A web API that calls web APIs: App registration

A web API that calls downstream web APIs has the same registration as a protected web API. Therefore, you need to follow the instructions in Protected web API: App registration.

Because the web app now calls web APIs, it becomes a confidential client application. That's why extra registration information is required: the app needs to share secrets (client credentials) with the Microsoft identity platform.

Register secrets or certificates

As for any confidential client application, you need to register a secret or certificate. You can register your application secrets either through the interactive experience in the Azure portal or by using command-line tools (like PowerShell).

Register client secrets by using the portal

The management of client credentials happens on the Certificates & secrets page for an application:

[Screenshot: Certificates & secrets page]

  • You create a client secret by selecting New client secret in the app's registration in the Azure portal. When you create a client secret, you must record the secret's string before navigating away from the Certificates & secrets pane. The secret's string is never displayed again.
  • During application registration, you use the Upload certificate button to upload the certificate. Azure AD supports only certificates that are directly registered on the application and don't follow certificate chains.

For details, see Quickstart: Configure a client application to access web APIs | Add credentials to your application.

Register client secrets by using PowerShell

Alternatively, you can register your application with Azure AD by using command-line tools. The active-directory-dotnetcore-daemon-v2 sample shows how to register an application secret or certificate with an Azure AD application:
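The following script is an added example, not code from the sample or from this page. It attaches either a certificate or a short-lived client secret to an existing registration, assuming the AzureAD PowerShell module is installed; the parameter names and the certificate subject `CN=WebApiCert` are hypothetical.

```powershell
# Added example. Assumes the AzureAD PowerShell module and an existing app registration.
# $TenantId / $ClientId come from the caller; 'CN=WebApiCert' is a hypothetical subject.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [switch] $UseSecret   # default is a certificate credential
)

Import-Module AzureAD
Connect-AzureAD -TenantId $TenantId | Out-Null

# Find the registration by its application (client) ID.
$app = Get-AzureADApplication -Filter "AppId eq '$ClientId'"
if (-not $app) { throw "No app registration found for client ID $ClientId" }

if ($UseSecret) {
    # The generated value is returned by this call only, matching the portal behaviour
    # where the secret's string is never displayed again.
    $cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
        -StartDate (Get-Date) -EndDate (Get-Date).AddMonths(6)

    # Return it as a SecureString so it is not echoed to the console or a transcript.
    [pscustomobject]@{
        Type    = 'ClientSecret'
        KeyId   = $cred.KeyId
        Expires = $cred.EndDate
        Secret  = ConvertTo-SecureString $cred.Value -AsPlainText -Force
    }
}
else {
    # Create the key pair on the host that runs the web API; the private key stays in the
    # local certificate store and only the public certificate is uploaded.
    $cert = New-SelfSignedCertificate -Subject 'CN=WebApiCert' `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy NonExportable -KeySpec Signature `
        -NotAfter (Get-Date).AddMonths(12)

    # Register this exact certificate on the application (certificate chains are not followed).
    New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
        -CustomKeyIdentifier 'CN=WebApiCert' `
        -Type AsymmetricX509Cert -Usage Verify `
        -Value ([Convert]::ToBase64String($cert.GetRawCertData())) `
        -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null

    [pscustomobject]@{
        Type       = 'Certificate'
        Thumbprint = $cert.Thumbprint
        Expires    = $cert.NotAfter
    }
}
```

Pipe the returned object into your secret store or deployment tooling; the secret value cannot be read back from the registration afterwards.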

API permissions

Web apps call APIs on behalf of users for whom the bearer token was received. The web apps need to request delegated permissions. For more information, see Add permissions to access web APIs.

Next steps