
Scenario: Web app that signs in users

Learn all you need to build a web app that uses the Microsoft identity platform to sign in users.

Prerequisites

Before reading this article, you should be familiar with the following concepts:

Getting started

If you want to create your first portable (ASP.NET Core) web app that signs in users, follow this quickstart:

Overview

You add authentication to your web app so that it can sign in users. Adding authentication enables your web app to access limited profile information in order to customize the experience for users.

Web apps authenticate a user in a web browser. In this scenario, the web app directs the user's browser to sign them in to Azure Active Directory (Azure AD). Azure AD returns a sign-in response through the user's browser, which contains claims about the user in a security token. Signing in users takes advantage of the OpenID Connect standard protocol, simplified by the use of middleware libraries.

Signing in users with a web app

As a second phase, you can enable your application to call web APIs on behalf of the signed-in user. This next phase is a different scenario, which you'll find in Web app that calls web APIs.

Note

Adding sign-in to a web app is about protecting the web app and validating a user token, which is what middleware libraries do. In the case of .NET, this scenario does not yet require the Microsoft Authentication Library (MSAL), which is about acquiring a token to call protected APIs. Authentication libraries will be introduced in the follow-up scenario, when the web app needs to call web APIs.

Specifics

  • During the application registration, you'll need to provide one or several (if you deploy your app to several locations) reply URIs. In some cases (ASP.NET and ASP.NET Core), you'll need to enable the ID token. Finally, you'll want to set up a sign-out URI so that your application reacts to users signing out.
  • In the code for your application, you'll need to provide the authority to which your web app delegates sign-in. You might want to customize token validation (in particular, in partner scenarios).
  • Web applications support any account type. For more information, see Supported account types.
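The following ASP.NET Core Startup is an added illustration of the points above (authority, reply URI, ID token, sign-out URI and custom token validation) and is not code from the original page or from the quickstart; the tenant and client IDs, the partner tenant ID and the callback paths are assumed placeholder values.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added illustration, not the page's own code. Tenant and client IDs are assumed
// placeholders; the middleware handles sign-in, token validation and sign-out, so no MSAL yet.
public class Startup
{
    private const string TenantId = "<tenant-id>";   // placeholder from the app registration
    private const string ClientId = "<client-id>";   // placeholder from the app registration
    // Tenants whose tokens this app accepts (partner scenario); placeholder values.
    private static readonly string[] AllowedTenantIds = { TenantId, "<partner-tenant-id>" };

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(o =>
            {
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;     // session cookie
                o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;  // redirect to Azure AD
            })
            .AddCookie()
            .AddOpenIdConnect(o =>
            {
                // Authority the web app delegates sign-in to (Azure AD v2.0 endpoint).
                o.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
                o.ClientId = ClientId;
                // Sign-in only: request an ID token (needs "ID tokens" enabled in the registration).
                o.ResponseType = OpenIdConnectResponseType.IdToken;
                // Must match a reply URI in the app registration (https://<host>/signin-oidc).
                o.CallbackPath = "/signin-oidc";
                // Sign-out URI so the app reacts when the user signs out at Azure AD.
                o.SignedOutCallbackPath = "/signout-callback-oidc";
                // Custom validation: accept only issuers belonging to the allowed tenants.
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    IssuerValidator = (issuer, token, parameters) =>
                        AllowedTenantIds.Any(t => issuer == $"https://login.microsoftonline.com/{t}/v2.0")
                            ? issuer
                            : throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' not allowed.")
                };
            });
    }
}
```

The Configure method of the same class must still call app.UseAuthentication() and app.UseAuthorization() before mapping endpoints, otherwise the cookie is never checked and the OIDC callbacks are never handled.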

Next steps