Web app that signs in users: Move to production

Now that you know how to get a token to call web APIs, here are some things to consider when moving your application to production.

Enable logging

To help in debugging and authentication failure troubleshooting scenarios, the Microsoft Authentication Library provides built-in logging support. Logging in each library is covered in the following articles:

Here are some suggestions for data collection:

  • Users might ask for help when they have problems. A best practice is to capture and temporarily store logs. Provide a location where users can upload the logs. MSAL provides logging extensions to capture detailed information about authentication.

  • If telemetry is available, enable it through MSAL to gather data about how users sign in to your app.
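One way to follow the capture-and-temporarily-store suggestion above, shown as an added example that is not part of the original page or of MSAL itself. It assumes MSAL for Python, which logs through the standard `logging` module under the logger name `msal`; the handler class, the `install` and `redact` helpers, and the redaction patterns are hypothetical.

```python
import logging
import re
from collections import deque

# Assumption: MSAL for Python logs through the standard logging module
# under the logger name "msal".
MSAL_LOGGER_NAME = "msal"

# Constructed patterns for values that must not reach a support upload.
_KV = re.compile(
    r'(?i)\b(client_secret|refresh_token|access_token|id_token|code|password)'
    r'("?\s*[=:]\s*"?)[^\s"&,}]+'
)
_JWT = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")  # three base64url segments


def redact(text):
    """Mask credential fields and JWT-shaped strings in one log line."""
    text = _KV.sub(r"\1\2[REDACTED]", text)
    return _JWT.sub("[REDACTED_JWT]", text)


class RedactingRingHandler(logging.Handler):
    """Hypothetical handler: keeps only the newest lines, already redacted."""

    def __init__(self, capacity=500):
        super().__init__()
        self.records = deque(maxlen=capacity)  # old lines fall off the front

    def emit(self, record):
        self.records.append(redact(self.format(record)))

    def export(self):
        """Text a user could attach to a support request."""
        return "\n".join(self.records)


def install(capacity=500, level=logging.INFO):
    """Attach the buffer to the MSAL logger and return it for later export."""
    handler = RedactingRingHandler(capacity)
    handler.setFormatter(
        logging.Formatter("%(asctime)s %(levelname)s %(name)s %(message)s"))
    logger = logging.getLogger(MSAL_LOGGER_NAME)
    logger.setLevel(level)
    logger.addHandler(handler)
    return handler
```

Because the buffer is bounded and redacted at write time, the text returned by `export()` never holds more than `capacity` lines and never holds the raw credential values.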

Validate your integration

Test your integration by following the Microsoft identity platform integration checklist.

Troubleshooting

When users sign in to the web application for the first time, they will need to consent. However, in some organizations, users can see a message like the following: "AppName needs permissions to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it." This is because your tenant administrator has disabled the ability for users to consent. In that case, contact your tenant administrators so that they do an admin-consent for the scopes required by the application.

Same site

Make sure you understand possible issues with new versions of the Chrome browser: How to handle SameSite cookie changes in Chrome browser.

The Microsoft.Identity.Web NuGet package handles the most common SameSite issues.

Deep dive: ASP.NET Core web app tutorial

Learn about other ways to sign in users with this ASP.NET Core tutorial:

Enable your web apps to sign in users and call APIs with the Microsoft identity platform for developers

This progressive tutorial has production-ready code for a web app, including how to add sign-in with accounts in:

  • Your organization
  • Multiple organizations
  • Work or school accounts
  • Azure AD B2C
  • National clouds

Sample code: Java web app

Learn more about the Java web app from this sample on GitHub:

A Java Web application that signs in users with the Microsoft identity platform and calls Microsoft Graph

Next Steps

After your web app signs in users, it can call web APIs on behalf of the signed-in users. Calling web APIs from the web app is the object of the following scenario: Web app that calls web APIs.