
Authentication vs authorization

This article defines authentication and authorization and briefly covers how you can use the Microsoft identity platform to authenticate and authorize users in your web apps, web APIs, or apps that call protected web APIs. If you see a term you aren't familiar with, try our glossary or our Microsoft identity platform videos, which cover the basic concepts.

Authentication

Authentication is the process of proving you are who you say you are. Authentication is sometimes shortened to AuthN. The Microsoft identity platform implements the OpenID Connect protocol for handling authentication.

Authorization

Authorization is the act of granting an authenticated party permission to do something. It specifies what data you're allowed to access and what you can do with that data. Authorization is sometimes shortened to AuthZ. The Microsoft identity platform implements the OAuth 2.0 protocol for handling authorization.

Authentication and authorization using the Microsoft identity platform

Instead of creating apps that each maintain their own username and password store, which incurs a high administrative burden when you need to add or remove users across multiple apps, apps can delegate that responsibility to a centralized identity provider.

Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as Conditional Access policies that require a user to be in a specific location, the use of multi-factor authentication (sometimes referred to as two-factor authentication or 2FA), and letting a user sign in once and then be automatically signed in to all of the web apps that share the same centralized directory. This capability is referred to as single sign-on (SSO).

The Microsoft identity platform simplifies authorization and authentication for application developers by providing identity as a service, with support for industry-standard protocols such as OAuth 2.0 and OpenID Connect, as well as open-source libraries for different platforms to help you start coding quickly. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft Graph, other Microsoft APIs, or APIs that developers have built. For more information, see Evolution of Microsoft identity platform.

Following is a brief comparison of the various protocols used by the Microsoft identity platform:

  • OAuth vs OpenID Connect: OAuth is used for authorization and OpenID Connect (OIDC) is used for authentication. OpenID Connect is built on top of OAuth 2.0, so the terminology and flow are similar between the two. You can even both authenticate a user (using OpenID Connect) and get authorization to access a protected resource that the user owns (using OAuth 2.0) in one request: include the `openid` scope alongside the resource scopes, and the token response carries an ID token for the app to validate together with the access token for the resource. For more information, see OAuth 2.0 and OpenID Connect protocols and OpenID Connect protocol.
  • OAuth vs SAML: OAuth is used for authorization and SAML is used for authentication. See Microsoft identity platform and OAuth 2.0 SAML bearer assertion flow for more information on how the two protocols can be used together to both authenticate a user (using SAML) and get authorization to access a protected resource (using OAuth 2.0).
  • OpenID Connect vs SAML: Both OpenID Connect and SAML are used to authenticate a user and to enable single sign-on. SAML authentication is commonly used with identity providers such as Active Directory Federation Services (AD FS) federated to Azure AD and is therefore frequently used in enterprise applications. OpenID Connect is commonly used for apps that are purely in the cloud, such as mobile apps, web sites, and web APIs.
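The combined OIDC-plus-OAuth request from the first bullet, as an added example (not code from the original article or from the Microsoft identity platform libraries). It builds a v2.0 authorization-code request that asks for `openid profile` (authentication) and a Microsoft Graph delegated permission (authorization) in one redirect, protects the exchange with a PKCE code challenge, `state` and `nonce`, and then applies the claim checks an app must run on the returned ID token. The tenant, client ID and redirect URI are made-up placeholders, and the ID token payload at the bottom is constructed for the demonstration; the signature check against the tenant's published keys is assumed to have happened before `check_id_token_claims` runs.

```python
"""Added example: one authorize request that authenticates the user (OpenID
Connect, `openid` scope) and requests delegated access to a resource (OAuth 2.0,
Graph scope), plus the claim validation an app performs on the ID token.
Not code from the original article."""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"  # Microsoft identity platform v2.0


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and RFC 7636 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43..128 char high-entropy PKCE verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, nonce, code_verifier):
    """Authorization-code request. `openid` makes it an OIDC authentication
    request (ID token returned); the remaining scopes are OAuth 2.0 delegated
    permissions (access token returned) - both come back from one exchange."""
    if "openid" not in scopes:
        raise ValueError("add the openid scope or you will not get an ID token")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                     # CSRF binding, checked on the redirect back
        "nonce": nonce,                     # replay binding, echoed in the ID token
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def check_id_token_claims(claims, tenant_id, client_id, expected_nonce, now=None, skew=300):
    """Claim checks on an ID token whose signature has ALREADY been verified
    against the tenant's JWKS (/discovery/v2.0/keys). Returns the names of the
    failing claims; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"{AUTHORITY}/{tenant_id}/v2.0":
        problems.append("iss")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        problems.append("aud")
    if claims.get("tid") != tenant_id:
        problems.append("tid")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + skew < now:
        problems.append("exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf - skew > now:
        problems.append("nbf")
    return problems


if __name__ == "__main__":
    # Placeholder identifiers for the demonstration only.
    tenant_id = "00000000-0000-0000-0000-000000000001"
    client_id = "11111111-2222-3333-4444-555555555555"
    verifier, state, nonce = new_code_verifier(), secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(tenant_id, client_id, "https://localhost:5001/signin-oidc",
                              ["openid", "profile", "https://graph.microsoft.com/User.Read"],
                              state, nonce, verifier))
    # Constructed ID-token payload (what the app sees after signature verification).
    now = int(time.time())
    claims = {"iss": f"{AUTHORITY}/{tenant_id}/v2.0", "aud": client_id, "tid": tenant_id,
              "nonce": nonce, "exp": now + 3600, "nbf": now, "preferred_username": "alice@contoso.example"}
    print("problems:", check_id_token_claims(claims, tenant_id, client_id, nonce))
```

The code verifier is kept server-side (or in the app's session) and sent only with the token request, so an attacker who captures the authorization code from the redirect cannot redeem it; the `nonce` in the ID token ties that token back to this specific login attempt, which is what separates "the user is authenticated" from "someone replayed an old token".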

Next steps

For other topics covering authentication and authorization basics: