授权代理 (Android)Authorization agents (Android)

本文介绍 Microsoft 身份验证库 (MSAL) 允许应用使用的不同授权代理,以及如何启用这些代理。This article describes the different authorization agents that the Microsoft Authentication Library (MSAL) allows your app to use and how to enable them.

为授权代理选择特定的策略属于可选操作,这是应用可以自定义的附加功能。Choosing a specific strategy for authorization agents is optional and represents additional functionality apps can customize. 大多数应用使用 MSAL 默认设置(有关各项默认设置,请参阅了解 Android MSAL 配置文件)。Most apps will use the MSAL defaults (see Understand the Android MSAL configuration file to see the various defaults).

MSAL 支持使用 WebView 或系统浏览器授权。MSAL supports authorization using a WebView, or the system browser. 下图显示了使用 WebView 或使用包含或不包含自定义标签页的系统浏览器进行授权的大致形式:The image below shows how it looks using the WebView, or the system browser with CustomTabs or without CustomTabs:

MSAL 登录示例

单一登录的含义Single sign-in implications

默认情况下,与 MSAL 集成的应用程序使用系统浏览器的自定义标签页进行授权。By default, applications integrated with MSAL use the system browser's Custom Tabs to authorize. 与 WebView 不同,自定义标签页与默认系统浏览器共享 Cookie jar,可以减少与自定义标签页集成的 Web 应用或其他本机应用中的登录次数。Unlike WebViews, Custom Tabs share a cookie jar with the default system browser enabling fewer sign-ins with web or other native apps that have integrated with Custom Tabs.

如果应用程序使用 WebView 策略但未在应用中集成 Microsoft Authenticator 或公司门户支持,则用户在整个设备上或者在本机应用与 Web 应用之间无法获得单一登录 (SSO) 体验。If the application uses a WebView strategy without integrating Microsoft Authenticator or Company Portal support into their app, users won't have a Single Sign On (SSO) experience across the device or between native apps and web apps.

如果应用程序使用支持 Microsoft Authenticator 或公司门户的 MSAL,并且用户在某个应用中具有有效的登录名,则用户可以获得跨应用程序的 SSO 体验。If the application uses MSAL with Microsoft Authenticator or Company Portal support, then users can have a SSO experience across applications if the user has an active sign-in with one of the apps.


若要使用应用中 WebView,请在传递给 MSAL 的应用配置 JSON 中添加以下行:To use the in-app WebView, put the following line in the app configuration JSON that is passed to MSAL:

"authorization_user_agent" : "WEBVIEW"

使用应用中 WebView 时,用户可以直接登录到应用。When using the in-app WebView, the user signs in directly to the app. 令牌保留在应用的沙盒内部,不能在应用 Cookie jar 的外部使用。The tokens are kept inside the sandbox of the app and aren't available outside the app's cookie jar. 因此,除非应用与 Authenticator 或公司门户集成,否则用户无法获得跨应用程序的 SSO 体验。As a result, the user can't have a SSO experience across applications unless the apps integrate with the Authenticator or Company Portal.

但是,WebView 确实提供用于自定义登录 UI 外观的功能。However, WebView does provide the capability to customize the look and feel for sign-in UI. 有关如何进行这种自定义的详细信息,请参阅 Android WebViewSee Android WebViews for more about how to do this customization.

默认浏览器加上自定义标签页Default browser plus custom tabs

MSAL 默认使用浏览器和自定义标签页策略。By default, MSAL uses the browser and a custom tabs strategy. 可以在自定义配置文件中使用以下 JSON 配置显式指定此策略,以防将来的版本对 DEFAULT 做出更改:You can explicitly indicate this strategy to prevent changes in future releases to DEFAULT by using the following JSON configuration in the custom configuration file:

"authorization_user_agent" : "BROWSER"

使用此方法可通过设备的浏览器提供 SSO 体验。Use this approach to provide a SSO experience through the device's browser. MSAL 使用共享的 Cookie jar,使其他本机应用或 Web 应用能够使用 MSAL 设置的持久会话 Cookie 在设备上实现 SSO。MSAL uses a shared cookie jar, which allows other native apps or web apps to achieve SSO on the device by using the persist session cookie set by MSAL.

