Service-to-service apps

Service-to-service applications can be a daemon or server application that needs to get resources from a web API. There are two sub-scenarios that apply to this section:

  • A daemon that needs to call a web API, built on the OAuth 2.0 client credentials grant type

    In this scenario, it is important to understand a few things. First, user interaction is not possible with a daemon application, which requires the application to have its own identity. An example of a daemon application is a batch job, or an operating system service running in the background. This type of application requests an access token by using its application identity and presenting its Application ID, credential (password or certificate), and application ID URI to Azure AD. After successful authentication, the daemon receives an access token from Azure AD, which is then used to call the web API.

  • A server application (such as a web API) that needs to call a web API, built on the OAuth 2.0 On-Behalf-Of draft specification

    In this scenario, imagine that a user has authenticated on a native application, and this native application needs to call a web API. Azure AD issues a JWT access token to call the web API. If the web API needs to call another downstream web API, it can use the on-behalf-of flow to delegate the user's identity and authenticate to the second-tier web API.

Diagram

Daemon or server application to web API diagram

Protocol flow

Application identity with OAuth 2.0 client credentials grant

  1. First, the server application needs to authenticate with Azure AD as itself, without any human interaction such as an interactive sign-on dialog. It makes a request to Azure AD's token endpoint, providing the credential, Application ID, and application ID URI.
  2. Azure AD authenticates the application and returns a JWT access token that is used to call the web API.
  3. Over HTTPS, the web application uses the returned JWT access token to add the JWT string with a "Bearer" designation in the Authorization header of the request to the web API. The web API then validates the JWT token, and if validation is successful, returns the desired resource.

Delegated user identity with OAuth 2.0 On-Behalf-Of draft specification

The flow discussed below assumes that a user has been authenticated on another application (such as a native application), and their user identity has been used to acquire an access token to the first-tier web API.

  1. The native application sends the access token to the first-tier web API.
  2. The first-tier web API sends a request to Azure AD's token endpoint, providing its Application ID and credentials, as well as the user's access token. In addition, the request is sent with an on_behalf_of parameter that indicates the web API is requesting new tokens to call a downstream web API on behalf of the original user.
  3. Azure AD verifies that the first-tier web API has permissions to access the second-tier web API and validates the request, returning a JWT access token and a JWT refresh token to the first-tier web API.
  4. Over HTTPS, the first-tier web API then calls the second-tier web API by appending the token string in the Authorization header of the request. The first-tier web API can continue to call the second-tier web API as long as the access token and refresh token are valid.
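The two flows above, as an added example that is not part of this page's code samples: the client credentials request (step 1 of the application-identity flow), the on-behalf-of exchange (step 2 of the delegated flow, using the jwt-bearer grant and requested_token_use=on_behalf_of form of the v1 token endpoint), the Bearer header of step 3, and the claim checks a receiving web API applies after signature verification. The tenant, Application ID, secret and application ID URI are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode
# Constructed placeholder values, not real identifiers: substitute your tenant, app ID, secret and API ID URI.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/token"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_SECRET = "<client-secret-placeholder>"
API_ID_URI = "https://contoso.onmicrosoft.com/downstream-api"

def client_credentials_request():
    """Application identity, step 1: the daemon authenticates as itself, no user involved."""
    body = {"grant_type": "client_credentials", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,  # or a certificate-signed client assertion
            "resource": API_ID_URI}          # app ID URI of the web API to be called
    return TOKEN_ENDPOINT, urlencode(body)

def on_behalf_of_request(user_access_token):
    """Delegated identity, step 2: the first-tier API trades the user's token for a downstream one."""
    body = {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,  # the API's own credential
            "assertion": user_access_token,         # access token received from the native app
            "resource": API_ID_URI,                 # the downstream (second-tier) web API
            "requested_token_use": "on_behalf_of"}  # marks the exchange as on-behalf-of
    return TOKEN_ENDPOINT, urlencode(body)

def bearer_header(access_token):
    """Step 3 of either flow: send the JWT with the Bearer designation over HTTPS."""
    return {"Authorization": f"Bearer {access_token}"}

def demo_token(claims):
    """Constructed, unsigned stand-in for an Azure AD token, used only to exercise check_claims."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256","typ":"JWT"}'), enc(json.dumps(claims).encode()), "sig"])

def check_claims(jwt, expected_aud, expected_iss, now=None):
    """Run after a JWT library has verified the signature with the tenant's signing keys (not shown)."""
    now = time.time() if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return "malformed token"
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    if claims.get("aud") != expected_aud:
        return "audience mismatch"   # a token minted for another API must not unlock this one
    if claims.get("iss") != expected_iss:
        return "issuer mismatch"
    if now >= claims.get("exp", 0):
        return "token expired"
    return None   # claims acceptable
```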

Code samples

See the code samples for the daemon or server application to web API scenarios, and check back frequently, as new samples are added often.

Server or Daemon Application to Web API

App registration

  • Single tenant - For both the application identity and delegated user identity cases, the daemon or server application must be registered in the same directory in Azure AD. The web API can be configured to expose a set of permissions, which are used to limit the daemon or server's access to its resources. If a delegated user identity type is being used, the server application needs to select the desired permissions from the "Permissions to Other Applications" drop-down menu in the Azure portal. This step is not required if the application identity type is being used.
  • Multi-tenant - First, the daemon or server application is configured to indicate the permissions it requires to be functional. This list of required permissions is shown in a dialog when a user or administrator in the destination directory gives consent to the application, which makes it available to their organization. Some applications only require user-level permissions, which any user in the organization can consent to. Other applications require administrator-level permissions, which a user in the organization cannot consent to. Only a directory administrator can give consent to applications that require this level of permissions. When the user or administrator consents, both of the web APIs are registered in their directory.

Token expiration

When the first application uses its authorization code to get a JWT access token, it also receives a JWT refresh token. When the access token expires, the refresh token can be used to re-authenticate the user without prompting for credentials. This refresh token is then used to authenticate the user, which results in a new access token and refresh token.

Next steps