Scenario: Mobile application that calls web APIs

Learn how to build a mobile app that calls web APIs.

Prerequisites

Before reading this article, you should be familiar with the following concepts:

Getting started

Create your first mobile application and try out a quickstart.

Overview

A personalized, seamless user experience is essential for mobile apps. Microsoft identity platform enables mobile developers to create that experience for iOS and Android users. Your application can sign in Azure Active Directory (Azure AD) users and Azure AD B2C users. It can also acquire tokens to call a web API on their behalf. To implement these flows, we'll use Microsoft Authentication Library (MSAL). MSAL implements the industry-standard OAuth 2.0 authorization code flow; on a mobile device it runs that flow as a public client, using PKCE in place of a client secret.


Considerations for mobile apps:

  • User experience is key: Let users see the value of your app before you ask them to sign in. Request only the permissions the app actually needs.
  • Support all user configurations: Many mobile business users must adhere to conditional-access policies and device-compliance policies. Be sure to support these key scenarios.
  • Implement single sign-on (SSO): With MSAL and Microsoft identity platform, you can enable single sign-on through the device's browser or through Microsoft Authenticator (and Intune Company Portal on Android).
  • Implement shared device mode: Enable your application to be used in shared-device scenarios, for example hospitals, manufacturing, retail, and finance. Read more about supporting shared device mode.

Specifics

Keep in mind the following considerations when you build a mobile app on Microsoft identity platform:

  • Depending on the platform, some user interaction might be required the first time that users sign in. For example, iOS requires apps to show user interaction the first time they use SSO through Microsoft Authenticator (and Intune Company Portal on Android).
  • On iOS and Android, MSAL might use an external browser to sign in users. The external browser might appear on top of your app.
  • Never use a secret in a mobile application. Anything shipped inside the app package can be extracted by anyone who installs the app, so a secret embedded there is accessible to every user; register the app as a public client and rely on the authorization code flow with PKCE instead.
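To make the two points above concrete (MSAL runs the authorization code flow, and a mobile app must not carry a secret), here is an added example, not code from the original page and not MSAL's own implementation, that lays out the messages a mobile public client exchanges in the OAuth 2.0 authorization code flow with PKCE: the verifier/challenge pair, the authorize URL opened in the browser or broker, the redirect carrying the code, the token request, and the bearer header used to call the web API. The tenant, client ID, redirect URI and API scope are hypothetical values constructed for the example; a real app takes them from its Azure AD app registration. MSAL does all of this for you; the script shows what it does and where a secret would not appear.

```python
"""Authorization code flow with PKCE as a mobile public client performs it.

Added example: every identifier below is constructed for illustration and is
not from the original page or from MSAL.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "common"                                         # hypothetical
CLIENT_ID = "11111111-2222-3333-4444-555555555555"        # hypothetical app (client) ID
REDIRECT_URI = "msauth://com.example.mobileapp/callback"  # hypothetical redirect URI
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"
# Identity scopes plus a hypothetical scope on the web API the app calls.
API_SCOPES = ["openid", "profile", "offline_access",
              "api://11111111-2222-3333-4444-555555555555/access_as_user"]


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge). The verifier stays on the device
    until the token request, so an intercepted authorization code alone is useless."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    return verifier, pkce_challenge(verifier)


def build_authorize_url(code_challenge: str, state: str, scopes=API_SCOPES) -> str:
    """URL the app opens in the system browser (or hands to the broker)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect the OS delivers back to
    the app, rejecting a state mismatch before trusting anything else."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Form body for POST {AUTHORITY}/oauth2/v2.0/token. The code_verifier proves
    the same device that started the flow is redeeming the code; there is no
    client_secret because a public client cannot keep one."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
        "scope": " ".join(API_SCOPES),
    }


def bearer_header(access_token: str) -> dict:
    """Header the app attaches when it calls the web API on the user's behalf."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(challenge, state))
    # Constructed redirect standing in for what the browser or broker returns.
    code = parse_redirect(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    print(build_token_request(code, verifier))
```

The token request body is the place to check when reviewing a mobile app: if a `client_secret` turns up there, the app has been registered as a confidential client and the secret is shipping to every installation. The state check in `parse_redirect` is what stops a malicious app or page from injecting its own authorization code into your flow.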

Next steps