Desktop app that calls web APIs: App registration

This article covers the app registration specifics for a desktop application.

Supported account types

The account types supported in a desktop application depend on the experience that you want to enable and, because of that, on the flows that you want to use.

Audience for interactive token acquisition

If your desktop application uses interactive authentication, you can sign in users from any account type.

Audience for desktop app silent flows

  • To use Integrated Windows Authentication or a username and a password, your application needs to sign in users from your own tenant (for example, if you're a line-of-business (LOB) developer) or, in the ISV scenario, from Azure Active Directory organizations. These are work or school accounts; these flows don't apply to personal Microsoft accounts.
  • If you sign in users with social identities by passing a business-to-consumer (B2C) authority and policy, you can use only interactive and username-password authentication.

Redirect URIs

The redirect URIs to use in a desktop application depend on the flow you want to use.

  • If you use interactive authentication or device code flow, use https://login.partner.microsoftonline.cn/common/oauth2/nativeclient. To achieve this configuration, select the corresponding URL in the Authentication section for your application.

    Important

    Today, MSAL.NET uses a different redirect URI by default in desktop applications that run on Windows (urn:ietf:wg:oauth:2.0:oob). This default will change in the future, so we recommend that you register, and explicitly configure in your code, https://login.partner.microsoftonline.cn/common/oauth2/nativeclient rather than relying on the default.

  • If you build a native Objective-C or Swift app for macOS, register the redirect URI based on your application's bundle identifier in the following format: msauth.<your.app.bundle.id>://auth. Replace <your.app.bundle.id> with your application's bundle identifier.

  • If your app uses only Integrated Windows Authentication or a username and a password, you don't need to register a redirect URI for your application. These flows do a round trip to the Microsoft identity platform v2.0 endpoint; your application won't be called back on any specific URI.

  • To distinguish device code flow, Integrated Windows Authentication, and username-password authentication from the confidential client flow that has no redirect URI either (the client credentials flow used in daemon applications), you need to state that your application is a public client application. To achieve this configuration, go to the Authentication section for your application. In the Advanced settings subsection, under Default client type, select Yes for Treat application as a public client.

    (Screenshot: Allow public client)

API permissions

Desktop applications call APIs on behalf of the signed-in user, so they request delegated permissions. They can't request application permissions, which are available only to daemon applications (confidential clients that authenticate with their own credentials, something a desktop app installed on a user's machine cannot keep secret).
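The following is an added example, not code from the original article or from the MSAL.NET project. It shows an MSAL.NET public client whose settings mirror the registration described in the Redirect URIs section (the nativeclient redirect URI, set explicitly instead of relying on the default, and the public-client flag that Integrated Windows Authentication and device code flow depend on) and in this API permissions section (only a delegated scope is ever requested). The client ID, tenant name and `api://.../access_as_user` scope are placeholders to replace with the values of your own registration. It assumes the .NET Framework embedded browser; on .NET Core, MSAL.NET opens the system browser and the registration needs `http://localhost` as a redirect URI instead.

```csharp
// Added example (not from the original article or the MSAL.NET project).
// Client configuration that mirrors the app registration described above.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class DesktopClient
{
    // Placeholders (assumed values): replace with your own registration's client ID and tenant.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string TenantId = "contoso.partner.onmschina.cn";

    // Must match the redirect URI registered under Authentication. Set it explicitly
    // rather than relying on the MSAL.NET default (urn:ietf:wg:oauth:2.0:oob), which
    // the article says will change.
    private const string RedirectUri =
        "https://login.partner.microsoftonline.cn/common/oauth2/nativeclient";

    // Delegated permission on your own web API (placeholder scope). A desktop app only
    // requests delegated scopes; "<resource>/.default" with client credentials is an
    // application-permission request and belongs in a daemon (confidential client).
    private static readonly string[] Scopes =
        { "api://11111111-1111-1111-1111-111111111111/access_as_user" };

    public static IPublicClientApplication BuildApp()
    {
        return PublicClientApplicationBuilder.Create(ClientId)
            // The endpoints in this article belong to the Azure China cloud;
            // use AzureCloudInstance.AzurePublic for the global cloud.
            .WithAuthority(AzureCloudInstance.AzureChina, TenantId)
            .WithRedirectUri(RedirectUri)
            .Build();
    }

    // Interactive sign-in: try the token cache first, fall back to the browser. The browser
    // lands on RedirectUri, so it must equal the registered value or the request fails.
    public static async Task<AuthenticationResult> SignInAsync(IPublicClientApplication app)
    {
        var accounts = await app.GetAccountsAsync();
        try
        {
            return await app.AcquireTokenSilent(Scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    // Device code flow: same nativeclient registration, and the registration must be
    // marked as a public client. The user completes sign-in on another device.
    public static Task<AuthenticationResult> SignInWithDeviceCodeAsync(IPublicClientApplication app)
    {
        return app.AcquireTokenWithDeviceCode(Scopes, deviceCode =>
        {
            Console.WriteLine(deviceCode.Message); // tells the user where to enter the code
            return Task.CompletedTask;
        }).ExecuteAsync();
    }

    // Integrated Windows Authentication: a round trip to the endpoint with no redirect URI.
    // Requires "Treat application as a public client" = Yes in the registration and a
    // tenant-specific authority (users of your own tenant only, as described above).
    public static Task<AuthenticationResult> SignInWithIntegratedWindowsAuthAsync(IPublicClientApplication app)
    {
        return app.AcquireTokenByIntegratedWindowsAuth(Scopes).ExecuteAsync();
    }

    public static async Task Main()
    {
        var app = BuildApp();
        var result = await SignInAsync(app);
        // Never log the access token itself; the account and expiry are enough for diagnostics.
        Console.WriteLine($"Signed in {result.Account.Username}, token expires {result.ExpiresOn:u}");
    }
}
```

If the interactive call fails with a redirect URI mismatch error from the authority, compare the value passed to WithRedirectUri with the list under Authentication in the registration; if AcquireTokenByIntegratedWindowsAuth fails for every user, check that the registration's Default client type is set to public client and that the authority names your tenant rather than common.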

Next steps