Scenario: A web app that calls web APIs

Learn how to build a web app that signs users in to the Microsoft identity platform and then calls web APIs on behalf of the signed-in user.

Prerequisites

This scenario assumes you've already completed Scenario: Web app that signs in users.

Overview

You add authentication to your web app so that it can sign users in and call a web API on behalf of the signed-in user.

Web app that calls web APIs (diagram)

Web apps that call web APIs are confidential client applications: they run on a server that can keep a credential private, unlike a browser or mobile app. That's why they register a secret (an application password or certificate) with Azure Active Directory (Azure AD). The web app presents this secret, together with the authorization code it received, when it calls Azure AD to get a token; the browser never sees it. Prefer a certificate over an application password, and keep either out of source control and out of any code that runs on the client.

Specifics

Note

Adding sign-in to a web app is about protecting the web app itself. That protection is achieved by using middleware libraries, not the Microsoft Authentication Library (MSAL). The preceding scenario, Web app that signs in users, covered that subject.

This scenario covers how to call web APIs from a web app. You must get access tokens for those web APIs, and you use MSAL libraries to acquire them.

Development for this scenario involves these specific tasks:

  • During application registration, you must provide a reply URI and a secret or certificate to be shared with Azure AD. If you deploy your app to several locations, you provide a reply URI for each location, because Azure AD only redirects to, and only redeems authorization codes for, a reply URI that exactly matches a registered one.
  • The application configuration must provide the client credentials that were shared with Azure AD during application registration.
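The following is an added example, not code from this page or from MSAL, that shows in plain Python what the two registration tasks above set up and what an MSAL library (for example ConfidentialClientApplication in MSAL Python) does for you: the browser-visible authorize request carries no secret, the state value is checked on the callback, and the registered secret is used only in the server-to-server request that redeems the authorization code. MockAzureAD is a constructed stand-in for Azure AD that enforces the registration facts; the tenant, client ID, secret, reply URIs and token values are placeholders, not real identifiers.

```python
"""Illustrative authorization-code exchange for a confidential web app.
Stdlib-only sketch of what an MSAL library does for you; it is not MSAL, and
MockAzureAD stands in for Azure AD. Tenant, client ID, secret, reply URIs and
token values are placeholders, not real identifiers."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT_ID = "contoso.onmicrosoft.com"  # placeholder registration values
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_SECRET = "server-side-secret-never-sent-to-the-browser"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
# One registered reply URI per deployment location.
REGISTERED_REPLY_URIS = {
    "https://localhost:5001/signin-oidc",
    "https://app.contoso.com/signin-oidc",
}


def build_authorize_url(redirect_uri, scopes):
    """Step 1: URL the browser is sent to. Returns (url, state); the state is
    kept in the server session and checked on the callback (login CSRF)."""
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # no client secret in the browser-visible request
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: browser returns with ?code=...&state=...; verify state first."""
    qs = parse_qs(urlsplit(callback_url).query)
    if not hmac.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: discard this response")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code, redirect_uri, scopes):
    """Step 3: form body of the server-to-server POST that redeems the code.
    The only place the registered secret is used; it never passes the browser."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


class MockAzureAD:
    """Constructed stand-in for the authorize and token endpoints. It enforces
    the registration facts: registered reply URI, matching credential, and a
    code that is tied to one redirect_uri and redeemable only once."""

    def __init__(self, registered_secret, registered_reply_uris):
        self._secret = registered_secret
        self._reply_uris = set(registered_reply_uris)
        self._issued = {}  # code -> redirect_uri it was issued for

    def authorize(self, authorize_url):
        """Validate the request and 'redirect' back with a code and the state."""
        p = parse_qs(urlsplit(authorize_url).query)
        redirect_uri = p.get("redirect_uri", [""])[0]
        if p.get("client_id", [""])[0] != CLIENT_ID or redirect_uri not in self._reply_uris:
            raise ValueError("unregistered client_id or redirect_uri")
        code = secrets.token_urlsafe(24)
        self._issued[code] = redirect_uri
        return f"{redirect_uri}?{urlencode({'code': code, 'state': p.get('state', [''])[0]})}"

    def exchange(self, form):
        """Token endpoint: check credential, then the single-use code."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        secret_ok = hmac.compare_digest(form.get("client_secret", ""), self._secret)
        if form.get("client_id") != CLIENT_ID or not secret_ok:
            return {"error": "invalid_client"}
        issued_for = self._issued.pop(form.get("code"), None)  # pop: one use
        if issued_for is None or issued_for != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {"token_type": "Bearer", "access_token": "eyJ.placeholder.token",
                "expires_in": 3600, "scope": form.get("scope", "")}


def sign_in_and_get_token(idp, redirect_uri, scopes):
    """Run the three steps end to end; returns the token endpoint's response."""
    authorize_url, state = build_authorize_url(redirect_uri, scopes)
    callback_url = idp.authorize(authorize_url)  # the browser round trip
    code = parse_callback(callback_url, state)
    return idp.exchange(build_token_request(code, redirect_uri, scopes))
```

Running sign_in_and_get_token against MockAzureAD(CLIENT_SECRET, REGISTERED_REPLY_URIS) with a registered reply URI yields a bearer token; an unregistered reply URI is refused before any code is issued, a wrong secret gets invalid_client, and reusing a code or redeeming it with a different redirect_uri gets invalid_grant. Those are the same failure modes you hit when a deployment's reply URI or configured credential does not match the app registration.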

If you're new to identity and access management (IAM) with OAuth 2.0 and OpenID Connect, or even just new to IAM on the Microsoft identity platform, the following set of articles should be high on your reading list.

Although not required reading before you complete your first quickstart or tutorial, they cover topics integral to the platform, and familiarity with them will help you as you build more complex scenarios.

Next steps

Move on to the next article in this scenario, App registration.