Scenario: A web app that calls web APIs

Learn how to build a web app that signs users in to the Microsoft identity platform, and then calls web APIs on behalf of the signed-in user.

Prerequisites

Before reading this article, you should be familiar with the following concepts:

This scenario assumes that you've already gone through the following scenario:

Overview

You add authentication to your web app so that it can sign users in and call a web API on behalf of the signed-in user.

A web app that calls web APIs

Web apps that call web APIs are confidential client applications. That's why they register a secret (an application password or certificate) with Azure Active Directory (Azure AD). This secret is passed in during the call to Azure AD to get a token.

Specifics

Note

Adding sign-in to a web app is about protecting the web app itself. That protection is achieved by using middleware libraries, not the Microsoft Authentication Library (MSAL). The preceding scenario, Web app that signs in users, covered that subject.

This scenario covers how to call web APIs from a web app. You must get access tokens for those web APIs. You use MSAL libraries to acquire these tokens.

Development for this scenario involves these specific tasks:

  • During application registration, you must provide a reply URI, secret, or certificate to be shared with Azure AD. If you deploy your app to several locations, you'll provide a reply URI for each location.
  • The application configuration must provide the client credentials that were shared with Azure AD during application registration.
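
MSAL performs the token call for you. The following added example (not code from the original article or from MSAL) builds the underlying authorization-code redemption request with the Python standard library only, to show where the registered secret and the per-location reply URI end up. The global `login.microsoftonline.com` endpoint, the `WEBAPP_CLIENT_SECRET` variable name, the reply URIs and all helper names are assumptions made for illustration.

```python
import os
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

# Assumption: global Azure AD v2.0 token endpoint; national clouds use another host.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed sample: one registered reply URI per deployment location.
REPLY_URIS = {
    "dev": "https://localhost:44321/signin-oidc",
    "prod": "https://app.contoso.example/signin-oidc",
}

def load_client_secret(env=os.environ):
    """Read the secret from the environment (hypothetical variable name)."""
    secret = env.get("WEBAPP_CLIENT_SECRET", "")
    if not secret:
        raise RuntimeError("WEBAPP_CLIENT_SECRET is not set")
    return secret

def build_token_request(tenant, client_id, secret, location, auth_code, scopes):
    """Build, without sending, the POST that redeems an authorization code."""
    if location not in REPLY_URIS:
        raise ValueError(f"no reply URI registered for location {location!r}")
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": secret,  # travels in the POST body, never in the URL
        "code": auth_code,
        "redirect_uri": REPLY_URIS[location],  # must match the registration
        "scope": " ".join(scopes),
    }).encode()
    return Request(
        TOKEN_ENDPOINT.format(tenant=tenant), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )

def loggable_fields(request):
    """Return the request fields with the secret and the code masked."""
    fields = parse_qs(request.data.decode())
    return {k: "***" if k in ("client_secret", "code") else v[0]
            for k, v in fields.items()}
```

Log only the output of `loggable_fields`, never the raw request body, so that the secret and the one-time code stay out of application logs.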

Next steps