Application types for Microsoft identity platform

The Microsoft identity platform endpoint supports authentication for a variety of modern app architectures, all of them based on the industry-standard protocols OAuth 2.0 or OpenID Connect. This article describes the types of apps that you can build by using the Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand the high-level scenarios before you start working with the code in the application scenarios.

The basics

You must register each app that uses the Microsoft identity platform endpoint in the Azure portal under App registrations. The app registration process collects and assigns these values for your app:

  • An Application (client) ID that uniquely identifies your app
  • A Redirect URI that you can use to direct responses back to your app
  • A few other scenario-specific values, such as supported account types

For details, learn how to register an app.

After the app is registered, it communicates with the Microsoft identity platform by sending requests to the endpoint. We provide open-source frameworks and libraries that handle the details of these requests. You also have the option to implement the authentication logic yourself by creating requests to these endpoints.

Single-page apps (JavaScript)

Many modern apps have a single-page app front end written primarily in JavaScript, often with a framework like Angular, React, or Vue. The Microsoft identity platform endpoint supports these apps by using the OpenID Connect protocol for authentication and either the OAuth 2.0 implicit grant flow or the more recent OAuth 2.0 authorization code + PKCE flow for authorization (see below).

The flow diagram below demonstrates the OAuth 2.0 authorization code grant (with the details around PKCE omitted), where the app receives a code from the Microsoft identity platform authorize endpoint and redeems it for tokens and refresh tokens using cross-site web requests. The refresh token expires every 24 hours, and the app must request another code. In addition to the access token, an id_token that represents the signed-in user to the client application is typically also requested, through the same flow and/or a separate OpenID Connect request (not shown here).

[Diagram: OAuth 2.0 authorization code flow between a single-page app and the security token service endpoint]

Authorization code flow vs. implicit flow

For most of the history of OAuth 2.0, the implicit flow was the recommended way to build single-page apps. With the removal of third-party cookies and greater attention paid to the security concerns around the implicit flow, we've moved to the authorization code flow for single-page apps.

To ensure compatibility of your app in Safari and other privacy-conscious browsers, we no longer recommend use of the implicit flow and instead recommend the authorization code flow.

Web apps

For web apps (.NET, PHP, Java, Ruby, Python, Node) that the user accesses through a browser, you can use OpenID Connect for user sign-in. In OpenID Connect, the web app receives an ID token. An ID token is a security token that verifies the user's identity and provides information about the user in the form of claims:

    // Partial raw ID token

    // Partial content of a decoded ID token
    {
        "name": "John Smith",
        "email": "",
        "oid": "d9674823-dffc-4e3f-a6eb-62fe4bd48a58"
    }

Further details of the different types of tokens used in the Microsoft identity platform endpoint are available in the access token reference and the id_token reference.

In web server apps, the sign-in authentication flow takes these high-level steps:

[Diagram: web app authentication flow]

You can ensure the user's identity by validating the ID token with a public signing key that is received from the Microsoft identity platform endpoint. A session cookie is then set, which is used to identify the user on subsequent page requests.

To see this scenario in action, try the code samples in the Web app that signs in users scenario.

In addition to simple sign-in, a web server app might need to access another web service, such as a REST API. In this case, the web server app engages in a combined OpenID Connect and OAuth 2.0 flow by using the OAuth 2.0 authorization code flow. For more information about this scenario, read about getting started with web apps and web APIs.

Web APIs

You can use the Microsoft identity platform endpoint to secure web services, such as your app's RESTful web API. Web APIs can be implemented in numerous platforms and languages; they can also be implemented using HTTP triggers in Azure Functions. Instead of ID tokens and session cookies, a web API uses an OAuth 2.0 access token to secure its data and to authenticate incoming requests. The caller of a web API appends an access token in the Authorization header of an HTTP request, like this:

GET /api/items HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6...
Accept: application/json

The web API uses the access token to verify the API caller's identity and to extract information about the caller from the claims encoded in the access token. Further details of the different types of tokens used in the Microsoft identity platform endpoint are available in the access token reference and the id_token reference.

A web API can give users the power to opt in to or out of specific functionality or data by exposing permissions, also known as scopes. For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The Microsoft identity platform endpoint asks the user for permission and then records the granted permissions in all access tokens that the web API receives. The web API validates the access tokens it receives on each call and performs authorization checks.

A web API can receive access tokens from all types of apps, including web server apps, desktop and mobile apps, single-page apps, server-side daemons, and even other web APIs. The high-level flow for a web API looks like this:

[Diagram: web API authentication flow]

To learn how to secure a web API by using OAuth 2.0 access tokens, check out the web API code samples in the protected web API scenario.

In many cases, web APIs also need to make outbound requests to other downstream web APIs that are secured by the Microsoft identity platform. To do so, web APIs can take advantage of the On-Behalf-Of flow, which allows the web API to exchange an incoming access token for another access token to be used in outbound requests. For more info, see Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow.

Mobile and native apps

Device-installed apps, such as mobile and desktop apps, often need to access back-end services or web APIs that store data and perform functions on behalf of a user. These apps can add sign-in and authorization to back-end services by using the OAuth 2.0 authorization code flow.

In this flow, the app receives an authorization code from the Microsoft identity platform endpoint when the user signs in. The authorization code represents the app's permission to call back-end services on behalf of the user who is signed in. The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire.

If the application uses the default system webview, check the information about the "Confirm My Sign-In" functionality and error code AADSTS50199 in Azure AD authentication and authorization error codes.

Daemons and server-side apps

Apps that have long-running processes or that operate without interaction with a user also need a way to access secured resources, such as web APIs. These apps can authenticate and get tokens by using the app's identity, rather than a user's delegated identity, with the OAuth 2.0 client credentials flow. You can prove the app's identity using a client secret or a certificate. For more info, see .NET Core daemon console application using Microsoft identity platform.

In this flow, the app interacts directly with the /token endpoint to obtain access.

To build a daemon app, see the client credentials documentation, or try a .NET sample app.

Next steps

Now that you're familiar with the types of applications supported by the Microsoft identity platform, learn more about OAuth 2.0 and OpenID Connect to gain an understanding of the protocol components used by the different scenarios.