Authentication vs. authorization

This article defines authentication and authorization. It also briefly covers how you can use the Microsoft identity platform to authenticate and authorize users in your web apps, web APIs, or apps that call protected web APIs. If you see a term you aren't familiar with, try our glossary, which covers basic concepts.

Authentication

Authentication is the process of proving that you are who you say you are. It's sometimes shortened to AuthN. The Microsoft identity platform uses the OpenID Connect protocol for handling authentication.

Authorization

Authorization is the act of granting an authenticated party permission to do something. It specifies what data you're allowed to access and what you can do with that data. Authorization is sometimes shortened to AuthZ. The Microsoft identity platform uses the OAuth 2.0 protocol for handling authorization.

Authentication and authorization using the Microsoft identity platform

Creating apps that each maintain their own username and password information incurs a high administrative burden when adding or removing users across multiple apps. Instead, your apps can delegate that responsibility to a centralized identity provider.

Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as:

  • Conditional Access policies that require a user to be in a specific location.
  • The use of multi-factor authentication, which is sometimes called two-factor authentication or 2FA.

The Microsoft identity platform simplifies authorization and authentication for application developers by providing identity as a service. It supports industry-standard protocols and open-source libraries for different platforms to help you start coding quickly. It allows developers to build applications that sign in all Microsoft identities, get tokens to call Microsoft Graph, access Microsoft APIs, or access other APIs that developers have built.

Here's a comparison of the protocols that the Microsoft identity platform uses:

  • OAuth versus OpenID Connect: The platform uses OAuth for authorization and OpenID Connect (OIDC) for authentication. OpenID Connect is built on top of OAuth 2.0, so the terminology and flow are similar between the two. You can even both authenticate a user (through OpenID Connect) and get authorization to access a protected resource that the user owns (through OAuth 2.0) in one request. For more information, see OAuth 2.0 and OpenID Connect protocols and OpenID Connect protocol.
  • OAuth versus SAML: The platform uses OAuth 2.0 for authorization and SAML for authentication.
  • OpenID Connect versus SAML: The platform uses both OpenID Connect and SAML to authenticate a user and enable single sign-on. SAML authentication is commonly used with identity providers such as Active Directory Federation Services (AD FS) federated to Azure AD, so it's often used in enterprise applications. OpenID Connect is commonly used for apps that are purely in the cloud, such as mobile apps, websites, and web APIs.
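The following Python is an added example, not code from this article or from Microsoft, showing the split the list above draws. One authorization request carrying the "openid" scope asks for authentication (OpenID Connect) and for authorization (OAuth 2.0) together; the ID token that comes back is then checked by the web app to establish who the user is, and the access token is checked by the protected API to decide what that user may do. The tenant, client and API identifiers, the redirect URI, the "Orders.Read" scope and the tokens are constructed for the example; HS256 signing with a shared key stands in for the RS256 signature that real tokens carry, and "scp" is assumed as the claim in which the platform delivers delegated permissions.

```python
"""Authentication (OIDC ID token) versus authorization (OAuth 2.0 access token).

Added example for a web app that delegates sign-in to a centralized identity
provider. Identifiers, URIs, scope names and tokens below are constructed;
HS256 is a stand-in for the provider's RS256 signatures so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed identifiers (assumptions, not real tenants, apps or APIs).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"          # the web app
API_APP_ID_URI = "api://22222222-2222-2222-2222-222222222222"  # the protected API
REDIRECT_URI = "https://localhost:5001/signin-oidc"
# v2.0 endpoint and issuer patterns of the Microsoft identity platform.
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def build_authorization_url(state: str, nonce: str) -> str:
    """One request that authenticates (OIDC) and requests authorization (OAuth 2.0).

    The 'openid' scope turns the OAuth 2.0 authorization-code request into an OpenID
    Connect request, so the token response carries an ID token next to the access
    token. 'state' binds the response to this browser session; 'nonce' is echoed in
    the ID token so a replayed token can be detected.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(["openid", "profile", f"{API_APP_ID_URI}/Orders.Read"]),
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint a compact JWT (HS256 stand-in; real tokens are RS256 and are verified
    against the keys published in the tenant's OpenID Connect metadata document)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes) -> dict:
    """Pin the algorithm and check the signature before trusting any claim."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def authenticate(id_token: str, key: bytes, expected_nonce: str, now: float) -> str:
    """AuthN in the web app: who is the user? Returns the stable subject ('sub').

    The ID token is addressed to this app (aud == CLIENT_ID) and proves identity only;
    it says nothing about what the user may do at an API.
    """
    claims = verify_token(id_token, key)
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token was not issued for this app")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: possible replay")
    return claims["sub"]


def authorize(access_token: str, key: bytes, required_scope: str, now: float) -> bool:
    """AuthZ in the protected API: may this caller perform this operation?

    The access token is addressed to the API (aud == API_APP_ID_URI). Delegated
    permissions the user consented to arrive space-separated in 'scp' (assumed claim).
    An ID token presented here is rejected because its audience is the app, not the API.
    """
    claims = verify_token(access_token, key)
    if claims.get("iss") != ISSUER or claims.get("aud") != API_APP_ID_URI:
        return False
    if claims.get("exp", 0) <= now:
        return False
    return required_scope in set(claims.get("scp", "").split())


def mint_example_tokens(key: bytes, nonce: str, now: float) -> tuple:
    """Constructed tokens standing in for the provider's token response."""
    common = {"iss": ISSUER, "iat": int(now), "exp": int(now) + 3600, "sub": "user-sub-abc123"}
    id_token = sign_token({**common, "aud": CLIENT_ID, "nonce": nonce, "name": "Example User"}, key)
    access_token = sign_token({**common, "aud": API_APP_ID_URI, "scp": "Orders.Read"}, key)
    return id_token, access_token


if __name__ == "__main__":
    key, nonce, now = secrets.token_bytes(32), secrets.token_urlsafe(16), time.time()
    print(build_authorization_url(state=secrets.token_urlsafe(16), nonce=nonce))
    id_token, access_token = mint_example_tokens(key, nonce, now)
    print("authenticated subject:", authenticate(id_token, key, nonce, now))
    print("Orders.Read allowed:", authorize(access_token, key, "Orders.Read", now))
    print("Orders.Write allowed:", authorize(access_token, key, "Orders.Write", now))
    print("ID token accepted by the API:", authorize(id_token, key, "Orders.Read", now))
```

The last line of the demo is the check practitioners most often get wrong: an ID token proves who signed in to the app, but an API must refuse it, because its audience is the app, not the API, and it carries no scopes. Keeping the two checks in separate functions with separate audiences makes that distinction mechanical rather than a matter of convention.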

Next steps

For other topics that cover authentication and authorization basics, see the following resources:

  • To learn how access tokens, refresh tokens, and ID tokens are used in authorization and authentication, see Security tokens.
  • To learn about the process of registering your application so it can integrate with the Microsoft identity platform, see Application model.