How to authorize developer accounts using OAuth 2.0 in Azure API Management

Many APIs support OAuth 2.0 to secure the API and ensure that only valid users have access, and that they can access only the resources to which they're entitled. To use Azure API Management's interactive Developer Console with such APIs, you can configure your service instance to work with your OAuth 2.0 enabled API.

Important

OAuth 2.0 authorization is not yet available in the interactive console of the new developer portal.

Prerequisites

This guide shows you how to configure your API Management service instance to use OAuth 2.0 authorization for developer accounts; it does not show you how to configure an OAuth 2.0 provider. The configuration of each OAuth 2.0 provider is different, although the steps are similar, and the pieces of information required to configure OAuth 2.0 in your API Management service instance are the same. This topic shows examples using Azure Active Directory as the OAuth 2.0 provider.

Note

For more information on configuring OAuth 2.0 using Azure Active Directory, see the WebApp-GraphAPI-DotNet sample.

Availability

Important

This feature is available in the Premium, Standard, Basic and Developer tiers of API Management.

Configure an OAuth 2.0 authorization server in API Management

Note

If you have not yet created an API Management service instance, see Create an API Management service instance.

  1. Click the OAuth 2.0 tab in the menu on the left, and then click +Add.

    (Screenshot: OAuth 2.0 menu)

  2. Enter a name and an optional description in the Name and Description fields.

    Note

    These fields identify the OAuth 2.0 authorization server within the current API Management service instance; their values do not come from the OAuth 2.0 server.

  3. Enter the Client registration page URL. This page is where users can create and manage their accounts, and it varies depending on the OAuth 2.0 provider used. The Client registration page URL points to the page that users can use to create and configure their own accounts, for OAuth 2.0 providers that support user management of accounts. Some organizations do not configure or use this functionality even if the OAuth 2.0 provider supports it. If your OAuth 2.0 provider does not have user management of accounts configured, enter a placeholder URL here, such as the URL of your company or a URL such as https://placeholder.contoso.com.

    (Screenshot: OAuth 2.0 new server)

  4. The next section of the form contains the Authorization grant types, Authorization endpoint URL, and Authorization request method settings.

    Specify the Authorization grant types by checking the desired types. Authorization code is selected by default.

    Enter the Authorization endpoint URL. For Azure Active Directory, this URL has the following form, where <tenant_id> is replaced with the ID of your Azure AD tenant.

    https://login.chinacloudapi.cn/<tenant_id>/oauth2/authorize

    The Authorization request method specifies how the authorization request is sent to the OAuth 2.0 server. By default, GET is selected.

  5. Next, specify the Token endpoint URL, Client authentication methods, Access token sending method and Default scope.

    (Screenshot: OAuth 2.0 new server)

    For an Azure Active Directory OAuth 2.0 server, the Token endpoint URL has the following form, where <TenantID> identifies the same Azure AD tenant as the authorization endpoint URL above; Azure AD accepts either the tenant ID or the tenant's domain name, such as yourapp.onmicrosoft.com.

    https://login.chinacloudapi.cn/<TenantID>/oauth2/token

    The default setting for Client authentication methods is Basic, meaning the client ID and client secret are sent to the token endpoint in an HTTP Basic Authorization header rather than in the request body. The default Access token sending method is Authorization header, which places the access token in an Authorization: Bearer header on API calls; prefer this over sending the token as a query parameter, since query strings tend to end up in server, proxy and browser logs. These values are configured in this section of the form, along with the Default scope.

The Client credentials section contains the Client ID and Client secret, which you obtain when creating and configuring your application with the OAuth 2.0 server (for Azure AD, the app registration). Once the Client ID and Client secret are specified, the redirect_uri for the authorization code grant is generated. Use this URI to configure the reply URL in your OAuth 2.0 server configuration; the provider rejects authorization requests whose redirect_uri is not registered, so the two values must match exactly.

(Screenshot: OAuth 2.0 new server)

If Authorization grant types includes Resource owner password, the Resource owner password credentials section is used to specify those credentials; otherwise you can leave it blank. Note that this grant hands a user's password to the client and is discouraged in current OAuth 2.0 guidance; use it only where the authorization code grant is not an option.

Once the form is complete, click Create to save the API Management OAuth 2.0 authorization server configuration. Once the server configuration is saved, you can configure APIs to use it, as shown in the next section.
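The exchange that steps 3 to 5 and the Client credentials section configure, shown as an added example that is not code from the page or from API Management: it builds the GET authorization request, checks state on the callback, sends the token request with Basic client authentication, and produces the Authorization: Bearer header that the developer console later fills in. The tenant ID, client ID, client secret, redirect_uri and scope are placeholders, and FakeAuthorizationServer is a constructed stand-in for the Azure AD endpoints so that the flow runs offline.

```python
import base64
import secrets
import urllib.parse

# Placeholder values (assumptions for this example); substitute your tenant and app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
AUTHORIZATION_ENDPOINT = f"https://login.chinacloudapi.cn/{TENANT_ID}/oauth2/authorize"
TOKEN_ENDPOINT = f"https://login.chinacloudapi.cn/{TENANT_ID}/oauth2/token"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "example-client-secret"
# Placeholder for the redirect_uri that API Management generates once the client ID and
# secret are entered; the real value must be registered as the reply URL in Azure AD.
REDIRECT_URI = "https://contoso.portal.azure-api.net/docs/services/aad/console/oauth2/authorizationcode/callback"
DEFAULT_SCOPE = "user_impersonation"


def build_authorization_url(state: str) -> str:
    """Authorization request method = GET: the console opens this URL in the pop-up."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": DEFAULT_SCOPE,
        "state": state,  # ties the callback to this request (CSRF / code-injection defence)
    }
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to redirect_uri, checking state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    return query["code"][0]


def build_token_request(code: str) -> tuple[dict, dict]:
    """Client authentication method = Basic: client_id:client_secret travel in an
    HTTP Basic header on the back-channel POST to TOKEN_ENDPOINT, not in the form body."""
    credentials = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    return headers, body


class FakeAuthorizationServer:
    """Minimal stand-in for the Azure AD endpoints so the flow runs offline (constructed)."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri) it was issued for

    def authorize(self, authorization_url: str) -> str:
        """Simulate the user signing in: issue a code bound to client_id and redirect_uri."""
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(authorization_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"][0], q["redirect_uri"][0])
        return q["redirect_uri"][0] + "?" + urllib.parse.urlencode({"code": code, "state": q["state"][0]})

    def token(self, headers: dict, body: dict) -> dict:
        """Check the Basic credentials, then redeem the single-use code for the same redirect_uri."""
        scheme, _, cred = headers.get("Authorization", "").partition(" ")
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        if scheme != "Basic" or client_id != CLIENT_ID or secret != CLIENT_SECRET:
            return {"error": "invalid_client"}
        issued = self.codes.pop(body.get("code"), None)
        if issued != (client_id, body.get("redirect_uri")):
            return {"error": "invalid_grant"}
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(32), "expires_in": 3600}


def run_console_flow(server: FakeAuthorizationServer) -> dict:
    """Full exchange; returns the request header the console fills in
    (Access token sending method = Authorization header)."""
    state = secrets.token_urlsafe(16)
    callback = server.authorize(build_authorization_url(state))
    code = parse_callback(callback, state)
    response = server.token(*build_token_request(code))
    if "access_token" not in response:
        raise RuntimeError(f"token request failed: {response.get('error')}")
    return {"Authorization": f"{response['token_type']} {response['access_token']}"}


if __name__ == "__main__":
    print(run_console_flow(FakeAuthorizationServer()))
```

Running the module prints the Authorization header the console would attach to the Echo API request. The stand-in server enforces the three checks a real provider performs on this path: the client credentials, the single use of the code, and the redirect_uri matching the one the code was issued for.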

Configure an API to use OAuth 2.0 user authorization

  1. Click APIs from the API Management menu on the left.

    (Screenshot: OAuth 2.0 APIs)

  2. Click the name of the desired API and click Settings. Scroll to the Security section, and then check the box for OAuth 2.0.

    (Screenshot: OAuth 2.0 settings)

  3. Select the desired Authorization server from the drop-down list, and click Save.

    (Screenshot: OAuth 2.0 settings)

This setting tells the developer portal's test console which authorization server to obtain a token from; it does not make the gateway validate the token on incoming requests. Callers without a valid token can still reach the backend unless you add a validate-jwt policy (or an equivalent check) to the API.

Legacy developer portal - test the OAuth 2.0 user authorization

Note

This documentation content is about the legacy developer portal. Refer to the following articles for content about the new developer portal:

Once you have configured your OAuth 2.0 authorization server and configured your API to use that server, you can test it by going to the Developer Portal and calling an API. Click Developer portal (legacy) in the top menu of your Azure API Management instance's Overview page.

Click APIs in the top menu and select Echo API.

(Screenshot: Echo API)

Note

If you have only one API configured or visible to your account, clicking APIs takes you directly to the operations for that API.

Select the GET Resource operation, click Open Console, and then select Authorization code from the drop-down.

(Screenshot: Open Console)

When Authorization code is selected, a pop-up window is displayed with the sign-in form of the OAuth 2.0 provider. In this example the sign-in form is provided by Azure Active Directory.

Note

If you have pop-ups disabled, the browser prompts you to enable them. After you enable them, select Authorization code again and the sign-in form is displayed.

(Screenshot: Sign in)

Once you have signed in, the Request headers are populated with an Authorization: Bearer header that authorizes the request.

(Screenshot: Request header token)

At this point you can configure the desired values for the remaining parameters and submit the request.

Next steps

For more information about using OAuth 2.0 and API Management, see the article.