How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management

Overview

Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your developer portal. This guide shows you the configuration that's required in your API Management service to integrate with Azure Active Directory B2C. For information about enabling access to the developer portal by using classic Azure Active Directory, see How to authorize developer accounts using Azure Active Directory.

Note

To complete the steps in this guide, you must first have an Azure Active Directory B2C tenant to create an application in. You also need to have sign-up and sign-in policies ready. For more information, see Azure Active Directory B2C overview.

Availability

Important

This feature is available in the Premium, Standard, and Developer tiers of API Management.

Authorize developer accounts by using Azure Active Directory B2C

  1. To get started, sign in to the Azure portal and locate your API Management instance.

    Note

    If you haven't yet created an API Management service instance, see Create an API Management service instance in the Get started with Azure API Management tutorial.

  2. Under Identities, click +Add at the top.

    The Add identity provider pane appears on the right. Choose Azure Active Directory B2C.

    Add AAD B2C as identity provider

  3. Copy the Redirect URL.

    AAD B2C identity provider redirect URL

  4. In a new tab, access your Azure Active Directory B2C tenant in the Azure portal and open the Applications blade.

    Register new application 1

  5. Click the Add button to create a new Azure Active Directory B2C application.

    Register new application 2

  6. In the New application blade, enter a name for the application. Choose Yes under Web App/Web API, and choose Yes under Allow implicit flow. Then paste the Redirect URL copied in step 3 into the Reply URL text box.

    Register new application 3

  7. Click the Create button. When the application is created, it appears in the Applications blade. Click the application name to see its details.

    Register new application 4

  8. From the Properties blade, copy the Application ID to the clipboard.

    Application ID 1

  9. Switch back to the API Management Add identity provider pane and paste the ID into the Client Id text box.

  10. Switch back to the B2C app registration, click the Keys button, and then click Generate key. Click Save to save the configuration and display the App key. Copy the key to the clipboard.

    App key 1

  11. Switch back to the API Management Add identity provider pane and paste the key into the Client Secret text box.

  12. Specify the domain name of the Azure Active Directory B2C tenant in Signin tenant.

  13. The Authority field lets you control the Azure AD B2C login URL to use. Set the value to <your_b2c_tenant_name>.b2clogin.com.

  14. Specify the Signup Policy and Signin Policy from the B2C tenant policies. Optionally, you can also provide the Profile Editing Policy and Password Reset Policy.

  15. After you've specified the desired configuration, click Save.

    After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.
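The configuration that steps 9 through 15 build up in the portal can also be deployed as a Resource Manager template, which keeps the identity-provider settings reviewable in source control. The Bicep below is an added example, not part of the original article or Microsoft's own sample code; the parameter names, the default policy names (B2C_1_signup and so on) and the 2021-08-01 API version are assumptions, and the client secret generated in step 10 is passed as a secure parameter (for example from Key Vault at deployment time) so it is never pasted into a text box or committed with the template.

```bicep
// Added example: registers Azure AD B2C as the developer-portal identity
// provider of an existing API Management instance. Parameter names, the
// default policy names and the API version are assumptions, not values
// taken from the article.

@description('Name of the existing API Management instance')
param apimServiceName string

@description('B2C tenant name without suffix, e.g. contoso for contoso.onmicrosoft.com')
param b2cTenantName string

@description('Application ID copied from the B2C app registration (step 8)')
param b2cClientId string

@secure()
@description('App key generated in step 10; supply from Key Vault, never hard-code it')
param b2cClientSecret string

// Placeholder user-flow names; replace with the policies defined in your B2C tenant (step 14).
param signupPolicyName string = 'B2C_1_signup'
param signinPolicyName string = 'B2C_1_signin'
param profileEditingPolicyName string = 'B2C_1_profile_edit'
param passwordResetPolicyName string = 'B2C_1_password_reset'

// Reference the API Management service created earlier; it is not deployed here.
resource apim 'Microsoft.ApiManagement/service@2021-08-01' existing = {
  name: apimServiceName
}

// One identityProviders child resource per provider type; the B2C one is named aadB2C.
resource b2cProvider 'Microsoft.ApiManagement/service/identityProviders@2021-08-01' = {
  parent: apim
  name: 'aadB2C'
  properties: {
    type: 'aadB2C'
    // Client Id (step 9) and Client Secret (step 11)
    clientId: b2cClientId
    clientSecret: b2cClientSecret
    // Signin tenant (step 12) and Authority (step 13)
    signinTenant: '${b2cTenantName}.onmicrosoft.com'
    authority: '${b2cTenantName}.b2clogin.com'
    // Sign-up and sign-in policies are required; the last two are optional (step 14)
    signupPolicyName: signupPolicyName
    signinPolicyName: signinPolicyName
    profileEditingPolicyName: profileEditingPolicyName
    passwordResetPolicyName: passwordResetPolicyName
  }
}
```

The Reply URL from step 6 still has to be registered on the B2C application itself; this template only configures the API Management side. Because the secret is a secure parameter, it does not appear in the deployment history, and rotating the app key is a redeployment with a new parameter value rather than an edit in the portal.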

Developer portal - add Azure AD B2C account authentication

In the developer portal, sign-in with AAD B2C is possible with the OAuth buttons widget. The widget is already included on the sign-in page of the default developer portal content.

AAD buttons widget

Although a new account will be automatically created whenever a new user signs in with AAD B2C, you may consider adding the same widget to the sign-up page.

Important

You need to republish the portal for the AAD changes to take effect.

Legacy developer portal - how to sign up with Azure AD B2C

Note

This documentation content is about the legacy developer portal. Refer to the following articles for content about the new developer portal:

  1. To sign up for a developer account by using Azure Active Directory B2C, open a new browser window and go to the developer portal. Click the Sign up button.

    Developer portal 1

  2. Choose to sign up with Azure Active Directory B2C.

    Developer portal 2

  3. You're redirected to the sign-up policy that you configured in the previous section. Choose to sign up by using your email address or one of your existing social accounts.

    Note

    If Azure Active Directory B2C is the only option that's enabled on the Identities tab in the publisher portal, you'll be redirected to the sign-up policy directly.

    Developer portal

    When the sign-up is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.

    Sign-up complete

Next steps