Azure 应用服务中针对移动应用的身份验证和授权Authentication and authorization in Azure App Service for mobile apps

本文介绍了在开发具有应用服务后端的原生移动应用时身份验证和授权功能如何工作。This article describes how authentication and authorization works when developing native mobile apps with an App Service back end. 应用服务提供了集成的身份验证和授权,因此,移动应用可以在不更改应用服务中的任何代码的情况下让用户登录。App Service provides integrated authentication and authorization, so your mobile apps can sign users in without changing any code in App Service. 该功能可以方便地保护应用程序和处理每个用户的数据。It provides an easy way to protect your application and work with per-user data.

本文重点介绍了移动应用开发。This article focuses on mobile app development. 若要快速了解如何将应用服务身份验证和授权用于移动应用,请参阅以下教程之一:向 iOS 应用添加身份验证(或 AndroidWindowsXamarin.iOSXamarin.AndroidXamarin.FormsCordova)。To get started quickly with App Service authentication and authorization for your mobile app, see one of the following tutorials Add authentication to your iOS app (or Android, Windows, Xamarin.iOS, Xamarin.Android, Xamarin.Forms, or Cordova).

有关应用服务中的身份验证和授权如何工作的信息,请参阅 Azure 应用服务中的身份验证和授权For information on how authentication and authorization work in App Service, see Authentication and authorization in Azure App Service.

在使用提供者 SDK 的情况下进行身份验证Authentication with provider SDK

在应用服务中配置所有项目后,可以将移动客户端修改为通过应用服务进行登录。After everything is configured in App Service, you can modify mobile clients to sign in with App Service. 可以使用下述两种方式:There are two approaches here:

  • 使用给定标识提供者发布的 SDK 来建立标识,即可获得应用服务的访问权限。Use an SDK that a given identity provider publishes to establish identity and then gain access to App Service.
  • 使用单行代码即可让移动应用客户端 SDK 登录用户。Use a single line of code so that the Mobile Apps client SDK can sign in users.


大多数应用程序应使用提供者 SDK,这样可以让用户在登录时获得更一致的体验,可以使用令牌刷新支持,还可以获得提供者指定的其他权益。Most applications should use a provider SDK to get a more consistent experience when users sign in, to use token refresh support, and to get other benefits that the provider specifies.

使用提供者 SDK 时,用户一登录即可获得与操作系统结合更紧密的体验,而应用程序就运行在该操作系统中。When you use a provider SDK, users can sign in to an experience that integrates more tightly with the operating system that the app is running on. 此方法还提供提供者令牌以及客户端上的某些用户信息,因此可以更轻松地使用图形 API 和自定义用户体验。This method also gives you a provider token and some user information on the client, which makes it much easier to consume graph APIs and customize the user experience. 在博客和论坛上,此过程有时也被称为“客户端流”或“客户端定向流”,因为客户端代码可以登录用户,还可以访问提供者令牌。Occasionally on blogs and forums, it is referred to as the "client flow" or "client-directed flow" because code on the client signs in users, and the client code has access to a provider token.

获取提供者令牌后,需将其发送到应用服务进行验证。After a provider token is obtained, it needs to be sent to App Service for validation. 应用服务在验证令牌后会创建新的应用服务令牌,将其返回给客户端。After App Service validates the token, App Service creates a new App Service token that is returned to the client. 移动应用客户端 SDK 提供的帮助器方法可用于管理此交换,并可自动将令牌附加到针对应用程序后端的所有请求。The Mobile Apps client SDK has helper methods to manage this exchange and automatically attach the token to all requests to the application back end. 开发人员也可以保留对提供者令牌的引用。Developers can also keep a reference to the provider token.

有关身份验证流的详细信息,请参阅应用服务身份验证流For more information on the authentication flow, see App Service authentication flow.

在不使用提供者 SDK 的情况下进行身份验证Authentication without provider SDK

如果不希望设置提供者 SDK,可以利用 Azure 应用服务的移动应用功能进行登录。If you do not want to set up a provider SDK, you can allow the Mobile Apps feature of Azure App Service to sign in for you. 移动应用客户端 SDK 会针对所选提供者打开一个 Web 视图,方便用户登录。The Mobile Apps client SDK will open a web view to the provider of your choosing and sign in the user. 在博客和论坛上,此过程有时也被称为“服务器流”或“服务器定向流”,因为服务器管理用户登录过程,而客户端 SDK 从来不会收到提供者令牌。Occasionally on blogs and forums, it is called the "server flow" or "server-directed flow" because the server manages the process that signs in users, and the client SDK never receives the provider token.

启动此流程的代码包括在每个平台的身份验证教程中。Code to start this flow is included in the authentication tutorial for each platform. 在流程结束时,客户端 SDK 将拥有一个应用服务令牌,该令牌自动附加到针对应用程序后端的所有请求。At the end of the flow, the client SDK has an App Service token, and the token is automatically attached to all requests to the application backend.

有关身份验证流的详细信息,请参阅应用服务身份验证流For more information on the authentication flow, see App Service authentication flow.

更多资源More resources

以下教程展示了如何通过服务器定向流向移动客户端添加身份验证:The following tutorials show how to add authentication to your mobile clients by using the server-directed flow:

若要为 Azure Active Directory 使用客户端定向流,请参阅以下资源:Use the following resources if you want to use the client-directed flow for Azure Active Directory: