Quickstart: Register an application with the Microsoft identity platform

In this quickstart, you register an app in the Azure portal so the Microsoft identity platform can provide authentication and authorization services for your application and its users.

Each application you want the Microsoft identity platform to perform identity and access management (IAM) for needs to be registered. Whether it's a client application like a web or mobile app, or it's a web API that backs a client app, registering it establishes a trust relationship between your application and the identity provider, the Microsoft identity platform.

Prerequisites

Register an application

Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around.

Follow these steps to create the app registration:

  1. Sign in to the Azure portal.

  2. If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register the application.

  3. Search for and select Azure Active Directory.

  4. Under Manage, select App registrations, then New registration.

  5. Enter a Name for your application. Users of your app might see this name, and you can change it later.

  6. Specify who can use the application, sometimes referred to as the sign-in audience.

    Supported account types and what each one means:

    Accounts in this organizational directory only: Select this option if you're building an application for use only by users (or guests) in your tenant. Often called a line-of-business (LOB) application, this is a single-tenant application in the Microsoft identity platform.

    Accounts in any organizational directory: Select this option if you'd like users in any Azure AD tenant to be able to use your application. This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations. This is known as a multi-tenant application in the Microsoft identity platform.

  7. Don't enter anything for Redirect URI (optional); you'll configure one in the next section.

  8. Select Register to complete the initial app registration.

    Screenshot of the Azure portal in a web browser, showing the Register an application pane.

When registration completes, the Azure portal displays the app registration's Overview pane, which includes its Application (client) ID. Also referred to as just client ID, this value uniquely identifies your application in the Microsoft identity platform.

Your application's code, or more typically an authentication library used in your application, also uses the client ID as one aspect in validating the security tokens it receives from the identity platform.
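As an added example (not code from the Microsoft documentation or from MSAL), the following Python shows the claim checks in which the client ID and tenant ID take part: the audience must equal the app's client ID, the issuer and tid must name the expected tenant, and the lifetime must be current. The IDs and the token are constructed placeholders, the v2.0 issuer format built from the login.partner.microsoftonline.cn host is an assumption, and signature verification against the platform's published signing keys (omitted here) must precede these checks.

```python
import base64
import json

# Constructed placeholders; real values come from the app registration's Overview pane.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
AUTHORITY_HOST = "login.partner.microsoftonline.cn"  # endpoint host used on this page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a JWT-shaped token for the example. The signature is a placeholder:
    real tokens are signed and must be verified against the platform's published
    keys before any claim below is trusted."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def validate_claims(token: str, client_id: str, tenant_id: str, now: int) -> list:
    """Return the checks that failed; an empty list means the claims are acceptable."""
    c = decode_claims(token)
    problems = []
    # Audience: the token must have been issued for this app registration, i.e. its
    # client ID. Accepting a token minted for a different app is token confusion.
    if c.get("aud") != client_id:
        problems.append("aud does not match this app's client ID")
    # Issuer and tenant: v2.0 issuer format assumed as https://<host>/<tenant>/v2.0.
    if c.get("iss") != f"https://{AUTHORITY_HOST}/{tenant_id}/v2.0":
        problems.append("iss is not this tenant's v2.0 issuer")
    if c.get("tid") != tenant_id:
        problems.append("tid does not match the expected tenant")
    # Lifetime: reject tokens presented before nbf or at/after exp.
    exp, nbf = c.get("exp"), c.get("nbf")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("token is expired or has no exp")
    if isinstance(nbf, (int, float)) and now < nbf:
        problems.append("token is not yet valid (nbf)")
    return problems
```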

Screenshot of the Azure portal in a web browser, showing the Register an application pane.

Add a redirect URI

A redirect URI is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.

In a production web application, for example, the redirect URI is often a public endpoint where your app is running, like https://contoso.com/auth-response. During development, it's common to also add the endpoint where you run your app locally, like https://127.0.0.1/auth-response or http://localhost/auth-response.

You add and modify redirect URIs for your registered applications by configuring their platform settings.

Configure platform settings

Settings for each application type, including redirect URIs, are configured in Platform configurations in the Azure portal. Some platforms, like Web and Single-page applications, require you to manually specify a redirect URI. For other platforms, like mobile and desktop, you can select from redirect URIs generated for you when you configure their other settings.

To configure application settings based on the platform or device you're targeting:

  1. Select your application in App registrations in the Azure portal.

  2. Under Manage, select Authentication.

  3. Under Platform configurations, select Add a platform.

  4. In Configure platforms, select the tile for your application type (platform) to configure its settings.

    Screenshot of the Azure portal in a web browser, showing the Configure platforms pane.

    Configuration settings for each platform:

    Web: Enter a Redirect URI for your app, the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. Select this platform for standard web applications that run on a server.

    Single-page application: Enter a Redirect URI for your app, the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. Select this platform if you're building a client-side web app in JavaScript or with a framework like Angular, Vue.js, React.js, or Blazor WebAssembly.

    iOS / macOS: Enter the app Bundle ID, found in Xcode in Info.plist or Build Settings. A redirect URI is generated for you when you specify a Bundle ID.

    Android: Enter the app Package name, which you can find in the AndroidManifest.xml file, and generate and enter the Signature hash. A redirect URI is generated for you when you specify these settings.

    Mobile and desktop applications: Select one of the Suggested redirect URIs or specify a Custom redirect URI. For desktop applications, we recommend:
    https://login.partner.microsoftonline.cn/common/oauth2/nativeclient

    Select this platform for mobile applications that aren't using the latest Microsoft Authentication Library (MSAL) or are not using a broker. Also select this platform for desktop applications.
  5. Select Configure to complete the platform configuration.

Redirect URI restrictions

There are certain restrictions on the format of the redirect URIs you add to an app registration. For details on these restrictions, see Redirect URI (reply URL) restrictions and limitations.

Add credentials

Credentials are used by confidential client applications that access a web API. Examples of confidential clients are web apps, other web APIs, or service- and daemon-type applications. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime.

You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.

Screenshot of the Azure portal in a web browser, showing the Certificates & secrets pane.

Add a certificate

Sometimes called a public key, certificates are the recommended credential type because they provide a higher level of assurance than a client secret.

  1. Select your application in App registrations in the Azure portal.
  2. Select Certificates & secrets > Upload certificate.
  3. Select the file you'd like to upload. It must be one of the following file types: .cer, .pem, .crt.
  4. Select Add.

Add a client secret

The client secret, also known as an application password, is a string value your app can use in place of a certificate to identify itself. It's the easier of the two credential types to use and is often used during development, but it is considered less secure than a certificate. You should use certificates in your applications running in production.

  1. Select your application in App registrations in the Azure portal.
  2. Select Certificates & secrets > New client secret.
  3. Add a description for your client secret.
  4. Select a duration.
  5. Select Add.
  6. Record the secret's value for use in your client application code - it's never displayed again after you leave this page.

Next steps

Client applications typically need to access resources in a web API. In addition to protecting your client application with the Microsoft identity platform, you can use the platform for authorizing scoped, permissions-based access to your web API.

Move on to the next quickstart in the series to create another app registration for your web API and expose its scopes.