OAuth 2.0 authentication with Azure Active Directory

OAuth 2.0 is the industry protocol for authorization. It allows a user to grant limited access to their protected resources. Designed to work specifically with Hypertext Transfer Protocol (HTTP), OAuth separates the role of the client from that of the resource owner. The client requests access to resources that are controlled by the resource owner and hosted by the resource server. The resource server issues access tokens with the approval of the resource owner. The client uses the access tokens to access the protected resources hosted by the resource server.

OAuth 2.0 is directly related to OpenID Connect (OIDC). Since OIDC is an authentication and authorization layer built on top of OAuth 2.0, it isn't backwards compatible with OAuth 1.0. Azure Active Directory (Azure AD) supports all OAuth 2.0 flows.

Use when:

For rich client and modern app scenarios, and for RESTful Web API access.

Architecture diagram

Components of the system

  • User: Requests a service from the web application (app). The user is typically the resource owner, who owns the data and has the power to allow clients to access the data or resource.

  • Web browser: The web browser that the user interacts with is the OAuth client.

  • Web app: The web app, or resource server, is where the resource or data resides. It trusts the authorization server to securely authenticate and authorize the OAuth client.

  • Azure AD: Azure AD is the authorization server, also known as the Identity Provider (IdP). It securely handles anything to do with the user's information, their access, and the trust relationship. It's responsible for issuing the tokens that grant and revoke access to resources.
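The trust relationship in the list above becomes concrete when the web app (resource server) checks an access token before serving a request. The added example below is not from the original page or from Microsoft: it shows the checks a resource server makes on a token, namely signature, issuer (the tenant-specific Azure AD issuer URL), audience, and lifetime. The tenant id, audience `api://my-resource-server` and signing key are constructed placeholders, and HS256 stands in for Azure AD's RS256 so the code runs offline; in production the signing keys come from the tenant's published JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders: not a real tenant, audience or key.
# Azure AD issues RS256 tokens verified against the tenant's JWKS; HS256 with a
# shared demo key is used here only so the example is self-contained.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_AUDIENCE = "api://my-resource-server"
DEMO_KEY = b"demo-signing-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict) -> str:
    """Build a JWT the way the authorization server would (demo HS256 only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_access_token(token: str, now: Optional[float] = None) -> dict:
    """Resource-server check: signature, issuer, audience, lifetime.

    Returns the claims on success; raises ValueError naming the failed check.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Pin the algorithm instead of trusting whatever the token's header says.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")    # minted by another tenant or IdP
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")  # minted for a different API
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims
```

A token that fails any single check is rejected outright; a valid signature alone is not enough, because a token issued by another tenant or for another API is still correctly signed.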

Implement OAuth 2.0 with Azure AD