a secret, so they never hold a client secret or certificate:

    • Desktop apps that call web APIs on behalf of signed-in users
    • Mobile apps
    • Apps running on devices that don't have a browser, like those running on IoT
  • Confidential client applications: Apps in this category run on a server where they can hold a client secret or certificate. They include:

    • Web apps that call a web API
    • Web APIs that call a web API
    • Daemon apps, even when implemented as a console service like a Linux daemon or a Windows service

Sign-in audience

The available authentication flows differ depending on the sign-in audience.

For more information, see Supported account types.

Application scenarios

The Microsoft identity platform endpoint supports authentication for these app architectures:

  • Single-page apps
  • Web apps
  • Web APIs
  • Mobile apps
  • Native apps
  • Daemon apps
  • Server-side apps

Applications use the different authentication flows to sign in users and get tokens to call protected APIs.

Single-page application

Many modern web apps are built as client-side single-page applications. These applications use JavaScript or a framework like Angular, Vue, or React, and they run in a web browser.

Single-page applications differ from traditional server-side web apps in terms of authentication characteristics. By using the Microsoft identity platform, single-page applications can sign in users and get tokens to access back-end services or web APIs. The Microsoft identity platform offers two grant types for JavaScript applications:

Library | Flow
MSAL.js (2.x) | Single-page application authentication (authorization code flow with PKCE)
MSAL.js (1.x) | Implicit single-page application (implicit flow)

Prefer the authorization code flow with PKCE (MSAL.js 2.x) for new apps. The implicit flow returns tokens in the URL fragment and is retained for MSAL.js 1.x applications.

Web app that signs in a user

Figure: Web app that signs in users

To help protect a web app that signs in a user:

  • If you develop in .NET, you use ASP.NET or ASP.NET Core with the ASP.NET OpenID Connect middleware. Protecting a resource involves validating the security token, which is done by the IdentityModel extensions for .NET, not by the MSAL libraries.

  • If you develop in Node.js, you use Passport.js.

For more information, see Web app that signs in users.

Web app that signs in a user and calls a web API on behalf of the user

Figure: Web app that calls web APIs

To call a web API from a web app on behalf of a user, use the authorization code flow and store the acquired tokens in the token cache. When needed, MSAL refreshes tokens, and the controller silently acquires tokens from the cache.
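As an added example (not code from the page or from MSAL), the following Python sketches the client side of the authorization code flow described here, which is also the basis of the PKCE variants listed for single-page, desktop and mobile apps: it generates a PKCE verifier/challenge pair, builds the /authorize request with a state value, checks the state echoed back on the redirect before accepting the code, and assembles the /token request. The authority, client ID and redirect URI are placeholders, and the HTTP calls themselves are left out so the code runs offline.

```python
"""Client side of the authorization code flow with PKCE and state.

Added example (not MSAL code). The HTTP calls are omitted; the functions
build and check the messages a client exchanges with the identity platform.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values assumed for this example, not a real app registration.
AUTHORITY = "https://login.microsoftonline.com/common"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "http://localhost:5000/redirect"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier; 32 random bytes encode to 43 characters."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(scopes, verifier, state):
    """The /authorize request that opens the sign-in page (browser redirect)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the app.

    The state must match the one this client generated; otherwise the
    redirect may be forged (CSRF) or replayed, and the code is not exchanged.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]


def build_token_request(code, verifier, scopes, client_secret=None):
    """Form body for POST {AUTHORITY}/oauth2/v2.0/token.

    A public client (SPA, desktop, mobile) proves possession of the
    verifier only; a confidential client (web app) also sends its secret.
    """
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "code_verifier": verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(["User.Read"], verifier, state))
```

In practice MSAL does all of this for you; the sketch shows what the library protects you from. A redirect whose state does not match is dropped rather than exchanged, the verifier never leaves the client until the token request, and a public client never sends a client_secret because it cannot keep one.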

For more information, see Web app that calls web APIs.

Desktop app that calls a web API on behalf of a signed-in user

For a desktop app to call a web API on behalf of a signed-in user, use the interactive token-acquisition methods of MSAL. With these interactive methods, you can control the sign-in UI experience. MSAL uses a web browser for this interaction.

Figure: Desktop app that calls web APIs

There's another possibility for Windows-hosted applications on computers joined to a Windows domain or to Azure Active Directory (Azure AD): these applications can silently acquire a token by using Integrated Windows Authentication.

Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user must sign in on another device that has a web browser. This scenario requires the device code flow.

Figure: Device code flow
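The polling half of that flow, as an added example that is not MSAL code: after the app has shown the user the verification URL and user code from the /devicecode response, it polls the token endpoint with the device code until the user completes sign-in on the other device. The loop handles the responses defined for the flow: authorization_pending (keep polling), slow_down (per RFC 8628, add 5 seconds to the interval), and the terminal errors expired_token, authorization_declined and bad_verification_code. The HTTP POST is passed in as a callable, and a constructed fake endpoint stands in for it so the example runs offline; the client ID and device code values are placeholders.

```python
"""Device code flow: the client's polling loop.

Added example (not MSAL code). `post_token` stands in for the HTTP POST to
{authority}/oauth2/v2.0/token and returns the parsed JSON body; sleep and
clock are injectable so the loop can be exercised offline.
"""
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
TERMINAL_ERRORS = ("expired_token", "authorization_declined", "bad_verification_code")


class DeviceFlowError(Exception):
    pass


def build_devicecode_request(client_id: str, scopes) -> dict:
    """Body for POST {authority}/oauth2/v2.0/devicecode (step 1)."""
    return {"client_id": client_id, "scope": " ".join(scopes)}


def user_prompt(devicecode_response: dict) -> str:
    """What the app shows the user: where to go and which code to type."""
    return (f"Sign in at {devicecode_response['verification_uri']} "
            f"and enter the code {devicecode_response['user_code']}")


def poll_for_token(devicecode_response, client_id, post_token,
                   sleep=time.sleep, clock=time.monotonic):
    """Step 2: poll the token endpoint until sign-in completes or the code dies."""
    body = {
        "grant_type": DEVICE_CODE_GRANT,
        "client_id": client_id,
        "device_code": devicecode_response["device_code"],
    }
    interval = devicecode_response.get("interval", 5)
    deadline = clock() + devicecode_response["expires_in"]
    while True:
        if clock() > deadline:
            raise DeviceFlowError("device code expired before the user signed in")
        resp = post_token(body)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            pass                      # user hasn't finished yet; keep waiting
        elif err == "slow_down":
            interval += 5             # RFC 8628: back off by 5 seconds
        elif err in TERMINAL_ERRORS:
            raise DeviceFlowError(err)
        else:
            raise DeviceFlowError(f"unexpected token response: {resp}")
        sleep(interval)


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: replays a scripted
    sequence of responses and records how often it was called."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = 0

    def __call__(self, body):
        if body["grant_type"] != DEVICE_CODE_GRANT:
            raise AssertionError("wrong grant type")
        self.calls += 1
        return self.responses.pop(0)


def demo_run():
    """Pending, slow_down, pending, then success; returns (token, calls, sleeps)."""
    sleeps = []
    endpoint = FakeTokenEndpoint([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"access_token": "constructed-access-token", "token_type": "Bearer",
         "expires_in": 3599},
    ])
    # Constructed /devicecode response; the device code and client ID are placeholders.
    dc = {"device_code": "constructed-device-code", "user_code": "ABCD-EFGH",
          "verification_uri": "https://microsoft.com/devicelogin",
          "expires_in": 900, "interval": 5}
    tok = poll_for_token(dc, "11111111-2222-3333-4444-555555555555", endpoint,
                         sleep=sleeps.append, clock=lambda: 0)
    return tok["access_token"], endpoint.calls, sleeps


if __name__ == "__main__":
    print(demo_run())  # ('constructed-access-token', 4, [5, 10, 10])
```

Two details matter in production: the app must honour the interval (and the slow_down increase) or the endpoint will keep rejecting it, and it must stop at expires_in rather than poll a dead device code forever.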

Though we don't recommend it, the username/password flow (resource owner password credentials) is available in public client applications. This flow is still needed in some scenarios, like DevOps.

Using the username/password flow constrains your applications. For instance, applications can't sign in a user who needs multifactor authentication or who is subject to Conditional Access in Azure AD. Your applications also don't benefit from single sign-on, and the application handles the user's password directly. Authentication with the username/password flow goes against the principles of modern authentication and is provided only for legacy reasons.

In desktop apps, if you want the token cache to persist, you can customize the token cache serialization. By implementing dual token cache serialization, you can use backward-compatible and forward-compatible token caches that also work with previous generations of authentication libraries, specifically Azure AD Authentication Library for .NET (ADAL.NET) versions 3 and 4.

For more information, see Desktop app that calls web APIs.

Mobile app that calls a web API on behalf of an interactive user

Similar to a desktop app, a mobile app calls the interactive token-acquisition methods of MSAL to acquire a token for calling a web API.

Figure: Mobile app that calls web APIs

MSAL iOS and MSAL Android use the system web browser by default. However, you can direct them to use the embedded web view instead. There are specifics that depend on the mobile platform: Universal Windows Platform (UWP), iOS, or Android.

Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. MSAL can now interact with brokers. For more information about brokers, see Leveraging brokers on Android and iOS.

For more information, see Mobile app that calls web APIs.

Note

A mobile app that uses MSAL.iOS, MSAL.Android, or MSAL.NET on Xamarin can have app protection policies applied to it. For instance, the policies might prevent a user from copying protected text. The mobile app is managed by Intune and is recognized by Intune as a managed app. For more information, see Microsoft Intune App SDK overview.

The Intune App SDK is separate from the MSAL libraries and interacts with Azure AD on its own.

Protected web API

You can use the Microsoft identity platform endpoint to secure web services like your app's RESTful web API. A protected web API is called with an access token. The token helps secure the API's data and authenticate incoming requests. The caller of a web API sends the access token as a bearer token in the Authorization header of the HTTP request.

If you want to protect your ASP.NET or ASP.NET Core web API, you need to validate the access token. For this validation, you use the ASP.NET JWT middleware. The validation is done by the IdentityModel extensions for .NET library, not by MSAL.NET.
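The checks behind that middleware, written out as an added example rather than code from the page, from IdentityModel or from MSAL: the function below takes the bearer token out of the Authorization header, pins the accepted signing algorithm before looking at the signature, verifies the signature, and only then checks issuer, audience, validity window and the delegated scope the endpoint needs. Azure AD access tokens are RS256-signed with keys published at the tenant's JWKS endpoint; to run offline, this example assumes an HMAC (HS256) stand-in key, and the issuer, audience and claim values are placeholders.

```python
"""Bearer access token validation for a protected web API.

Added example (not code from the page, IdentityModel or MSAL). Azure AD
tokens are RS256-signed with keys from the tenant's JWKS endpoint; this
offline version assumes an HMAC (HS256) stand-in key, and the issuer and
audience below are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
EXPECTED_AUDIENCE = "api://11111111-2222-3333-4444-555555555555"
STAND_IN_KEY = b"offline-demo-key"   # assumption: stands in for the RS256 public key
ALLOWED_ALGS = {"HS256"}             # a real API pins RS256 here; never accept "none"
CLOCK_SKEW_SECONDS = 300


class TokenValidationError(Exception):
    pass


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def bearer_token_from_header(authorization: str) -> str:
    """Authorization: Bearer <token>; any other scheme is rejected."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenValidationError("missing bearer token")
    return token.strip()


def validate_access_token(token: str, required_scope: str, now=None) -> dict:
    """Return the claims if every check passes; raise otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as e:  # wrong part count, bad base64, bad JSON
        raise TokenValidationError("malformed token") from e
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenValidationError("malformed token")

    # 1. Pin the algorithm before touching the signature: the header is
    #    attacker-controlled until the signature has been verified.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenValidationError(f"disallowed alg {header.get('alg')!r}")

    # 2. Signature over the exact header.payload bytes that were received.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(STAND_IN_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenValidationError("bad signature")

    # 3. Issuer and audience: a valid token minted for another API is still rejected.
    if payload.get("iss") != EXPECTED_ISSUER:
        raise TokenValidationError("unexpected issuer")
    aud = payload.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise TokenValidationError("token not issued for this API")

    # 4. Validity window with a small clock-skew allowance.
    if payload.get("exp", 0) + CLOCK_SKEW_SECONDS < now:
        raise TokenValidationError("token expired")
    if payload.get("nbf", 0) - CLOCK_SKEW_SECONDS > now:
        raise TokenValidationError("token not yet valid")

    # 5. Delegated permission (scp) that this endpoint requires.
    if required_scope not in payload.get("scp", "").split():
        raise TokenValidationError(f"missing scope {required_scope}")
    return payload


def mint_stand_in_token(claims: dict) -> str:
    """Constructs a token under the stand-in key, for offline demonstration only."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(STAND_IN_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

The order of the checks is the point: the algorithm is fixed by the API, not read from the token, the signature is checked before any claim is trusted, and audience is checked so that a token legitimately issued for a different API in the same tenant cannot be replayed against this one.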

For more information, see Protected web API.

Web API that calls another web API on behalf of a user

For your protected web API to call another web API on behalf of a user, your app needs to acquire a token for the downstream web API. Such calls are sometimes referred to as service-to-service calls. Web APIs that call other web APIs need to provide custom cache serialization.

Figure: Web API that calls another web API

For more information, see Web API that calls web APIs.

Daemon app that calls a web API in the daemon's name

Apps that have long-running processes or that operate without user interaction also need a way to access secure web APIs. Such an app can authenticate and get tokens by using the app's own identity. The app proves its identity with a client secret or a certificate.

You can write such daemon apps to acquire a token for the calling app by using the client credential acquisition methods in MSAL. These methods require a client credential that you add to the app registration in Azure AD; the app presents that credential to Azure AD when it requests a token. Examples of such credentials are application passwords (client secrets), certificate assertions, and client assertions.

Figure: Daemon app called by other apps and APIs

For more information, see Daemon application that calls web APIs.

Scenarios and supported authentication flows

You use authentication flows to implement the application scenarios that request tokens. There isn't a one-to-one mapping between application scenarios and authentication flows.

Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flows. For more information, see OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform.

Scenario | Detailed scenario walk-through | OAuth 2.0 flow and grant | Audience
Single-page app (authorization code) | Single-page app | Authorization code with PKCE | Work or school accounts and Azure Active Directory B2C (Azure AD B2C)
Single-page app (implicit) | Single-page app | Implicit | Work or school accounts and Azure AD B2C
Web app that signs in users | Web app that signs in users | Authorization code | Work or school accounts and Azure AD B2C
Web app that signs in users | Web app that calls web APIs | Authorization code | Work or school accounts and Azure AD B2C
Desktop | Desktop app that calls web APIs | Interactive by using authorization code with PKCE | Work or school accounts and Azure AD B2C
Desktop | Desktop app that calls web APIs | Integrated Windows Authentication | Work or school accounts
Desktop | Desktop app that calls web APIs | Resource owner password | Work or school accounts and Azure AD B2C
Browserless application | Desktop app that calls web APIs | Device code | Work or school accounts
Mobile app that calls web APIs | Mobile app that calls web APIs | Interactive by using authorization code with PKCE | Work or school accounts and Azure AD B2C
Mobile app that calls web APIs | Mobile app that calls web APIs | Resource owner password | Work or school accounts and Azure AD B2C
Daemon app that calls web APIs | Daemon app that calls web APIs | Client credentials | App-only permissions that have no user and are used only in Azure AD organizations
Web API that calls web APIs | Web API that calls web APIs | On-behalf-of | Work or school accounts

Scenarios and supported platforms and languages

Microsoft authentication libraries support multiple platforms:

  • JavaScript
  • .NET Framework
  • .NET Core
  • Windows 10/UWP
  • Xamarin.iOS
  • Xamarin.Android
  • Native iOS
  • macOS
  • Native Android
  • Java
  • Python

You can also use various languages to build your applications.

Note

Some application types aren't available on every platform.

In the Windows column of the following table, each time .NET Core is mentioned, .NET Framework is also possible. The latter is omitted to avoid cluttering the table.

Scenario | Windows | Linux | Mac | iOS | Android
Single-page app (authorization code) | MSAL.js | MSAL.js | MSAL.js | MSAL.js | MSAL.js
Single-page app (implicit) | MSAL.js | MSAL.js | MSAL.js | MSAL.js | MSAL.js
Web app that signs in users | ASP.NET Core | ASP.NET Core | ASP.NET Core | | 
Web app that calls web APIs | ASP.NET Core + MSAL.NET; MSAL Java; Flask + MSAL Python | ASP.NET Core + MSAL.NET; MSAL Java; Flask + MSAL Python | ASP.NET Core + MSAL.NET; MSAL Java; Flask + MSAL Python | | 
Desktop app that calls web APIs (including the device code flow) | MSAL.NET (.NET Core); MSAL Java; MSAL Python | MSAL.NET (.NET Core); MSAL Java; MSAL Python | MSAL.NET (.NET Core); MSAL Java; MSAL Python; MSAL.objc (Objective-C or Swift) | | 
Mobile app that calls web APIs | MSAL.NET (UWP) | | | MSAL.NET (Xamarin); MSAL.objc (Objective-C or Swift) | MSAL.NET (Xamarin); MSAL.Android
Daemon app | MSAL.NET (.NET Core); MSAL Java; MSAL Python | MSAL.NET (.NET Core); MSAL Java; MSAL Python | MSAL.NET (.NET Core); MSAL Java; MSAL Python | | 
Web API that calls web APIs | ASP.NET Core + MSAL.NET; MSAL Java; MSAL Python | ASP.NET Core + MSAL.NET; MSAL Java; MSAL Python | ASP.NET Core + MSAL.NET; MSAL Java; MSAL Python | | 

For more information, see Microsoft-supported libraries by OS/language.

Next steps