Choose a Microsoft Graph authentication provider based on scenario

Authentication providers implement the code required to acquire a token using the Microsoft Authentication Library (MSAL), handle a number of potential errors for cases like incremental consent, expired passwords, and conditional access, and then set the HTTP request authorization header. The following table lists the set of providers that match the scenarios for different application types.

| Scenario | Flow/Grant | Audience | Provider |
|---|---|---|---|
| Single Page App | Implicit | Delegated Consumer/Org | Implicit Provider |
| Web App that calls web APIs | Authorization Code | Delegated Consumer/Org | Authorization Code Provider |
| Web App that calls web APIs | Client Credentials | App Only | Client Credentials Provider |
| Web API that calls web APIs | On Behalf Of | Delegated Consumer/Org | On Behalf Of Provider |
| Web API that calls web APIs | Client Credentials | App Only | Client Credentials Provider |
| Desktop app that calls web APIs | Interactive | Delegated Consumer/Org | Interactive Provider |
| Desktop app that calls web APIs | Integrated Windows | Delegated Org | Integrated Windows Provider |
| Desktop app that calls web APIs | Resource Owner | Delegated Org | Username / Password Provider |
| Desktop app that calls web APIs | Device Code | Delegated Org | Device Code Provider |
| Daemon app | Client Credentials | App Only | Client Credentials Provider |
| Mobile app that calls web APIs | Interactive | Delegated Consumer/Org | Interactive Provider |

Authorization code provider

The authorization code flow enables native and web apps to securely obtain tokens in the name of the user. To learn more, see Microsoft identity platform and OAuth 2.0 authorization code flow.

IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithRedirectUri(redirectUri)
    .WithClientSecret(clientSecret) // or .WithCertificate(certificate)
    .Build();

AuthorizationCodeProvider authProvider = new AuthorizationCodeProvider(confidentialClientApplication, scopes);

Client credentials provider

The client credential flow enables service applications to run without user interaction. Access is based on the identity of the application. For more information, see Microsoft identity platform and the OAuth 2.0 client credentials flow.

IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantID)
    .WithClientSecret(clientSecret)
    .Build();

ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
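
As an added example (not from the original page), the client credentials provider built with a certificate instead of a client secret, the alternative noted in the `.WithCertificate(certificate)` comment above. The `GraphClientFactory` helper and the `GRAPH_*` environment variable names are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

// Hypothetical helper; the GRAPH_* environment variable names are assumptions.
public static class GraphClientFactory
{
    public static GraphServiceClient Create()
    {
        string clientId = RequireEnv("GRAPH_CLIENT_ID");
        string tenantId = RequireEnv("GRAPH_TENANT_ID");
        X509Certificate2 certificate = LoadCertificate(RequireEnv("GRAPH_CERT_THUMBPRINT"));

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)
            .WithCertificate(certificate) // no shared secret in code or config
            .Build();

        return new GraphServiceClient(new ClientCredentialProvider(app));
    }

    // Looks the certificate up by thumbprint in the current user's personal store.
    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly is false because app-registration certificates are often self-signed.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate with thumbprint " + thumbprint);
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key.");
            if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate is outside its validity period.");
            return cert;
        }
    }

    private static string RequireEnv(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException("Missing environment variable " + name);
        return value;
    }
}
```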

On-behalf-of provider

The on-behalf-of flow is applicable when your application calls a service/web API which in turn calls the Microsoft Graph API. Learn more by reading Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow.

IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithRedirectUri(redirectUri)
    .WithClientSecret(clientSecret)
    .Build();

OnBehalfOfProvider authProvider = new OnBehalfOfProvider(confidentialClientApplication, scopes);

Implicit provider

The implicit grant flow is used in browser-based applications. For more information, see Microsoft identity platform and Implicit grant flow.

Not applicable.

Device code provider

The device code flow enables sign in to devices by way of another device. For details, see Microsoft identity platform and the OAuth 2.0 device code flow.

IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
            .Create(clientId)
            .Build();

Func<DeviceCodeResult, Task> deviceCodeReadyCallback = async dcr => await Console.Out.WriteLineAsync(dcr.Message);

DeviceCodeProvider authProvider = new DeviceCodeProvider(publicClientApplication, scopes, deviceCodeReadyCallback);

Integrated Windows provider

The integrated Windows flow provides a way for Windows computers to silently acquire an access token when they are domain joined. For details, see Integrated Windows authentication.

IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantID)
            .Build();

IntegratedWindowsAuthenticationProvider authProvider = new IntegratedWindowsAuthenticationProvider(publicClientApplication, scopes);

Interactive provider

The interactive flow is used by mobile applications (Xamarin and UWP) and desktop applications to call Microsoft Graph in the name of a user. For details, see Acquiring tokens interactively.

IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
            .Create(clientId)
            .Build();

InteractiveAuthenticationProvider authProvider = new InteractiveAuthenticationProvider(publicClientApplication, scopes);

Username/password provider

The username/password provider allows an application to sign in a user by using their username and password. Use this flow only when you cannot use any of the other OAuth flows. For more information, see Microsoft identity platform and the OAuth 2.0 resource owner password credential.

IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantID)
            .Build();

UsernamePasswordProvider authProvider = new UsernamePasswordProvider(publicClientApplication, scopes);

GraphServiceClient graphClient = new GraphServiceClient(authProvider);

User me = await graphClient.Me.Request()
                .WithUsernamePassword(email, password)
                .GetAsync();

Next steps