浏览器选择试探法Browser selection heuristic

由于 MSAL 无法指定可在众多 Android 手机上使用的确切浏览器包,因此 MSAL 实施浏览器选择试探法,以尝试提供最佳的跨设备 SSO。Because it's impossible for MSAL to specify the exact browser package to use on each of the broad array of Android phones, MSAL implements a browser selection heuristic that tries to provide the best cross-device SSO.

MSAL 将检索设备上安装的浏览器的完整列表,以选择要使用的浏览器。MSAL retrieves the full list of browsers installed on the device to select which browser to use. 该列表由包管理器按顺序(间接反映了用户的偏好)返回。The list is in the order returned by the package manager, which indirectly reflects the user's preferences. 例如,如果已设置默认浏览器,则它是列表中的第一个条目。For example, the default browser, if set, is the first entry in the list. 始终会选择列表中的第一个浏览器,无论它是否支持自定义标签页。The first browser in the list will be chosen regardless of whether it supports custom tabs. 如果浏览器支持自定义标签页,MSAL 将启动自定义标签页。自定义标签页的外观更接近应用中 WebView,允许基本的 UI 自定义。If the browser supports Custom Tabs, MSAL will launch the Custom Tab. Custom Tabs have a look and feel closer to an in-app WebView and allow basic UI customization. 有关详细信息,请参阅 Android 中的自定义标签页See Custom Tabs in Android to learn more.

如果设备上没有浏览器包,MSAL 将使用应用中 WebViewIf there are no browser packages on the device, MSAL uses the in-app WebView.

浏览器列表中的浏览器顺序取决于操作系统。The order of browsers in the browser list is determined by the operating system. 该列表按从高到低的优先顺序排列。It is in order from most preferred to least. 如果设备默认设置未更改,则每次登录时应启动同一浏览器,以确保提供 SSO 体验。If the device default setting isn't changed, the same browser should be launched for each sign in to ensure a SSO experience.


如果将另一个浏览器设置为默认浏览器,MSAL 将不再优先使用 Chrome。MSAL no longer always prefers Chrome if another browser is set as default. 例如,在同时预装有 Chrome 和另一浏览器的设备上,MSAL 将使用用户设置的默认浏览器。For example, on a device which has both Chrome and another browser pre-installed, MSAL will use the browser the user has set as the default.

已测试的浏览器Tested Browsers

我们已对以下浏览器进行测试,以确定它们是否可以正确重定向到配置文件中指定的 "redirect_uri"The following browsers have been tested to see if they correctly redirect to the "redirect_uri" specified in the configuration file:

设备Device 内置浏览器Built-in Browser ChromeChrome OperaOpera Microsoft EdgeMicrosoft Edge UC 浏览器UC Browser FirefoxFirefox
Nexus 4 (API 17)Nexus 4 (API 17) 通过pass 通过pass 不适用not applicable 不适用not applicable 不适用not applicable 不适用not applicable
Samsung S7 (API 25)Samsung S7 (API 25) 通过*pass* 通过pass 通过pass 通过pass 失败fail 通过pass
Huawei (API 26)Huawei (API 26) 通过**pass** 通过pass 失败fail 通过pass 通过pass 通过pass
Vivo (API 26)Vivo (API 26) 通过pass 通过pass 通过pass 通过pass 通过pass 失败fail
Pixel 2 (API 26)Pixel 2 (API 26) 通过pass 通过pass 通过pass 通过pass 失败fail 通过pass
OppoOppo 通过pass 不适用***not applicable*** 不适用not applicable 不适用not applicable 不适用not applicable 不适用not applicable
OnePlus (API 25)OnePlus (API 25) 通过pass 通过pass 通过pass 通过pass 失败fail 通过pass
Nexus (API 28)Nexus (API 28) 通过pass 通过pass 通过pass 通过pass 失败fail 通过pass
MIMI 通过pass 通过pass 通过pass 通过pass 失败fail 通过pass

*Samsung 的内置浏览器为 Samsung Internet。*Samsung's built-in browser is Samsung Internet.
**Huawei 的内置浏览器为 Huawei Browser。**Huawei's built-in browser is Huawei Browser.
***无法在 Oppo 设备设置中更改默认浏览器。***The default browser can't be changed inside the Oppo device setting.