Scenario: Protected web API

In this scenario, you learn how to expose a web API. You also learn how to protect the web API so that only authenticated users can access it.

To use your web API, you need to enable users who authenticate with work and school accounts.

Prerequisites

Before reading this article, you should be familiar with the following concepts:

Specifics

Here is the specific information you need to know to protect web APIs:

  • Your app registration must expose at least one scope or one application role.
    • Scopes are exposed by web APIs that are called on behalf of a user.
    • Application roles are exposed by web APIs called by daemon applications (which call your web API on their own behalf).
  • If you create a new web API app registration, set the access token version accepted by your web API to 2. For legacy web APIs, the accepted token version can be null, but this value restricts the sign-in audience to organizations only.
  • The code configuration for the web API must validate the token used when the web API is called.
  • The code in the controller actions must validate the roles or scopes in the token.
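
The last two points above, as an added example that is not part of this article or of any Microsoft library: the claim checks a web API performs on a v2.0 access token after the bearer middleware has verified its signature, followed by the scope-or-role check a controller action makes. The audience, tenant, scope and role names are constructed placeholders; the claim layout (delegated permissions in a space-separated "scp" string, application permissions in a "roles" array) is that of Microsoft identity platform tokens.

```python
import time

# Added example: claim validation and scope/role authorization for a protected
# web API. Signature verification is assumed to be done by the JWT bearer
# middleware before these functions run; they only inspect the decoded claims.

def validate_claims(claims, expected_audience, tenant_id, now=None):
    """Returns a list of problems; an empty list means the token is acceptable.
    A v2.0 token for this API carries aud = the API's client ID and an issuer of
    https://login.microsoftonline.com/{tenant}/v2.0."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append("audience mismatch")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("issuer mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def authorize(claims, accepted_scopes=(), accepted_roles=()):
    """Controller-action check. Returns "delegated" when an accepted scope is
    present (call on behalf of a user), "app" when an accepted app role is
    present (daemon calling on its own behalf), or None when the call must be
    rejected with 403. A token with neither claim was not issued for any
    permission this API exposes, so it is rejected as well."""
    scopes = set(claims.get("scp", "").split())   # "scp" is a space-separated string
    roles = set(claims.get("roles", []))          # "roles" is a JSON array
    if not scopes and not roles:
        return None
    if scopes & set(accepted_scopes):
        return "delegated"
    if roles & set(accepted_roles):
        return "app"
    return None

# Constructed sample claim sets (placeholder audience, tenant, scope and role names).
ISSUER = "https://login.microsoftonline.com/tenant-id-placeholder/v2.0"
USER_TOKEN = {"aud": "api-client-id", "iss": ISSUER, "exp": 2_000_000_000,
              "scp": "access_as_user"}
DAEMON_TOKEN = {"aud": "api-client-id", "iss": ISSUER, "exp": 2_000_000_000,
                "roles": ["Todo.Read.All"]}
WRONG_AUDIENCE = {"aud": "some-other-api", "iss": ISSUER, "exp": 2_000_000_000,
                  "scp": "access_as_user"}
NO_PERMISSIONS = {"aud": "api-client-id", "iss": ISSUER, "exp": 2_000_000_000}

if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("daemon", DAEMON_TOKEN),
                      ("wrong aud", WRONG_AUDIENCE), ("no perms", NO_PERMISSIONS)]:
        problems = validate_claims(tok, "api-client-id", "tenant-id-placeholder", now=1_000_000_000)
        decision = authorize(tok, ["access_as_user"], ["Todo.Read.All"]) if not problems else None
        print(f"{name}: problems={problems} decision={decision}")
```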

Next steps