
Authentication flows

This article describes the different authentication flows provided by the Microsoft Authentication Library (MSAL). These flows can be used in a variety of different application scenarios.

| Flow | Description | Used in |
| --- | --- | --- |
| Interactive | Gets the token through an interactive process that prompts the user for credentials through a browser or pop-up window. | Desktop apps, mobile apps |
| Implicit grant | Allows the app to get tokens without performing a back-end server credential exchange. This allows the app to sign in the user, maintain a session, and get tokens for other web APIs, all within the client JavaScript code. | Single-page applications (SPA) |
| Authorization code | Used in apps that are installed on a device to gain access to protected resources, such as web APIs. This allows you to add sign-in and API access to your mobile and desktop apps. | Desktop apps, mobile apps, web apps |
| On-behalf-of | An application invokes a service or web API, which in turn needs to call another service or web API. The idea is to propagate the delegated user identity and permissions through the request chain. | Web APIs |
| Client credentials | Allows you to access web-hosted resources by using the identity of an application. Commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. | Daemon apps |
| Device code | Allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. | Desktop/mobile apps |
| Integrated Windows Authentication | Allows applications on domain-joined or Azure Active Directory (Azure AD)-joined computers to acquire a token silently (without any UI interaction from the user). | Desktop/mobile apps |
| Username/password | Allows an application to sign in the user by directly handling their password. This flow isn't recommended. | Desktop/mobile apps |

How each flow emits tokens and codes

Depending on how your client is built, it can use one (or several) of the authentication flows supported by the Microsoft identity platform. These flows can produce a variety of tokens (id_tokens, refresh tokens, access tokens) as well as authorization codes, and require different tokens to make them work. This chart provides an overview:

| Flow | Requires | id_token | access token | refresh token | authorization code |
| --- | --- | --- | --- | --- | --- |
| Authorization code flow | | x | x | x | x |
| Implicit flow | | x | x | | |
| Hybrid OIDC flow | | x | | | x |
| Refresh token redemption | refresh token | x | x | x | |
| On-behalf-of flow | access token | x | x | x | |
| Device code flow | | x | x | x | |
| Client credentials | | | x (app-only) | | |

Tokens issued via the implicit mode have a length limitation, because they are passed back to the browser in the URL (where response_mode is query or fragment). Some browsers limit the size of the URL that can be put in the address bar and fail when it is too long. As a result, these tokens do not carry the groups or wids claims.
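The following Python is an added example, not code from this page or from MSAL. It parses a constructed implicit-flow redirect (response_mode=fragment), decodes the token payloads without verifying them, and reports which claims are present (so a reviewer can see that groups and wids are absent) and how long the redirect URL is. The URL-length threshold, the callback URL, the sample redirect and the unsigned sample tokens are all assumptions constructed for the demo.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Illustrative threshold only (assumption): the page says "some browsers" fail on long
# URLs; the actual limit differs per browser.
MAX_URL_LENGTH = 2048


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWT without verifying its signature.

    Inspection only: a real client must validate signature, issuer, audience and
    expiry before trusting any claim in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_implicit_response(redirect_url: str) -> dict:
    """Split an implicit-flow redirect into its parameters and summarise each token."""
    fragment = urlsplit(redirect_url).fragment
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in params:
        return {"error": params["error"],
                "error_description": params.get("error_description")}
    result = {
        "url_length": len(redirect_url),
        "exceeds_limit": len(redirect_url) > MAX_URL_LENGTH,
    }
    for name in ("id_token", "access_token"):
        if name in params:
            claims = decode_jwt_payload(params[name])
            result[name] = {
                "claims": sorted(claims),
                "has_groups": "groups" in claims,
                "has_wids": "wids" in claims,
            }
    return result


def _make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for the demo (signature segment is a placeholder)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.placeholder"


# Constructed redirect as a browser would receive it after an implicit-grant sign-in.
SAMPLE_REDIRECT = (
    "https://localhost/callback#"
    "access_token=" + _make_sample_jwt({"aud": "api://example", "sub": "user-1", "scp": "read"})
    + "&id_token=" + _make_sample_jwt({"aud": "client-1", "sub": "user-1", "name": "Sample User"})
    + "&token_type=Bearer&expires_in=3599&state=abc"
)

if __name__ == "__main__":
    print(json.dumps(parse_implicit_response(SAMPLE_REDIRECT), indent=2))
```

Because the whole response lives in the URL fragment, everything a defender might want to inspect (claims, state, token length) is visible client-side; the example reads it the same way a SPA would.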

Interactive

MSAL supports the ability to interactively prompt the user for their credentials to sign in, and to obtain a token by using those credentials.

(Diagram: interactive flow)

For more information on using MSAL.NET to interactively acquire tokens on specific platforms, see:

For more information on interactive calls in MSAL.js, see Prompt behavior in MSAL.js interactive requests.

Implicit grant

MSAL supports the OAuth 2 implicit grant flow, which allows the app to get tokens from the Microsoft identity platform without performing a back-end server credential exchange. This allows the app to sign in the user, maintain a session, and get tokens for other web APIs, all within the client JavaScript code.

(Diagram: implicit grant flow)

Many modern web applications are built as client-side, single-page applications, written by using JavaScript or an SPA framework such as Angular, Vue.js, and React.js. These applications run in a web browser, and have different authentication characteristics than traditional server-side web applications. The Microsoft identity platform enables single-page applications to sign in users, and get tokens to access back-end services or web APIs, by using the implicit grant flow. The implicit flow allows the application to get ID tokens to represent the authenticated user, and also access tokens needed to call protected APIs.

This authentication flow doesn't include application scenarios that use cross-platform JavaScript frameworks such as Electron and React Native, because they require further capabilities for interaction with the native platforms.

Authorization code

MSAL supports the OAuth 2 authorization code grant. This grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs. This allows you to add sign-in and API access to your mobile and desktop apps.

When users sign in to web applications (websites), the web application receives an authorization code. The authorization code is redeemed to acquire a token to call web APIs. In ASP.NET and ASP.NET Core web apps, the only goal of AcquireTokenByAuthorizationCode is to add a token to the token cache. The token can then be used by the application (usually in the controllers, which just get a token for an API by using AcquireTokenSilent).

(Diagram: authorization code flow)

In the preceding diagram, the application:

  1. Requests an authorization code, which is redeemed for an access token.
  2. Uses the access token to call a web API.

Considerations

  • You can use the authorization code only once to redeem a token. Don't try to acquire a token multiple times with the same authorization code (it's explicitly prohibited by the protocol standard specification). If you redeem the code several times, intentionally or because you are not aware that a framework also does it for you, you'll get the following error: AADSTS70002: Error validating credentials. AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.

  • If you're writing an ASP.NET or ASP.NET Core application, this might happen if you don't tell the framework that you've already redeemed the authorization code. For this, you need to call the context.HandleCodeRedemption() method of the AuthorizationCodeReceived event handler.

  • Avoid sharing the access token with ASP.NET, which might prevent incremental consent from happening correctly. For more information, see issue #693.
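To show the server side of the "redeem only once" rule above, here is an added example (constructed model, not Azure AD's implementation and not MSAL code): a minimal token endpoint that binds each authorization code to the client and redirect URI it was issued for, lets it be redeemed exactly once, and on a second redemption denies the request and revokes the tokens the first redemption produced, which is what RFC 6749 section 4.1.2 asks of authorization servers. The code lifetime, client IDs and redirect URIs are assumptions for the demo; the error text reuses the AADSTS54005 message quoted in the Considerations.

```python
import secrets
import time

CODE_LIFETIME_SECONDS = 600  # assumption for this demo; real lifetimes are set by the identity provider

# Error text mirrors the message quoted in the Considerations above.
ALREADY_REDEEMED = ("AADSTS54005: OAuth2 Authorization code was already redeemed, "
                    "please retry with a new valid code or use an existing refresh token.")


class TokenEndpoint:
    """Constructed model of an authorization server's token endpoint (not Azure AD, not MSAL)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}          # code -> issuance record
        self.issued_tokens = {}  # access token -> the code it was redeemed from
        self.revoked = set()

    def issue_code(self, client_id, redirect_uri, subject):
        """Step 1 of the flow: the authorization endpoint hands the client a one-time code."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": subject, "issued_at": self.clock(), "redeemed": False}
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Step 2: exchange the code for tokens. Returns a token response or an OAuth error."""
        entry = self.codes.get(code)
        if entry is None:
            return {"error": "invalid_grant", "error_description": "unknown authorization code"}
        if entry["redeemed"]:
            # Replay of a consumed code: deny, and revoke everything the first redemption issued
            for token, source in list(self.issued_tokens.items()):
                if source == code:
                    self.revoked.add(token)
            return {"error": "invalid_grant", "error_description": ALREADY_REDEEMED}
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant",
                    "error_description": "code bound to a different client or redirect_uri"}
        if self.clock() - entry["issued_at"] > CODE_LIFETIME_SECONDS:
            return {"error": "invalid_grant", "error_description": "authorization code expired"}
        entry["redeemed"] = True
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self.issued_tokens[access_token] = code
        return {"token_type": "Bearer", "access_token": access_token,
                "refresh_token": refresh_token, "sub": entry["sub"]}

    def is_token_valid(self, access_token):
        """What a resource server would ask: was this token issued, and is it still unrevoked?"""
        return access_token in self.issued_tokens and access_token not in self.revoked


if __name__ == "__main__":
    endpoint = TokenEndpoint()
    code = endpoint.issue_code("client-app", "https://localhost/callback", "user-1")
    print(endpoint.redeem(code, "client-app", "https://localhost/callback"))
    print(endpoint.redeem(code, "client-app", "https://localhost/callback"))  # second use is refused
```

Seen from the server, an accidental double redemption by a framework and a deliberate replay by an attacker who captured the code look identical, which is why the spec treats the second use as a signal to revoke rather than a harmless retry.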

On-behalf-of

MSAL supports the OAuth 2 on-behalf-of authentication flow. This flow is used when an application invokes a service or web API, which in turn needs to call another service or web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.

(Diagram: on-behalf-of flow)

In the preceding diagram:

  1. The application acquires an access token for the web API.
  2. A client (web, desktop, mobile, or single-page application) calls a protected web API, adding the access token as a bearer token in the authentication header of the HTTP request. The web API authenticates the user.
  3. When the client calls the web API, the web API requests another token on behalf of the user.
  4. The protected web API uses this token to call a downstream web API on behalf of the user. The web API can also later request tokens for other downstream APIs (but still on behalf of the same user).
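The four steps above, carried through end to end as an added example (a constructed model of the exchange, not Azure AD's implementation and not MSAL code). A stand-in security token service signs tokens with an HMAC key (an assumption standing in for the identity platform's signing key); the middle-tier API validates the inbound bearer token's signature and audience, presents that token as the assertion in an on-behalf-of exchange, and calls the downstream API with the result. The API identifiers and user are made up; the claim names (aud, sub, scp, azp) follow the identity platform's conventions.

```python
import hashlib
import hmac
import json

# Constructed signing key standing in for the identity platform's key (assumption, demo only).
STS_KEY = b"demo-signing-key-not-for-production"


def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True)
    mac = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(token: str, expected_audience: str) -> dict:
    """What each web API does when a bearer token arrives: check signature, then audience."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["aud"] != expected_audience:
        raise PermissionError(f"token for {claims['aud']} presented to {expected_audience}")
    return claims


class SecurityTokenService:
    """Constructed stand-in for the identity platform's token endpoint (not Azure AD, not MSAL)."""

    def issue_for_user(self, client_id: str, subject: str, audience: str, scope: str) -> str:
        # Step 1: the client application acquires an access token for the middle-tier API.
        return _sign({"aud": audience, "sub": subject, "scp": scope, "azp": client_id})

    def exchange_on_behalf_of(self, middle_tier_id: str, assertion: str,
                              audience: str, scope: str) -> str:
        # Step 3: the middle tier presents the token it received as an assertion. The
        # assertion must have been issued *to* the middle tier, otherwise the exchange fails.
        inbound = verify_token(assertion, expected_audience=middle_tier_id)
        # The new token keeps the same user (sub): identity is propagated, not replaced.
        return _sign({"aud": audience, "sub": inbound["sub"], "scp": scope, "azp": middle_tier_id})


class DownstreamApi:
    ID = "api://downstream"

    def get_profile(self, bearer: str) -> dict:
        claims = verify_token(bearer, self.ID)
        return {"served_to": claims["sub"], "via": claims["azp"]}


class MiddleTierApi:
    ID = "api://middle-tier"

    def __init__(self, sts: SecurityTokenService, downstream: DownstreamApi):
        self.sts, self.downstream = sts, downstream

    def handle_request(self, bearer: str) -> dict:
        # Step 2: authenticate the caller's token before doing anything with it.
        claims = verify_token(bearer, self.ID)
        # Step 3: request a token for the downstream API on behalf of that same user.
        obo_token = self.sts.exchange_on_behalf_of(self.ID, bearer, DownstreamApi.ID, "profile.read")
        # Step 4: call the downstream API with the on-behalf-of token.
        return {"user": claims["sub"], "downstream": self.downstream.get_profile(obo_token)}


def downstream_rejects(token: str) -> bool:
    """True if the downstream API refuses the token (e.g. it was issued for another audience)."""
    try:
        DownstreamApi().get_profile(token)
        return False
    except PermissionError:
        return True


def run_chain() -> dict:
    sts = SecurityTokenService()
    middle = MiddleTierApi(sts, DownstreamApi())
    client_token = sts.issue_for_user("client-app", "user-1", MiddleTierApi.ID, "access_as_user")
    return middle.handle_request(client_token)


if __name__ == "__main__":
    print(run_chain())
```

The audience check is what makes the exchange necessary: simply forwarding the client's token to the downstream API fails, because that token was issued for the middle tier. The on-behalf-of token carries the original user but a new audience and a new authorized party, so the downstream API can see both who the user is and which service is acting for them.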

Client credentials

MSAL supports the OAuth 2 client credentials flow. This flow allows you to access web-hosted resources by using the identity of an application. This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as daemons or service accounts.

The client credentials grant flow permits a web service (a confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. In this scenario, the client is typically a middle-tier web service, a daemon service, or a website. For a higher level of assurance, the Microsoft identity platform also allows the calling service to use a certificate (instead of a shared secret) as a credential.

Note

The confidential client flow isn't available on the mobile platforms (UWP, Xamarin.iOS, and Xamarin.Android), because these only support public client applications. Public client applications don't know how to prove the application's identity to the identity provider. A secure connection can be achieved on web app or web API back ends by deploying a certificate.

MSAL.NET supports two types of client credentials. These client credentials need to be registered with Azure AD. The credentials are passed in to the constructors of the confidential client application in your code.

Application secrets

(Diagram: confidential client with a password)

In the preceding diagram, the application:

  1. Acquires a token by using application secret or password credentials.
  2. Uses the token to make requests of the resource.

Certificates

(Diagram: confidential client with a certificate)

In the preceding diagram, the application:

  1. Acquires a token by using certificate credentials.
  2. Uses the token to make requests of the resource.

These client credentials need to be:

  • Registered with Azure AD.
  • Passed in at the construction of the confidential client application in your code.

Device code

MSAL supports the OAuth 2 device code flow, which allows users to sign in to input-constrained devices, such as a smart TV, IoT device, or printer. Interactive authentication with Azure AD requires a web browser. The device code flow lets the user use another device (for example, another computer or a mobile phone) to sign in interactively, where the device or operating system doesn't provide a web browser.

By using the device code flow, the application obtains tokens through a two-step process especially designed for these devices or operating systems. Examples of such applications include those running on IoT devices or command-line tools (CLI).

(Diagram: device code flow)

In the preceding diagram:

  1. Whenever user authentication is required, the app provides a code, and asks the user to use another device (such as an internet-connected smartphone) to go to a URL (for example, https://microsoft.com/devicelogin). The user is then prompted to enter the code, and proceeds through a normal authentication experience, including consent prompts and multi-factor authentication if necessary.

  2. Upon successful authentication, the command-line app receives the required tokens through a back channel, and uses them to perform the web API calls it needs.
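The two-step process above, with both devices' messages, as an added example (a constructed model of the flow, not Azure AD's implementation and not MSAL code). The input-constrained device asks for a device code and a short user code, the user enters that code on a second device and completes the normal sign-in, and the first device polls the token endpoint over the back channel until it is told the user has finished, the user declined, or the code expired. The code lifetime, poll interval, client ID and user are assumptions; the error names follow RFC 8628; the verification URL is the one quoted in step 1.

```python
import secrets
import time

DEVICE_CODE_LIFETIME = 900   # seconds; assumption for this demo
POLL_INTERVAL = 5            # seconds between polls; assumption for this demo
VERIFICATION_URI = "https://microsoft.com/devicelogin"


class DeviceAuthorizationServer:
    """Constructed model of the two endpoints the device code flow uses (not Azure AD, not MSAL)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # device_code -> record
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (device side): the constrained device asks for a code pair to show the user."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. 1A2B-3C4D
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "issued_at": self.clock(), "status": "authorization_pending",
                                     "sub": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": DEVICE_CODE_LIFETIME,
                "interval": POLL_INTERVAL,
                "message": f"Open {VERIFICATION_URI} on another device and enter the code {user_code}"}

    def user_approves(self, user_code, subject, sign_in_succeeded):
        """Step 1 (second device): the user types the code and completes the normal sign-in,
        including any consent prompt or multi-factor challenge."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or device_code not in self.pending:
            return "unknown code"
        record = self.pending[device_code]
        if not sign_in_succeeded:
            record["status"] = "access_denied"
            return "declined"
        record.update(status="approved", sub=subject)
        return "approved"

    def token(self, device_code, client_id):
        """Step 2 (back channel): the device polls until the user has finished."""
        record = self.pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() - record["issued_at"] > DEVICE_CODE_LIFETIME:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if record["status"] in ("authorization_pending", "access_denied"):
            return {"error": record["status"]}
        del self.pending[device_code]   # the device code is consumed by a successful redemption
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "sub": record["sub"], "scope": record["scope"]}


def run_flow(server, client_id="cli-app", scope="user.read", subject="user-1"):
    """Drive both sides in order: request codes, poll (still pending), user approves, poll again."""
    grant = server.device_authorization(client_id, scope)
    first_poll = server.token(grant["device_code"], client_id)
    server.user_approves(grant["user_code"], subject, sign_in_succeeded=True)
    return first_poll, server.token(grant["device_code"], client_id)


if __name__ == "__main__":
    pending, tokens = run_flow(DeviceAuthorizationServer())
    print(pending)
    print(tokens["sub"], tokens["scope"])
```

The device never sees the user's credentials and the user never types anything on the constrained device except by reading the code off it; everything sensitive happens in the browser on the second device, and the polling device only ever learns the outcome.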

Constraints

  • The device code flow is only available on public client applications.
  • The authority passed in when constructing the public client application must be one of the following:
    • Tenanted (of the form https://login.microsoftonline.com/{tenant}/ where {tenant} is either the GUID representing the tenant ID or a domain associated with the tenant).
    • For any work and school accounts (https://login.microsoftonline.com/organizations/).
  • Microsoft personal accounts aren't yet supported by the Azure AD v2.0 endpoint (you can't use the /common or /consumers tenants).

Integrated Windows Authentication

MSAL supports Integrated Windows Authentication (IWA) for desktop or mobile applications that run on a domain-joined or Azure AD-joined Windows computer. Using IWA, these applications can acquire a token silently (without any UI interaction from the user).

(Diagram: Integrated Windows Authentication)

In the preceding diagram, the application:

  1. Acquires a token by using Integrated Windows Authentication.
  2. Uses the token to make requests of the resource.

Constraints

IWA supports federated users only, meaning users created in Active Directory and backed by Azure AD. Users created directly in Azure AD, without Active Directory backing (managed users), can't use this authentication flow. This limitation doesn't affect the username/password flow.

IWA is for apps written for the .NET Framework, .NET Core, and Universal Windows Platform.

IWA doesn't bypass multi-factor authentication. If multi-factor authentication is configured, IWA might fail if a multi-factor authentication challenge is required. Multi-factor authentication requires user interaction.

You don't control when the identity provider requests two-factor authentication to be performed. The tenant admin does. Typically, two-factor authentication is required when you sign in from a different country, when you're not connected via VPN to a corporate network, and sometimes even when you are connected via VPN. Azure AD uses AI to continuously learn whether two-factor authentication is required. If IWA fails, you should fall back to an interactive user prompt (see Interactive above).

The authority passed in when constructing the public client application must be one of the following:

  • Tenanted (of the form https://login.microsoftonline.com/{tenant}/ where {tenant} is either the GUID representing the tenant ID or a domain associated with the tenant).
  • For any work and school accounts (https://login.microsoftonline.com/organizations/). Microsoft personal accounts are not supported (you can't use the /common or /consumers tenants).

Because IWA is a silent flow, one of the following must be true:

  • The user of your application must have previously consented to use the application.
  • The tenant admin must have previously consented to all users in the tenant using the application.

This means that one of the following is true:

  • You as a developer have selected Grant on the Azure portal for yourself.
  • A tenant admin has selected Grant/revoke admin consent for {tenant domain} in the API permissions tab of the registration for the application (see Add permissions to access web APIs).
  • You have provided a way for users to consent to the application (see Requesting individual user consent).
  • You have provided a way for the tenant admin to consent for the application (see admin consent).

The IWA flow is enabled for .NET desktop, .NET Core, and Windows Universal Platform apps. On .NET Core you must provide the username to IWA, because .NET Core can't obtain usernames from the operating system.

For more information on consent, see v2.0 permissions and consent.

Username/password

MSAL supports the OAuth 2 resource owner password credentials grant, which allows an application to sign in the user by directly handling their password. In your desktop application, you can use the username/password flow to acquire a token silently. No UI is required when using the application.

(Diagram: username/password flow)

In the preceding diagram, the application:

  1. Acquires a token by sending the username and password to the identity provider.
  2. Calls a web API by using the token.

Warning

This flow isn't recommended. It requires a high degree of trust and user exposure. You should only use this flow when other, more secure, flows can't be used. For more information, see What's the solution to the growing problem of passwords?

The preferred flow for acquiring a token silently on Windows domain-joined machines is Integrated Windows Authentication. Otherwise, you can also use the device code flow.

Although this is useful in some cases (DevOps scenarios), if you want to use username/password in interactive scenarios where you provide your own UI, try to avoid it. By using username/password:

  • Users who need to do multi-factor authentication won't be able to sign in (as there is no interaction).
  • Users won't be able to do single sign-on.

Constraints

Apart from the Integrated Windows Authentication constraints, the following constraints also apply:

  • The username/password flow isn't compatible with Conditional Access and multi-factor authentication. As a consequence, if your app runs in an Azure AD tenant where the tenant admin requires multi-factor authentication, you can't use this flow. Many organizations do that.
  • It works only for work and school accounts (not Microsoft accounts).
  • The flow is available on .NET desktop and .NET Core, but not on Universal Windows Platform.

Azure AD B2C specifics

For more information on using MSAL.NET and Azure AD B2C, see Using ROPC with Azure AD B2C (MSAL.NET).