Scenario: Web app that signs in users

Learn all you need to build a web app that uses the Microsoft identity platform to sign in users.

Prerequisites

Before reading this article, you should be familiar with the following concepts:

Getting started

If you want to create your first portable (ASP.NET Core) web app that signs in users, follow this quickstart:

Overview

You add authentication to your web app so that it can sign in users. Adding authentication enables your web app to access limited profile information in order to customize the experience for users.

Web apps authenticate a user in a web browser. In this scenario, the web app directs the user's browser to sign them in to Azure Active Directory (Azure AD). Azure AD returns a sign-in response through the user's browser, which contains claims about the user in a security token. Signing in users takes advantage of the OpenID Connect standard protocol, simplified by the use of middleware libraries.

Signing in users through a web app

As a second phase, you can enable your application to call web APIs on behalf of the signed-in user. This next phase is a different scenario, which you'll find in Web app that calls web APIs.

Note

Adding sign-in to a web app is about protecting the web app and validating a user token, which is what middleware libraries do. In the case of .NET, this scenario does not yet require the Microsoft Authentication Library (MSAL), which is about acquiring a token to call protected APIs. Authentication libraries will be introduced in the follow-up scenario, when the web app needs to call web APIs.

Specifics

  • During the application registration, you'll need to provide one or several (if you deploy your app to several locations) reply URIs. In some cases (ASP.NET and ASP.NET Core), you'll need to enable the ID token. Finally, you'll want to set up a sign-out URI so that your application reacts to users signing out.
  • In the code for your application, you'll need to provide the authority to which your web app delegates sign-in. You might want to customize token validation (in particular, in partner scenarios).
  • Web applications support any account type. For more information, see Supported account types.
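To make the two halves of this scenario concrete (the sign-in request the browser is redirected with, and the token validation the note above attributes to the middleware), here is an added example that is not part of the page or of any Microsoft library. It assumes a single-tenant app; the tenant ID, client ID and reply URI are constructed placeholders, and signature verification against the authority's published keys is assumed to happen before the claim checks shown here.

```python
import time
from urllib.parse import urlencode

# Constructed placeholder values for this example (not from the page).
AUTHORITY = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555"
CLIENT_ID = "00000000-aaaa-bbbb-cccc-dddddddddddd"
REDIRECT_URI = "https://contoso.example/signin-oidc"  # must be a registered reply URI


def build_authorize_url(authority, client_id, redirect_uri, state, nonce):
    """OpenID Connect request that sends the user's browser to the authority to sign in."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",   # requires the ID token to be enabled at registration
        "redirect_uri": redirect_uri,  # must exactly match a registered reply URI
        "response_mode": "form_post",
        "scope": "openid profile",
        "state": state,                # anti-forgery value, compared on return
        "nonce": nonce,                # binds the returned ID token to this request
    }
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"


def validate_id_token_claims(claims, authority, client_id, expected_nonce, now=None):
    """Claim checks a middleware performs on an ID token after verifying its signature.

    Returns a list of failure reasons; an empty list means the claims are acceptable.
    A multi-tenant (partner) app using a 'common' authority would instead compare the
    issuer against its own list of allowed tenants, which is the customization the
    page refers to."""
    now = int(time.time()) if now is None else now
    tenant = authority.rstrip("/").rsplit("/", 1)[-1]
    failures = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant}/v2.0":
        failures.append("issuer does not match the configured authority")
    if claims.get("aud") != client_id:
        failures.append("audience is not this application")
    if claims.get("nonce") != expected_nonce:
        failures.append("nonce does not match the one sent in the request")
    if claims.get("exp", 0) <= now:
        failures.append("token has expired")
    if claims.get("nbf", 0) > now:
        failures.append("token is not yet valid")
    return failures
```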

Next steps