OpenID Connect authentication with Azure Active Directory

OpenID Connect (OIDC) is an authentication protocol built on the OAuth2 protocol (which is used for authorization). OIDC uses the standardized message flows from OAuth2 to provide identity services.

The design goal of OIDC is "making simple things simple and complicated things possible". OIDC lets developers authenticate their users across websites and apps without having to own and manage password files. This gives the app builder a secure way to verify the identity of the person currently using the browser or native app that is connected to the application.

The authentication of the user must take place at an identity provider, where the user's session or credentials are checked. To do that, you need a trusted agent. Native apps usually launch the system browser for that purpose. Embedded views are considered untrusted, because nothing prevents the app from snooping on the user's password.

In addition to authentication, the user can be asked for consent. Consent is the user's explicit permission for an application to access protected resources. Consent differs from authentication in that it only needs to be given once for a resource. Consent remains valid until the user or an admin manually revokes the grant.

Use when

There is a need for user consent and for web sign-in.

Architecture diagram

Components of system

  • User: Requests a service from the application.

  • Trusted agent: The component that the user interacts with. This trusted agent is usually a web browser.

  • Application: The application, or Resource Server, is where the resource or data resides. It trusts the identity provider to securely authenticate and authorize the trusted agent.

  • Azure AD: The OIDC provider, also known as the identity provider, securely manages everything to do with the user's information, their access, and the trust relationships between the parties in a flow. It authenticates the identity of the user, grants and revokes access to resources, and issues tokens.
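To make the trust relationship between the last two components concrete, here is an added example (not code from the original article) of the claim checks an application performs on the ID token Azure AD issues before it accepts a sign-in. It assumes the v2.0 issuer format `https://login.microsoftonline.com/{tenant}/v2.0`, uses placeholder tenant and client ids, and assumes the token signature has already been verified against the tenant's published signing keys, which is not shown here.

```python
import base64
import json
import time

# Assumed, not from the article: v2.0 issuer format and placeholder ids.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder app (client) id


def decode_jwt_payload(token):
    """Base64url-decode the middle (payload) segment of a compact JWT into a dict.
    This does not verify the signature; that must happen before claims are trusted."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)          # restore the stripped '=' padding
    return json.loads(base64.urlsafe_b64decode(segment))


def validate_id_token_claims(claims, tenant_id, client_id, expected_nonce, now=None):
    """Return the list of failed claim checks; an empty list means the claims pass."""
    now = time.time() if now is None else now
    failures = []
    # iss: the token must come from this tenant, not from just any Azure AD tenant.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        failures.append("iss")
    # aud: a token minted for a different application must be rejected.
    if claims.get("aud") != client_id:
        failures.append("aud")
    # nonce: binds the token to the login request this session started (replay defence).
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        failures.append("nonce")
    # exp / iat: reject expired tokens and tokens "issued" in the future (5 min skew).
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp:
        failures.append("exp")
    if not isinstance(iat, (int, float)) or iat > now + 300:
        failures.append("iat")
    return failures


def make_sample_token(claims):
    """Build a constructed, unsigned sample token (header.payload.) for the demo only;
    real Azure AD tokens are RS256-signed and the signature must be verified."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```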

Implement OIDC with Azure AD