Service to service calls using client credentials (shared secret or certificate)

Applies to:
  • Azure AD v1.0 endpoint

The OAuth 2.0 client credentials grant flow permits a web service (a confidential client) to authenticate with its own credentials, instead of impersonating a user, when it calls another web service. In this scenario the client is typically a middle-tier web service, a daemon service, or a web site. Because no user takes part, the resulting access token represents the calling application itself, and the receiving service must authorize the call on that application identity. For a higher level of assurance, Azure AD also allows the calling service to present a certificate instead of a shared secret as its credential.

Client credentials grant flow diagram

The following diagram explains how the client credentials grant flow works in Azure Active Directory (Azure AD).

[Figure: OAuth 2.0 client credentials grant flow]

  1. The client application authenticates to the Azure AD token issuance endpoint and requests an access token.
  2. The Azure AD token issuance endpoint issues the access token.
  3. The client presents the access token to authenticate to the secured resource.
  4. Data from the secured resource is returned to the client application.

Register the services in Azure AD

Register both the calling service and the receiving service in Azure Active Directory (Azure AD). For detailed instructions, see Integrating applications with Azure Active Directory.

Request an access token

To request an access token, send an HTTP POST to the tenant-specific Azure AD endpoint:

https://login.partner.microsoftonline.cn/<tenant id>/oauth2/token

Service-to-service access token request

There are two cases, depending on whether the client application is secured by a shared secret or by a certificate.

First case: access token request with a shared secret

When using a shared secret, a service-to-service access token request contains the following parameters:

  • grant_type (required): Specifies the requested grant type. In a client credentials grant flow, the value must be client_credentials.
  • client_id (required): The Azure AD client ID of the calling web service. To find the calling application's client ID, in the Azure portal click Azure Active Directory, click App registrations, and then click the application. The client_id is the Application ID.
  • client_secret (required): A key registered in Azure AD for the calling web service or daemon application. To create a key, in the Azure portal click Azure Active Directory, click App registrations, click the application, click Settings, click Keys, and add a key. URL-encode this secret when sending it: a generated key routinely contains characters such as +, / and =, which are not valid unencoded in a form body.
  • resource (required): The App ID URI of the receiving web service. To find the App ID URI, in the Azure portal click Azure Active Directory, click App registrations, click the service application, and then click Settings and Properties.

Example

The following HTTP POST requests an access token for the https://service.contoso.com/ web service. The client_id identifies the web service that requests the access token.

POST /contoso.com/oauth2/token HTTP/1.1
Host: login.partner.microsoftonline.cn
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=625bc9f6-3bf6-4b6d-94ba-e97cf07a22de&client_secret=qkDwDJlDfig2IpeuUZYKH1Wb8q1V0ju6sILxQQqhJ%2Bs%3D&resource=https%3A%2F%2Fservice.contoso.com%2F

Second case: access token request with a certificate

A service-to-service access token request with a certificate contains the following parameters:

  • grant_type (required): Specifies the requested grant type. In a client credentials grant flow, the value must be client_credentials.
  • client_id (required): The Azure AD client ID of the calling web service. To find the calling application's client ID, in the Azure portal click Azure Active Directory, click App registrations, and then click the application. The client_id is the Application ID.
  • client_assertion_type (required): The value must be urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
  • client_assertion (required): An assertion (a JSON Web Token) that you create and sign with the certificate you registered as a credential for your application. Read about certificate credentials to learn how to register your certificate and the format of the assertion.
  • resource (required): The App ID URI of the receiving web service. To find the App ID URI, in the Azure portal click Azure Active Directory, click App registrations, click the service application, and then click Settings and Properties.

Notice that the parameters are almost the same as in the shared-secret request, except that the client_secret parameter is replaced by two parameters: client_assertion_type and client_assertion. The private key never leaves the calling service; only a short-lived signed assertion is sent to Azure AD.

Example

The following HTTP POST requests an access token with a certificate. The client_id identifies the web service that requests the access token, and resource is the App ID URI of the receiving web service.

POST /<tenant_id>/oauth2/token HTTP/1.1
Host: login.partner.microsoftonline.cn
Content-Type: application/x-www-form-urlencoded

resource=https%3A%2F%2Fcontoso.partner.onmschina.cn%2Ffc7664b4-cdd6-43e1-9365-c2e1c4e1b3bf&client_id=97e0a5b7-d745-40b6-94fe-5f77d35c6e05&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg&grant_type=client_credentials
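The assertion in the request above is shown only in its encoded form. The following Python example is added here and is not code from the page; it builds and signs a client_assertion for the certificate case. It assumes the `cryptography` package is installed, generates an ephemeral RSA key and self-signed certificate in place of the certificate registered on the app, and uses a placeholder tenant ID with the client_id from the example above. The claim set (aud, iss, sub, jti, nbf, exp) and the x5t header follow the Azure AD certificate-credentials format the page links to. verify_assertion mirrors the checks the token endpoint performs so the output can be checked locally before anything is sent.

```python
"""Build and self-check an Azure AD v1.0 client_assertion JWT (added example).

Assumes the `cryptography` package. Key, certificate and tenant below are
generated or constructed for the demo; they are not real registrations.
"""
import base64
import datetime
import hashlib
import json
import uuid

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant
TOKEN_ENDPOINT = f"https://login.partner.microsoftonline.cn/{TENANT_ID}/oauth2/token"
CLIENT_ID = "97e0a5b7-d745-40b6-94fe-5f77d35c6e05"  # client_id from the page's example
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_segment(obj) -> str:
    """Compact JSON, then base64url: one segment of the JWT."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def generate_demo_credential():
    """Ephemeral RSA key plus self-signed certificate, standing in for the
    certificate registered on the app in Azure AD (constructed for the demo)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "daemon.contoso.com")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def cert_thumbprint_x5t(cert) -> str:
    """x5t header: base64url of the SHA-1 hash of the DER certificate. Azure AD
    uses it to pick which registered certificate verifies the signature."""
    return b64url(hashlib.sha1(cert.public_bytes(serialization.Encoding.DER)).digest())


def build_client_assertion(key, cert, client_id, token_endpoint, now=None, lifetime=600):
    """RS256-signed JWT: aud is the exact token endpoint it will be posted to,
    iss and sub are the client_id, jti makes every assertion unique."""
    if now is None:
        now = int(datetime.datetime.now(datetime.timezone.utc).timestamp())
    header = {"alg": "RS256", "typ": "JWT", "x5t": cert_thumbprint_x5t(cert)}
    claims = {
        "aud": token_endpoint,
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),
        "nbf": now,
        "exp": now + lifetime,  # short-lived: one assertion serves one token request
    }
    signing_input = f"{jwt_segment(header)}.{jwt_segment(claims)}"
    signature = key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{b64url(signature)}"


def build_certificate_token_request(assertion, client_id, resource):
    """Form fields for the certificate case: client_secret is replaced by the two assertion fields."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
        "resource": resource,
    }


def verify_assertion(assertion, cert, expected_aud, now):
    """The checks the token endpoint applies, mirrored here to self-test the output:
    header algorithm and thumbprint, RSA signature, audience and validity window."""
    head_b64, claims_b64, sig_b64 = assertion.split(".")
    header = json.loads(b64url_decode(head_b64))
    claims = json.loads(b64url_decode(claims_b64))
    if header.get("alg") != "RS256" or header.get("x5t") != cert_thumbprint_x5t(cert):
        raise ValueError("unexpected JWT header")
    cert.public_key().verify(b64url_decode(sig_b64), f"{head_b64}.{claims_b64}".encode("ascii"),
                             padding.PKCS1v15(), hashes.SHA256())  # raises InvalidSignature if tampered
    if claims.get("aud") != expected_aud or not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("assertion not valid for this audience or time")
    return claims


if __name__ == "__main__":
    demo_key, demo_cert = generate_demo_credential()
    demo_assertion = build_client_assertion(demo_key, demo_cert, CLIENT_ID, TOKEN_ENDPOINT)
    print(build_certificate_token_request(demo_assertion, CLIENT_ID, "https://service.contoso.com/"))
```

Keep the assertion lifetime short and generate a fresh jti per request; an assertion is a bearer credential for the token endpoint until it expires, so a long-lived one that leaks in a log is as useful to an attacker as a shared secret.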

Service-to-service access token response

A success response contains a JSON OAuth 2.0 response with the following parameters:

  • access_token: The requested access token. The calling web service uses this token to authenticate to the receiving web service. It is a bearer token, so anyone who obtains it can use it; protect it like the credential that obtained it.
  • token_type: The token type. The only type Azure AD supports is Bearer. For more information about bearer tokens, see The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750).
  • expires_in: How long the access token is valid, in seconds.
  • expires_on: The time at which the access token expires, as the number of seconds since 1970-01-01T00:00:00Z UTC. Use this value to determine the lifetime of cached tokens.
  • not_before: The time from which the access token becomes usable, as the number of seconds since 1970-01-01T00:00:00Z UTC.
  • resource: The App ID URI of the receiving web service.

Example of response

The following example shows a success response to a request for an access token to a web service. Note that the v1.0 endpoint returns the numeric fields as strings.

{
"access_token":"eyJhbGciOiJSUzI1NiIsIng1dCI6IjdkRC1nZWNOZ1gxWmY3R0xrT3ZwT0IyZGNWQSIsInR5cCI6IkpXVCJ9.{a lot of characters here}.aqtfJ7G37CpKV901Vm9sGiQhde0WMg6luYJR4wuNR2ffaQsVPPpKirM5rbc6o5CmW1OtmaAIdwDcL6i9ZT9ooIIicSRrjCYMYWHX08ip-tj-uWUihGztI02xKdWiycItpWiHxapQm0a8Ti1CWRjJghORC1B1-fah_yWx6Cjuf4QE8xJcu-ZHX0pVZNPX22PHYV5Km-vPTq2HtIqdboKyZy3Y4y3geOrRIFElZYoqjqSv5q9Jgtj5ERsNQIjefpyxW3EwPtFqMcDm4ebiAEpoEWRN4QYOMxnC9OUBeG9oLA0lTfmhgHLAtvJogJcYFzwngTsVo6HznsvPWy7UP3MINA",
"token_type":"Bearer",
"expires_in":"3599",
"expires_on":"1388452167",
"resource":"https://service.contoso.com/"
}
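Putting the shared-secret request and the response handling together, the following Python example is added here and is not code from the page. It builds the form body with correct URL-encoding of the secret (the + and = in the sample key become %2B and %3D), posts it, validates the response and caches the token per resource using expires_on and not_before. It uses only the standard library; the transport is injectable so the page's sample response can be replayed offline through RecordingTransport, and the access_token inside SAMPLE_RESPONSE is a constructed placeholder rather than a real token.

```python
"""Shared-secret client-credentials request, response validation and token
caching for the Azure AD v1.0 endpoint (added example, standard library only)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_HOST = "https://login.partner.microsoftonline.cn"

# The page's sample success response, with a constructed placeholder access_token.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e30.placeholder-signature",
    "token_type": "Bearer",
    "expires_in": "3599",
    "expires_on": "1388452167",
    "resource": "https://service.contoso.com/",
})


def build_token_request(tenant, client_id, client_secret, resource):
    """Return (url, form body) for the shared-secret case. urlencode percent-encodes
    every reserved character, so a secret such as 'a+b=' is sent as 'a%2Bb%3D';
    sent raw, the server would decode '+' as a space and reject the credential."""
    url = f"{TOKEN_HOST}/{tenant}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return url, body


def urllib_transport(url, body):
    """Live transport: POST the form body and return (status, response text)."""
    req = urllib.request.Request(
        url, data=body.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # failures come back as a JSON error body
        return err.code, err.read().decode()


class RecordingTransport:
    """Offline stand-in for urllib_transport: records each request, returns SAMPLE_RESPONSE."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, body):
        self.calls.append((url, body))
        return 200, SAMPLE_RESPONSE


def parse_token_response(status, text, expected_resource):
    """Validate the response before trusting it. v1.0 returns the numeric fields
    as strings, so convert them; a token issued for a different resource is
    refused rather than forwarded to the wrong API."""
    data = json.loads(text)
    if status != 200 or "error" in data:
        raise RuntimeError(f"token request failed: {data.get('error')}: {data.get('error_description')}")
    if data.get("token_type") != "Bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    if data.get("resource") != expected_resource:
        raise RuntimeError(f"token issued for {data.get('resource')!r}, not {expected_resource!r}")
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),
        "not_before": int(data.get("not_before", 0)),
    }


class TokenCache:
    """One cached token per resource. A token is reused only inside its
    [not_before, expires_on - margin) window; the margin absorbs clock skew
    and the time the downstream call itself takes."""

    def __init__(self, tenant, client_id, client_secret, transport=urllib_transport,
                 margin=300, clock=time.time):
        self._tenant, self._client_id, self._secret = tenant, client_id, client_secret
        self._transport, self._margin, self._clock = transport, margin, clock
        self._tokens = {}

    def get(self, resource):
        now = int(self._clock())
        cached = self._tokens.get(resource)
        if cached and cached["not_before"] <= now < cached["expires_on"] - self._margin:
            return cached["access_token"]
        url, body = build_token_request(self._tenant, self._client_id, self._secret, resource)
        status, text = self._transport(url, body)
        self._tokens[resource] = parse_token_response(status, text, resource)
        return self._tokens[resource]["access_token"]


if __name__ == "__main__":
    transport = RecordingTransport()
    cache = TokenCache("contoso.com", "625bc9f6-3bf6-4b6d-94ba-e97cf07a22de",
                       "qkDwDJlDfig2IpeuUZYKH1Wb8q1V0ju6sILxQQqhJ+s=", transport=transport,
                       clock=lambda: 1388452167 - 3599)
    cache.get("https://service.contoso.com/")
    cache.get("https://service.contoso.com/")  # served from the cache
    print(len(transport.calls), "request(s) sent:", transport.calls[0][1])
```

To talk to the real endpoint, construct TokenCache without the transport argument; the secret and client_id above are the page's illustrative values and should come from a secret store, never from source.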

See also