Register mobile apps that call web APIs

This article contains instructions to help you register a mobile application that you're creating.

Supported account types

The account types that your mobile application supports depend on the experience that you want to enable and the flows that you want to use.

Audience for interactive token acquisition

Most mobile applications use interactive authentication. If your app uses this form of authentication, you can sign in users from any account type.

Audience for Integrated Windows authentication, username-password, and B2C

If you have a Universal Windows Platform (UWP) app, you can use Integrated Windows authentication to sign in users. To use Integrated Windows authentication or username-password authentication, your application needs to sign in users in your own line-of-business (LOB) developer tenant. In an independent software vendor (ISV) scenario, your application can sign in users in Azure Active Directory organizations.

You can also sign in users by using social identities that pass a B2C authority and policy. To use this method, you can use only interactive authentication and username-password authentication. Username-password authentication is currently supported only on Xamarin.iOS, Xamarin.Android, and UWP.

For more information, see Scenarios and supported authentication flows and Scenarios and supported platforms and languages.

Platform configuration and redirect URIs

Interactive authentication

When you build a mobile app that uses interactive authentication, the most critical registration step is the redirect URI. You can set up interactive authentication through the platform configuration on the Authentication blade.

This experience enables your app to get single sign-on (SSO) through Microsoft Authenticator (and Intune Company Portal on Android). It also supports device management policies.

The app registration portal provides a preview experience to help you compute the brokered reply URI for iOS and Android applications:

  1. In the app registration portal, select Authentication > Try out the new experience.

    Screenshot: Authentication blade, where you can select the new experience

  2. Select Add a platform.

    Screenshot: Add a platform

  3. When the list of supported platforms appears, select iOS.

    Screenshot: Select mobile application

  4. Enter your bundle ID, and then select Register.

    Screenshot: Enter bundle ID

When you complete these steps, the redirect URI is computed for you, as in the following image.

Screenshot: Generated redirect URI

If you prefer to configure the redirect URI manually, you can do so through the application manifest. Here's the recommended format for the manifest:

  • iOS: msauth.<BUNDLE_ID>://auth
    • For example, enter msauth.com.yourcompany.appName://auth
  • Android: msauth://<PACKAGE_NAME>/<SIGNATURE_HASH>
    • You can generate the Android signature hash from the release key or the debug key by using the KeyTool command.
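The following Python is an added example, not Microsoft's or MSAL's own code. It builds the two redirect URI formats listed above and checks a registered Android redirect URI against the certificate the app is actually signed with, which catches the common mistake of leaving a debug-key hash in a production registration. It assumes that the Android signature hash is the base64 encoding of the SHA-1 digest of the DER-encoded signing certificate (the value the KeyTool and OpenSSL pipeline prints) and that the hash is percent-encoded inside the URI because base64 output can contain "/", "+" and "="; the certificate bytes below are constructed placeholder data, not a real certificate.

```python
"""Build and verify MSAL broker redirect URIs for iOS and Android.

Added example, not Microsoft's code. Assumptions (not stated on the page):
  * the Android signature hash is base64(SHA-1(DER certificate)),
  * the hash is percent-encoded when it is placed inside the redirect URI.
"""
import base64
import hashlib
import re
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# Constructed placeholder standing in for the DER bytes of a signing
# certificate; a real value comes from `keytool -exportcert`.
SAMPLE_CERT_DER = b"abc"


def android_signature_hash(cert_der: bytes) -> str:
    """Return base64(SHA-1(cert_der)), the hash KeyTool/OpenSSL would print."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def android_redirect_uri(package_name: str, signature_hash: str) -> str:
    """msauth://<PACKAGE_NAME>/<SIGNATURE_HASH>, with the hash percent-encoded."""
    return f"msauth://{package_name}/{quote(signature_hash, safe='')}"


def ios_redirect_uri(bundle_id: str) -> str:
    """msauth.<BUNDLE_ID>://auth"""
    return f"msauth.{bundle_id}://auth"


_IOS_RE = re.compile(r"^msauth\.(?P<bundle>[A-Za-z0-9.\-]+)://auth$")
_ANDROID_RE = re.compile(r"^msauth://(?P<package>[A-Za-z0-9_.]+)/(?P<hash>[A-Za-z0-9%]+)$")


def parse_redirect_uri(uri: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Classify a redirect URI as ('ios', bundle, None), ('android', package, hash)
    or None when it matches neither documented shape."""
    m = _IOS_RE.match(uri)
    if m:
        return ("ios", m.group("bundle"), None)
    m = _ANDROID_RE.match(uri)
    if m:
        return ("android", m.group("package"), unquote(m.group("hash")))
    return None


def matches_signing_key(registered_uri: str, package_name: str, cert_der: bytes) -> bool:
    """True only if the registered Android URI names this package and carries the
    hash of this certificate; a mismatch means broker SSO will fail, or that the
    registration still points at a different (for example debug) signing key."""
    parsed = parse_redirect_uri(registered_uri)
    if parsed is None or parsed[0] != "android":
        return False
    _, package, sig_hash = parsed
    return package == package_name and sig_hash == android_signature_hash(cert_der)


if __name__ == "__main__":
    sig = android_signature_hash(SAMPLE_CERT_DER)
    uri = android_redirect_uri("com.example.app", sig)
    print("Android:", uri)
    print("iOS:    ", ios_redirect_uri("com.yourcompany.appName"))
    print("matches signing key:", matches_signing_key(uri, "com.example.app", SAMPLE_CERT_DER))
```

Run it against the DER bytes exported from your release keystore to confirm that the URI in the manifest was generated from the release key rather than the debug key before you ship.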

Username-password authentication

If your app uses only username-password authentication, you don't need to register a redirect URI for your application. This flow does a round trip to the Microsoft identity platform version 2.0 endpoint. Your application won't be called back on any specific URI.

However, you need to identify your application as a public client application. To do so, start in the Authentication section of your application. In the Advanced settings subsection, in the Default client type paragraph, for the question Treat application as a public client, select Yes.

API permissions

Mobile applications call APIs on behalf of the signed-in user. Your app needs to request delegated permissions. These permissions are also called scopes. Depending on the experience that you want, you can request delegated permissions statically through the Azure portal, or you can request them dynamically at runtime.

By statically registering permissions, you allow administrators to easily approve your app. Static registration is recommended.

Next steps