Security tokens

A centralized identity provider is especially useful for apps that have users located around the globe who don't necessarily sign in from the enterprise's network. The Microsoft identity platform authenticates users and provides security tokens, such as access tokens, refresh tokens, and ID tokens. Security tokens allow a client application to access protected resources on a resource server.

Access token: An access token is a security token that's issued by an authorization server as part of an OAuth 2.0 flow. It contains information about the user and the resource for which the token is intended. The information can be used to access web APIs and other protected resources. Access tokens are validated by the resource (the token's audience) before it grants access to a client app. To learn more about how the Microsoft identity platform issues access tokens, see Access tokens.

Refresh token: Because access tokens are valid for only a short period of time, authorization servers will sometimes issue a refresh token at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. To learn more about how the Microsoft identity platform uses refresh tokens to revoke permissions, see Token revocation.

ID token: ID tokens are sent to the client application as part of an OpenID Connect flow. They can be sent alongside or instead of an access token. ID tokens are used by the client to authenticate the user; they are meant for the client itself, not for presentation to a web API. To learn more about how the Microsoft identity platform issues ID tokens, see ID tokens.

Note

This article discusses security tokens used by the OAuth2 and OpenID Connect protocols. Many enterprise applications instead use SAML to authenticate users; SAML assertions are not covered here.

Validate security tokens

It's up to the app for which the token was generated (its audience), the web app that signed in the user, or the web API being called to validate the token. The token is signed by the authorization server with a private key, and the authorization server publishes the corresponding public key. To validate a token, the app verifies the signature with the authorization server's public key, which proves that the signature was created with the matching private key and that the token hasn't been altered since it was issued. Signature verification alone isn't enough: the app must also check that the token was issued by the expected issuer, is intended for this audience, and is within its validity window.

Tokens are valid for only a limited amount of time. Usually, the authorization server provides a pair of tokens, such as:

  • An access token, which is used to access the application or protected resource.
  • A refresh token, which is used to obtain a new access token when the current one is close to expiring.

Access tokens are passed to a web API as a bearer token in the Authorization header. An app can present a refresh token to the authorization server; if the user's access to the app hasn't been revoked, it gets back a new access token and a new refresh token. This is how the scenario of someone leaving the enterprise is handled: when the authorization server receives the refresh token, it won't issue another valid access token if the user is no longer authorized. Note that an access token that was already issued remains usable until it expires, which is why access tokens are kept short-lived.

JSON Web Tokens and claims

The Microsoft identity platform implements security tokens as JSON Web Tokens (JWTs) that contain claims. Since JWTs are used as security tokens, this form of authentication is sometimes called JWT authentication.

A claim provides assertions about one entity, such as a client application or resource owner, to another entity, such as a resource server. A claim might also be referred to as a JWT claim or a JSON Web Token claim.

Claims are name-value pairs that relay facts about the token subject. For example, a claim might contain facts about the security principal that was authenticated by the authorization server. The claims present in a specific token depend on many things, such as the type of token, the type of credential used to authenticate the subject, and the application configuration.

Applications can use claims for various tasks, such as to:

  • Validate the token.
  • Identify the token subject's tenant.
  • Display user information.
  • Determine the subject's authorization.

A claim consists of key-value pairs that provide information such as the:

  • Security token service (the issuer) that generated the token.
  • Date when the token was generated.
  • Subject, such as the user (daemon apps have no user subject).
  • Audience, which is the app for which the token was generated.
  • App (the client) that asked for the token. In the case of web apps, this app might be the same as the audience.

To learn more about how the Microsoft identity platform implements tokens and claim information, see Access tokens and ID tokens.

How each flow emits tokens and codes

Depending on how your client is built, it can use one (or several) of the authentication flows supported by the Microsoft identity platform. These flows can produce various tokens (ID tokens, refresh tokens, access tokens) and authorization codes, and some of them require a token as input to work. This table provides an overview.

| Flow | Requires | ID token | Access token | Refresh token | Authorization code |
| --- | --- | --- | --- | --- | --- |
| Authorization code flow | | x | x | x | x |
| Implicit flow | | x | x | | |
| Hybrid OIDC flow | | x | | | x |
| Refresh token redemption | Refresh token | x | x | x | |
| On-behalf-of flow | Access token | x | x | x | |
| Client credentials | | | x (app only) | | |

Tokens issued via the implicit mode have a length limitation because they're passed back to the browser via the URL, where response_mode is query or fragment. Some browsers have a limit on the size of the URL that can be put in the address bar and fail when it's too long. As a result, these tokens don't have groups or wids claims.

Next steps

For more information about authentication and authorization in the Microsoft identity platform, see the following articles: