Microsoft identity platform developer glossary

This article contains definitions for some of the core developer concepts and terminology, which are helpful when learning about application development using the Microsoft identity platform.

access token

A type of security token issued by an authorization server, and used by a client application in order to access a protected resource server. Typically in the form of a JSON Web Token (JWT), the token embodies the authorization granted to the client by the resource owner, for a requested level of access. The token contains all applicable claims about the subject, enabling the client application to use it as a form of credential when accessing a given resource. This also eliminates the need for the resource owner to expose credentials to the client.

Access tokens are sometimes referred to as "User+App" or "App-Only", depending on the credentials being represented. For example, when a client application uses the:

  • "Authorization code" authorization grant, the end user authenticates first as the resource owner, delegating authorization to the client to access the resource. The client authenticates afterward when obtaining the access token. The token can sometimes be referred to more specifically as a "User+App" token, as it represents both the user that authorized the client application, and the application.
  • "Client credentials" authorization grant, the client provides the sole authentication, functioning without the resource owner's authentication/authorization, so the token can sometimes be referred to as an "App-Only" token.

See Microsoft identity platform Token Reference for more details.

application ID (client ID)

The unique identifier Azure AD issues to an application registration that identifies a specific application and the associated configurations. This application ID (client ID) is used when performing authentication requests and is provided to the authentication libraries at development time. The application ID (client ID) is not a secret.

application manifest

A feature provided by the Azure portal, which produces a JSON representation of the application's identity configuration, used as a mechanism for updating its associated Application and ServicePrincipal entities. See Understanding the Azure Active Directory application manifest for more details.

application object

When you register/update an application in the Azure portal, the portal creates/updates both an application object and a corresponding service principal object for that tenant. The application object defines the application's identity configuration globally (across all tenants where it has access), providing a template from which its corresponding service principal object(s) are derived for use locally at run-time (in a specific tenant).

For more information, see Application and Service Principal Objects.

application registration

In order to allow an application to integrate with and delegate Identity and Access Management functions to Azure AD, it must be registered with an Azure AD tenant. When you register your application with Azure AD, you are providing an identity configuration for your application, allowing it to integrate with Azure AD and use features such as:

See Integrating applications with Azure Active Directory for more details.

authentication

The act of challenging a party for legitimate credentials, providing the basis for creation of a security principal to be used for identity and access control. During an OAuth2 authorization grant, for example, the party authenticating is filling the role of either resource owner or client application, depending on the grant used.

authorization

The act of granting an authenticated security principal permission to do something. There are two primary use cases in the Azure AD programming model:

authorization code

A short-lived "token" provided to a client application by the authorization endpoint, as part of the "authorization code" flow, one of the four OAuth2 authorization grants. The code is returned to the client application in response to authentication of a resource owner, indicating the resource owner has delegated authorization to access the requested resources. As part of the flow, the code is later redeemed for an access token.

authorization endpoint

One of the endpoints implemented by the authorization server, used to interact with the resource owner in order to provide an authorization grant during an OAuth2 authorization grant flow. Depending on the authorization grant flow used, the actual grant provided can vary, including an authorization code or security token.

See the OAuth2 specification's authorization grant types and authorization endpoint sections, and the OpenID Connect specification for more details.

authorization grant

A credential representing the resource owner's authorization to access its protected resources, granted to a client application. A client application can use one of the four grant types defined by the OAuth2 Authorization Framework to obtain a grant, depending on client type/requirements: "authorization code grant", "client credentials grant", "implicit grant", and "resource owner password credentials grant". The credential returned to the client is either an access token, or an authorization code (exchanged later for an access token), depending on the type of authorization grant used.

authorization server

As defined by the OAuth2 Authorization Framework, the server responsible for issuing access tokens to the client after successfully authenticating the resource owner and obtaining its authorization. A client application interacts with the authorization server at runtime via its authorization and token endpoints, in accordance with the OAuth2-defined authorization grants.

In the case of Microsoft identity platform application integration, the Microsoft identity platform implements the authorization server role for Azure AD applications and Microsoft service APIs, for example the Microsoft Graph APIs.

claim

A security token contains claims, which provide assertions about one entity (such as a client application or resource owner) to another entity (such as the resource server). Claims are name/value pairs that relay facts about the token subject (for example, the security principal that was authenticated by the authorization server). The claims present in a given token are dependent upon several variables, including the type of token, the type of credential used to authenticate the subject, the application configuration, etc.

See Microsoft identity platform token reference for more details.

client application

As defined by the OAuth2 Authorization Framework, an application that makes protected resource requests on behalf of the resource owner. The term "client" does not imply any particular hardware implementation characteristics (for instance, whether the application executes on a server, a desktop, or other devices).

A client application requests authorization from a resource owner to participate in an OAuth2 authorization grant flow, and may access APIs/data on the resource owner's behalf. The OAuth2 Authorization Framework defines two types of clients, "confidential" and "public", based on the client's ability to maintain the confidentiality of its credentials. Applications can implement a web client (confidential) which runs on a web server, a native client (public) installed on a device, or a user-agent-based client (public) which runs in a device's browser.

consent

The process of a resource owner granting authorization to a client application, to access protected resources under specific permissions, on behalf of the resource owner. Depending on the permissions requested by the client, an administrator or user will be asked for consent to allow access to their organization/individual data respectively. Note that in a multi-tenant scenario, the application's service principal is also recorded in the tenant of the consenting user.

See consent framework for more information.

ID token

An OpenID Connect security token provided by an authorization server's authorization endpoint, which contains claims pertaining to the authentication of an end user resource owner. Like an access token, ID tokens are also represented as a digitally signed JSON Web Token (JWT). Unlike an access token, though, an ID token's claims are not used for purposes related to resource access, and specifically not for access control.

See Microsoft identity platform token reference for more details.

Microsoft identity platform

The Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) identity service and developer platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft Graph, other Microsoft APIs, or APIs that developers have built. It is a full-featured platform that consists of an authentication service, libraries, application registration and configuration, full developer documentation, code samples, and other developer content. The Microsoft identity platform supports industry standard protocols such as OAuth 2.0 and OpenID Connect. See About Microsoft identity platform for more details.

multi-tenant application

A class of application that enables sign-in and consent by users provisioned in any Azure AD tenant, including tenants other than the one where the client is registered. Native client applications are multi-tenant by default, whereas web client and web resource/API applications have the ability to select between single or multi-tenant. By contrast, a web application registered as single-tenant would only allow sign-ins from user accounts provisioned in the same tenant as the one where the application is registered.

See How to sign in any Azure AD user using the multi-tenant application pattern for more details.

native client

A type of client application that is installed natively on a device. Since all code is executed on the device, it is considered a "public" client due to its inability to store credentials privately/confidentially. See OAuth2 client types and profiles for more details.

permissions

A client application gains access to a resource server by declaring permission requests. Two types are available:

They also surface during the consent process, giving the administrator or resource owner the opportunity to grant/deny the client access to resources in their tenant.

Permission requests are configured on the API permissions page for an application in the Azure portal, by selecting the desired "Delegated Permissions" and "Application Permissions" (the latter requires membership in the Global Admin role). Because a public client can't securely maintain credentials, it can only request delegated permissions, while a confidential client has the ability to request both delegated and application permissions. The client's application object stores the declared permissions in its requiredResourceAccess property.

resource owner

As defined by the OAuth2 Authorization Framework, an entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end user. For example, when a client application wants to access a user's mailbox through the Microsoft Graph API, it requires permission from the resource owner of the mailbox.

resource server

As defined by the OAuth2 Authorization Framework, a server that hosts protected resources, capable of accepting and responding to protected resource requests by client applications that present an access token. Also known as a protected resource server, or resource application.

A resource server exposes APIs and enforces access to its protected resources through scopes and roles, using the OAuth 2.0 Authorization Framework. Examples include the Azure AD Graph API, which provides access to Azure AD tenant data, and the Office 365 APIs, which provide access to data such as mail and calendar. Both of these are also accessible via the Microsoft Graph API.

Just like a client application, a resource application's identity configuration is established via registration in an Azure AD tenant, providing both the application and service principal object. Some Microsoft-provided APIs, such as the Azure AD Graph API, have pre-registered service principals made available in all tenants during provisioning.

roles

Like scopes, roles provide a way for a resource server to govern access to its protected resources. There are two types: a "user" role implements role-based access control for users/groups that require access to the resource, while an "application" role implements the same for client applications that require access.

Roles are resource-defined strings (for example "Expense approver", "Read-only", "Directory.ReadWrite.All"), managed in the Azure portal via the resource's application manifest, and stored in the resource's appRoles property. The Azure portal is also used to assign users to "user" roles, and to configure client application permissions to access an "application" role.

For a detailed discussion of the application roles exposed by Azure AD's Graph API, see Graph API Permission Scopes. For a step-by-step implementation example, see Manage access using RBAC and the Azure portal.

scopes

Like roles, scopes provide a way for a resource server to govern access to its protected resources. Scopes are used to implement scope-based access control, for a client application that has been given delegated access to the resource by its owner.

Scopes are resource-defined strings (for example "Mail.Read", "Directory.ReadWrite.All"), managed in the Azure portal via the resource's application manifest, and stored in the resource's oauth2Permissions property. The Azure portal is also used to configure client application delegated permissions to access a scope.

A best-practice naming convention is to use a "resource.operation.constraint" format. For a detailed discussion of the scopes exposed by Azure AD's Graph API, see Graph API Permission Scopes. For scopes exposed by Office 365 services, see Office 365 API permissions reference.
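An added example (not from this article or from Microsoft's libraries) of the resource-server side of the access token, roles and scopes entries above: telling a "User+App" token from an "App-Only" token and applying scope-based or role-based access control accordingly. It assumes the Azure AD claim names scp (delegated scopes), roles (application roles) and aud (audience), a placeholder resource application ID, and that signature, issuer and expiry validation have already been done before the claims reach this code.

```python
import base64
import json

# Constructed placeholder for the resource server's application ID (client ID);
# the glossary shows no real value, so this is not a real Azure AD identifier.
RESOURCE_APP_ID = "00000000-0000-0000-0000-000000000001"


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used by compact JWTs."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demonstration only. The signature
    segment is a constructed placeholder, not a real RS256 signature."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def decode_claims(token: str) -> dict:
    """Split a compact JWT and decode its payload. This performs NO signature,
    issuer or expiry validation: a resource server must validate the token
    against the authorization server's published signing keys before any
    claim returned here is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """Classify a validated token the way the glossary describes it.
    Assumption (Azure AD token reference): a delegated "User+App" token carries
    its granted scopes in the 'scp' claim, while an "App-Only" token issued via
    the client credentials grant carries application roles in 'roles' and has
    no 'scp'. A delegated token may also carry 'roles' for the user's own app
    role assignments, so 'scp' is checked first."""
    if "scp" in claims:
        return "User+App"
    if "roles" in claims:
        return "App-Only"
    return "unknown"


def authorize(claims: dict, required_scope: str, required_role: str) -> bool:
    """Resource-server access decision: scope-based control for delegated
    tokens, role-based control for app-only tokens, deny everything else."""
    # The token must have been issued for this resource (audience check).
    if claims.get("aud") != RESOURCE_APP_ID:
        return False
    kind = token_kind(claims)
    if kind == "User+App":
        return required_scope in claims["scp"].split()
    if kind == "App-Only":
        return required_role in claims.get("roles", [])
    return False
```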

security token

A signed document containing claims, such as an OAuth2 token or SAML 2.0 assertion. For an OAuth2 authorization grant, an access token (OAuth2) and an ID token are types of security tokens, both of which are implemented as a JSON Web Token (JWT).

service principal object

When you register/update an application in the Azure portal, the portal creates/updates both an application object and a corresponding service principal object for that tenant. The application object defines the application's identity configuration globally (across all tenants where the associated application has been granted access), and is the template from which its corresponding service principal object(s) are derived for use locally at run-time (in a specific tenant).

For more information, see Application and Service Principal Objects.

sign-in

The process of a client application initiating end-user authentication and capturing related state, for the purpose of acquiring a security token and scoping the application session to that state. State can include artifacts such as user profile information, and information derived from token claims.

The sign-in function of an application is typically used to implement single sign-on (SSO). It may also be preceded by a "sign-up" function, as the entry point for an end user to gain access to an application (upon first sign-in). The sign-up function is used to gather and persist additional state specific to the user, and may require user consent.

sign-out

The process of unauthenticating an end user, detaching the user state associated with the client application session during sign-in.

tenant

An instance of an Azure AD directory is referred to as an Azure AD tenant. It provides several features, including:

  • a registry service for integrated applications
  • authentication of user accounts and registered applications
  • REST endpoints required to support various protocols including OAuth2 and SAML, including the authorization endpoint, token endpoint and the "common" endpoint used by multi-tenant applications.

Azure AD tenants are created/associated with Azure and Office 365 subscriptions during sign-up, providing Identity & Access Management features for the subscription. Azure subscription administrators can also create additional Azure AD tenants via the Azure portal. See How to get an Azure Active Directory tenant for details on the various ways you can get access to a tenant.

token endpoint

One of the endpoints implemented by the authorization server to support OAuth2 authorization grants. Depending on the grant, it can be used to acquire an access token (and related "refresh" token) for a client, or an ID token when used with the OpenID Connect protocol.
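The authorization code exchange that the authorization code, authorization endpoint, token endpoint and tenant "common" endpoint entries describe, as an added example that is not part of the original article and not Microsoft's library code. It assumes the Microsoft identity platform v2.0 endpoint URL shape under login.microsoftonline.com, uses placeholder client IDs and redirect URIs, and adds a PKCE code challenge for public clients, which the glossary itself does not cover.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Microsoft identity platform authority (assumed v2.0 endpoint layout).
AUTHORITY = "https://login.microsoftonline.com"


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method.
    This lets a public client (native or user-agent-based) bind the code
    redemption to itself even though it cannot hold a client secret."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge):
    """Request to the authorization endpoint. 'tenant' is a tenant ID or domain
    for a single-tenant app, or 'common' for a multi-tenant app. The client ID
    is public (not a secret); 'state' is a per-request random value."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # delegated scopes being requested
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the client and return the authorization
    code. The state check binds the callback to the request this client made;
    a mismatch or an error response is rejected before any code is used."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to our request")
    if "error" in q:
        raise ValueError(f"authorization server returned {q['error'][0]}")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(tenant, client_id, redirect_uri, code, code_verifier,
                        client_secret=None):
    """Token endpoint request that redeems the short-lived code for an access
    token. A confidential (web) client adds its client_secret; a public client
    must not, and relies on the PKCE code_verifier instead."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body
```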

user-agent-based client

A type of client application that downloads code from a web server and executes within a user-agent (for instance, a web browser), such as a single-page application (SPA). Since all code is executed on the device, it is considered a "public" client due to its inability to store credentials privately/confidentially. For more information, see OAuth2 client types and profiles.

user principal

Similar to the way a service principal object is used to represent an application instance, a user principal object is another type of security principal, which represents a user. The Azure AD Graph User entity defines the schema for a user object, including user-related properties such as first and last name, user principal name, directory role membership, etc. This provides the user identity configuration for Azure AD to establish a user principal at run-time. The user principal is used to represent an authenticated user for recording consent delegation, making access control decisions, etc.

web client

A type of client application that executes all code on a web server, and is able to function as a "confidential" client by securely storing its credentials on the server. For more information, see OAuth2 client types and profiles.

Next steps

The Microsoft identity platform Developer's Guide is the landing page to use for all Microsoft identity platform development-related topics, including an overview of application integration and the basics of Microsoft identity platform authentication and supported authentication scenarios. You can also find code samples and tutorials on how to get up and running quickly on GitHub.

Use the following comments section to provide feedback and help to refine and shape this content, including requests for new definitions or updating existing ones!