Desktop app that calls web APIs: App registration

This article covers the app registration specifics for a desktop application.

Supported account types

The account types supported in a desktop application depend on the experience that you want to light up. Because of this relationship, the supported account types depend on the flows that you want to use.

Audience for interactive token acquisition

If your desktop application uses interactive authentication, you can sign in users from any account type.

Audience for desktop app silent flows

  • To use Integrated Windows Authentication or a username and a password, your application needs to sign in users in your own tenant, for example, if you're a line-of-business (LOB) developer. Or, in Azure Active Directory organizations, your application needs to sign in users in your own tenant if it's an ISV scenario.
  • If you sign in users with social identities that pass a business-to-consumer (B2C) authority and policy, you can only use the interactive and username-password authentication.

Redirect URIs

The redirect URIs to use in a desktop application depend on the flow you want to use.

  • If you use interactive authentication or device code flow, use https://login.partner.microsoftonline.cn/common/oauth2/nativeclient. To achieve this configuration, select the corresponding URL in the Authentication section for your application.

    Important

    Using https://login.partner.microsoftonline.cn/common/oauth2/nativeclient as the redirect URI is recommended as a security best practice. If no redirect URI is specified, MSAL.NET uses urn:ietf:wg:oauth:2.0:oob by default, which is not recommended. This default will be updated as a breaking change in the next major release.

  • If you build a native Objective-C or Swift app for macOS, register the redirect URI based on your application's bundle identifier in the following format: msauth.<your.app.bundle.id>://auth. Replace <your.app.bundle.id> with your application's bundle identifier.

  • If your app uses only Integrated Windows Authentication or a username and a password, you don't need to register a redirect URI for your application. These flows do a round trip to the Microsoft identity platform v2.0 endpoint, and your application won't be called back on any specific URI.

  • Device code flow, Integrated Windows Authentication, and the username-password flow require no redirect URI, and neither does the client credentials flow used by daemon applications, which are confidential clients. To distinguish your application from a confidential client, configure it as a public client application. To achieve this configuration:

    1. In the Azure portal, select your app in App registrations, and then select Authentication.

    2. In Advanced settings > Allow public client flows > Enable the following mobile and desktop flows:, select Yes.

      (Screenshot: Enable the public client setting on the Authentication pane in the Azure portal)

API permissions

Desktop applications call APIs for the signed-in user, so they need to request delegated permissions. They can't request application permissions, which are handled only in daemon applications.
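The registration choices above (an explicit nativeclient redirect URI instead of MSAL.NET's urn:ietf:wg:oauth:2.0:oob default, public client flows enabled so that device code flow works, and delegated rather than application permissions) expressed on the client side with MSAL.NET. This is an added example, not code from the article or from Microsoft. The client ID and tenant ID are placeholders, the User.Read scope is an assumed delegated permission, and the interactive call assumes MSAL.NET's embedded web view on Windows, which is where the .../oauth2/nativeclient redirect URI applies.

```csharp
// Added example (not from the original article): an MSAL.NET public client
// whose settings match the app registration described above.
// Assumptions: placeholder client/tenant IDs, the Azure China cloud
// (login.partner.microsoftonline.cn) as in the article, and the embedded
// web view on Windows for the interactive flow.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class DesktopAuth
{
    // Placeholders: replace with the values from your own app registration.
    private const string ClientId = "<your-client-id>";
    private const string TenantId = "<your-tenant-id>";

    // Set the redirect URI explicitly so the app never falls back to the
    // urn:ietf:wg:oauth:2.0:oob default that the article advises against.
    private const string RedirectUri =
        "https://login.partner.microsoftonline.cn/common/oauth2/nativeclient";

    // Delegated permissions only: a desktop app acts on behalf of the
    // signed-in user and cannot request application permissions.
    private static readonly string[] Scopes = { "User.Read" }; // assumed scope

    public static IPublicClientApplication BuildApp()
    {
        return PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzureChina, TenantId)
            .WithRedirectUri(RedirectUri)
            .Build();
    }

    // Interactive flow: any account type can sign in.
    public static async Task<AuthenticationResult> SignInInteractiveAsync(
        IPublicClientApplication app)
    {
        return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
    }

    // Device code flow: needs "Allow public client flows" set to Yes in the
    // Authentication pane; the user finishes sign-in on another device.
    public static async Task<AuthenticationResult> SignInWithDeviceCodeAsync(
        IPublicClientApplication app)
    {
        return await app.AcquireTokenWithDeviceCode(Scopes, deviceCodeResult =>
        {
            // Present the verification URL and one-time code to the user.
            Console.WriteLine(deviceCodeResult.Message);
            return Task.CompletedTask;
        }).ExecuteAsync();
    }

    // Silent path first: reuse the cached account and only fall back to an
    // interactive prompt when MSAL cannot satisfy the request from its cache.
    public static async Task<AuthenticationResult> GetTokenAsync(
        IPublicClientApplication app)
    {
        var accounts = await app.GetAccountsAsync();
        try
        {
            return await app.AcquireTokenSilent(Scopes, accounts.FirstOrDefault())
                            .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            return await SignInInteractiveAsync(app);
        }
    }
}
```

GetTokenAsync is the call a desktop app should make on each API request: it returns a cached or refreshed token without prompting whenever it can, and only shows UI when the identity platform requires it. If the registration does not have public client flows enabled, SignInWithDeviceCodeAsync is rejected by the identity platform because the request carries no client secret, which is the registration setting the numbered steps above turn on.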

Next steps

Move on to the next article in this scenario, App code configuration.