What is Azure Active Directory B2C?

Azure Active Directory (Azure AD) B2C is a business-to-consumer identity management service. It lets you customize and control how users securely interact with your web, desktop, mobile, or single-page applications. Using Azure AD B2C, users can sign up, sign in, reset passwords, and edit profiles. Azure AD B2C implements the OpenID Connect and OAuth 2.0 protocols. The key element of these protocol implementations is the security tokens and their claims, which enable you to provide secure access to resources.

A user journey is a request that specifies a policy, which controls how the user and your application interact with Azure AD B2C. Two paths are available for defining user journeys in Azure AD B2C.

If you're an application developer, with or without identity expertise, you might choose to define common identity user flows using the Azure portal. If you're an identity professional, systems integrator, consultant, or member of an in-house identity team, are comfortable with OpenID Connect flows, and understand identity providers and claims-based authentication, you might choose XML-based custom policies.

Before you start defining a user journey, you need to create an Azure AD B2C tenant and register your application and API in the tenant. After you've completed these tasks, you can start defining a user journey with either user flows or custom policies. You can also, optionally, add or change identity providers, or customize the way the user experiences the journey.

Protocols and tokens

Azure AD B2C supports the OpenID Connect and OAuth 2.0 protocols for user journeys. In the Azure AD B2C implementation of OpenID Connect, your application starts the user journey by issuing an authentication request to Azure AD B2C.

The result of a request to Azure AD B2C is a security token, such as an ID token or access token. This security token defines the user's identity. Tokens are received from Azure AD B2C endpoints, such as the /token or /authorize endpoint. From these tokens you can access claims that can be used to validate an identity and allow access to secure resources. Before acting on those claims, the application or API that receives the token must validate it: the signature, the issuer, the audience, and the lifetime.

Tenants and applications

In Azure AD B2C, a tenant represents your organization and is a directory of users. Each Azure AD B2C tenant is distinct and separate from other Azure AD B2C tenants. You may already have an Azure Active Directory tenant; the Azure AD B2C tenant is a different tenant. A tenant contains information about the users who have signed up to use your application, for example passwords, profile data, and permissions. For more information, see Tutorial: Create an Azure Active Directory B2C tenant.

Before you configure your application to use Azure AD B2C, you first need to register it in the tenant using the Azure portal. The registration process collects and assigns values to your application. These values include an application ID that uniquely identifies the application and a redirect URI that's used to direct responses back to the application. Azure AD B2C only sends responses to a redirect URI registered for the application, so register exactly the URI your application listens on.

The interaction of every application follows a similar high-level pattern:

  1. The application directs the user to run a policy.
  2. The user completes the policy according to the policy definition.
  3. The application receives a token.
  4. The application uses the token to try to access a resource.
  5. The resource server validates the token to verify that access can be granted.
  6. The application periodically refreshes the token.
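
The following is an added example, not code from the original page or from Microsoft's own samples, of the checks a resource server performs in step 5 before it trusts the claims in an Azure AD B2C token. The tenant, issuer GUID, application ID, policy name, and claim values are constructed placeholders. The token is minted in-line and signed with HS256 and a demo key so that the example runs offline; real Azure AD B2C tokens are RS256-signed, so in production you replace verify_signature with an RSA check against the keys published at the jwks_uri in the policy's OpenID Connect metadata, and the claim checks stay as they are.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values standing in for a real tenant, application and policy.
DEMO_KEY = b"demo-signing-key-not-for-production"
ISSUER = "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/"
CLIENT_ID = "0d4f1e2a-demo-app-id"
POLICY = "B2C_1_signupsignin1"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT for the demo; a real token comes from the /token endpoint."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(signing_input: bytes, signature: bytes, key: bytes) -> bool:
    """HS256 stand-in for the RS256 verification done with real B2C signing keys."""
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate_b2c_token(token: str, key: bytes = DEMO_KEY, *,
                       issuer: str = ISSUER, audience: str = CLIENT_ID,
                       policy: str = POLICY, nonce: Optional[str] = None,
                       now: Optional[float] = None, skew: int = 60) -> dict:
    """Return the token's claims if every check passes, otherwise raise ValueError.

    Order: structure, algorithm (pinned by the verifier, never taken from the
    token), signature, issuer, audience, policy (tfp), lifetime, nonce.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a token advertising "none" or another alg is rejected.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(signing_input, _b64url_decode(sig_b64), key):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch: token was not issued for this app")
    # Each policy is its own trust boundary: an API that expects the policy
    # with multi-factor authentication must not accept a token minted by one without it.
    if claims.get("tfp") != policy:
        raise ValueError("token issued under a different policy")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0) + skew:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0) - skew:
        raise ValueError("token not yet valid")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: reply to a different sign-in request")
    return claims


def demo_claims(now: float) -> dict:
    """Constructed claim set shaped like a B2C ID token payload."""
    return {"iss": ISSUER, "aud": CLIENT_ID, "tfp": POLICY,
            "sub": "a1b2c3d4-demo-user-object-id", "nonce": "n-0S6_WzA2Mj",
            "iat": int(now), "nbf": int(now), "exp": int(now) + 3600,
            "emails": ["user@example.com"]}


if __name__ == "__main__":
    t = time.time()
    token = make_demo_token(demo_claims(t))
    print(validate_b2c_token(token, nonce="n-0S6_WzA2Mj", now=t)["sub"])
```

The policy check matters because one tenant can issue tokens under several policies, and the issuer claim alone does not distinguish them; the tfp claim (acr on older tokens) carries the policy name, so an API that requires a particular user journey compares it explicitly.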

To register a web application, complete the steps in Tutorial: Register an application to enable sign-up and sign-in using Azure AD B2C. You can also add a web API application to your Azure Active Directory B2C tenant or add a native client application to your Azure Active Directory B2C tenant.

User journeys

The policy in a user journey can be defined as a user flow or a custom policy. Predefined user flows for the most common identity tasks, such as sign-up, sign-in, and profile editing, are available in the Azure portal.

User journeys allow you to control behavior by configuring the following settings:

  • Social accounts that the user can use to sign up for the application
  • Data collected from the user, such as first name or postal code
  • Multi-factor authentication
  • Look and feel of pages
  • Information returned to the application

Custom policies are configuration files that define the behavior of the Identity Experience Framework in your Azure AD B2C tenant. The Identity Experience Framework is the underlying platform that establishes multi-party trust and completes the steps in a user journey.

Custom policies can be changed to complete many tasks. A custom policy is one or several XML-formatted files that refer to each other in a hierarchical chain. A starter pack is available for custom policies to enable common identity tasks.

Custom policies or user flows of different types are used in your Azure AD B2C tenant as needed and can be reused across applications. This flexibility lets you define and modify user identity experiences with minimal or no changes to your code. A policy is selected by adding a special query parameter to the HTTP authentication request. To create your own custom policy, see Get started with custom policies in Azure Active Directory B2C.
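
The following is an added example, not code from the original page or from Microsoft's own samples, of an application selecting a policy on its authentication request (step 1 of the pattern above) and checking the redirect that comes back. The tenant name "contoso", the application ID, and the redirect URI are constructed placeholders; the endpoint shape and the p query parameter are those of Azure AD B2C. The request carries a state value to bind the redirect to the session, a nonce that the ID token must echo, and a PKCE code challenge (RFC 7636) so that an intercepted authorization code cannot be redeemed without the verifier.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "contoso"  # constructed tenant name
AUTHORIZE_ENDPOINT = (f"https://{TENANT}.b2clogin.com/"
                      f"{TENANT}.onmicrosoft.com/oauth2/v2.0/authorize")
TOKEN_ENDPOINT = (f"https://{TENANT}.b2clogin.com/"
                  f"{TENANT}.onmicrosoft.com/oauth2/v2.0/token")


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """First value of each query-string parameter in url."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorize_request(client_id: str, redirect_uri: str, policy: str,
                            scope: str = "openid offline_access"):
    """Return (url, session). Keep session server-side until the redirect arrives."""
    state = secrets.token_urlsafe(32)          # binds the redirect to this browser session
    nonce = secrets.token_urlsafe(32)          # echoed in the ID token; checked on validation
    code_verifier = secrets.token_urlsafe(64)  # PKCE secret, sent only with the token request
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {
        "p": policy,  # the user flow or custom policy to run
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "response_mode": "query",
        "scope": scope,  # offline_access asks for a refresh token (step 6)
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": code_verifier,
               "policy": policy, "client_id": client_id, "redirect_uri": redirect_uri}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", session


def handle_redirect(callback_url: str, session: dict) -> dict:
    """Check the redirect and return the token request it authorizes.

    Raises ValueError on a missing or mismatched state, an error reply, or a
    missing code. The code is redeemed at the token endpoint of the same policy.
    """
    query = query_params(callback_url)
    state = query.get("state", "")
    if not hmac.compare_digest(state, session["state"]):
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    code = query.get("code", "")
    if not code:
        raise ValueError("no authorization code in redirect")
    return {
        "endpoint": f"{TOKEN_ENDPOINT}?p={session['policy']}",
        "body": {
            "grant_type": "authorization_code",
            "client_id": session["client_id"],
            "code": code,
            "code_verifier": session["code_verifier"],
            "redirect_uri": session["redirect_uri"],
            "scope": "openid offline_access",
        },
    }


if __name__ == "__main__":
    url, sess = build_authorize_request("0d4f1e2a-demo-app-id",
                                        "https://app.example.com/signin-oidc",
                                        "B2C_1_signupsignin1")
    print(url)
```

The session dictionary is what the application must hold on to between the two halves of the exchange: the state is compared on the redirect, the nonce is compared against the ID token that the token endpoint returns, and the code verifier is posted with the code. Note that the token request names the same policy; a code issued by one policy is not redeemable under another.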

Identity providers

In your applications, you may want to enable users to sign in with different identity providers. An identity provider creates, maintains, and manages identity information while providing authentication services to applications. You can add identity providers that are supported by Azure AD B2C using the Azure portal.

You typically use only one identity provider in your application, but you have the option to add more. To configure an identity provider in your Azure AD B2C tenant, you first create an application on the identity provider's developer site, and then record the application identifier (client ID) and the password (client secret) of that application. This identifier and secret are then used to configure the identity provider in your tenant; treat the secret as a credential and keep it out of source control.

The following articles describe the steps to add some of the common identity providers to user flows:

The following articles describe the steps to add some of the common identity providers to custom policies:

For more information, see Tutorial: Add identity providers to your applications in Azure Active Directory B2C.

Page customization

Most of the HTML and CSS content presented to customers in a user journey is under your control. By using page customization, you can customize the look and feel of any custom policy or user flow, and so maintain brand and visual consistency between your application and Azure AD B2C.

Azure AD B2C runs code in the user's browser and uses Cross-Origin Resource Sharing (CORS) to load your content. First, you specify in the policy a URL that serves your customized HTML content. Azure AD B2C merges its user interface elements with the HTML content loaded from your URL and then displays the page to the user.

You send parameters to Azure AD B2C in a query string. By passing the parameter on to your HTML endpoint, you can change the page content dynamically. For example, you can change the background image on the sign-up or sign-in page based on a parameter that you pass from your web or mobile application.
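
The following is an added example, not code from the original page or from Microsoft's own samples, of the content endpoint behind such a dynamic page. It shows the two points a practitioner checks: the endpoint answers CORS only for the tenant's own b2clogin.com origin, and the background is chosen from an allow-list keyed by the parameter rather than echoing the parameter into the page, since a reflected value would otherwise land in a page that also hosts the sign-in form. The tenant name "contoso", the bg parameter, and the image URLs are constructed placeholders; the element with id="api" is where Azure AD B2C injects its own controls.

```python
import html
from urllib.parse import parse_qs, urlparse

TENANT = "contoso"  # constructed tenant name
ALLOWED_ORIGINS = {f"https://{TENANT}.b2clogin.com"}

# The only values the parameter may select; anything else falls back to "default".
BACKGROUNDS = {
    "default": "https://cdn.example.com/b2c/bg-default.jpg",
    "spring": "https://cdn.example.com/b2c/bg-spring.jpg",
}

# Azure AD B2C loads this page and merges its sign-in UI into the div with id="api".
TEMPLATE = """<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Sign in</title>
<style>body {{ background-image: url("{background}"); background-size: cover; }}</style>
</head>
<body>
  <div id="api"></div>
</body>
</html>
"""


def cors_headers(origin: str) -> dict:
    """CORS headers for a request from the tenant's B2C origin; nothing for anyone else."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def choose_background(request_url: str) -> str:
    """Map the bg parameter to an allow-listed image; unknown values get the default."""
    query = parse_qs(urlparse(request_url).query)
    key = query.get("bg", ["default"])[0]
    return BACKGROUNDS.get(key, BACKGROUNDS["default"])


def render_page(request_url: str, origin: str):
    """Return (status, headers, body) for a GET of request_url sent with the given Origin."""
    headers = {"Content-Type": "text/html; charset=utf-8", **cors_headers(origin)}
    # The value is already one of our own URLs; escaping is a second line of defence.
    body = TEMPLATE.format(background=html.escape(choose_background(request_url), quote=True))
    return 200, headers, body


if __name__ == "__main__":
    status, hdrs, page = render_page("https://cdn.example.com/b2c/signin.html?bg=spring",
                                     f"https://{TENANT}.b2clogin.com")
    print(status, hdrs)
    print(page)
```

Serve the content over HTTPS, and keep the allow-list of origins to your own tenant's b2clogin.com host: a wildcard Access-Control-Allow-Origin would let any site embed your sign-in page content.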

To customize pages in a user flow, see Tutorial: Customize the interface of user experiences in Azure Active Directory B2C. To customize pages in a custom policy, see Customize the user interface of your application using a custom policy in Azure Active Directory B2C or Configure the UI with dynamic content by using custom policies in Azure Active Directory B2C.

Developer resources

Client applications

You have a choice of applications for iOS, Android, and .NET, among others. Azure AD B2C enables these actions while protecting your users' identities.

If you're an ASP.NET web application developer, set up your application to authenticate accounts using the steps in Tutorial: Enable a web application to authenticate with accounts using Azure AD B2C.

If you're a desktop application developer, set up your application to authenticate accounts using the steps in Tutorial: Enable a desktop application to authenticate with accounts using Azure AD B2C.

If you're a single-page application developer using Node.js, set up your application to authenticate accounts using the steps in Tutorial: Enable a single-page application to authenticate with accounts using Azure AD B2C.

APIs

If your client or web applications need to call APIs, you can set up secure access to those resources in Azure AD B2C.

If you're an ASP.NET web application developer, set up your application to call a protected API using the steps in Tutorial: Grant access to an ASP.NET web API using Azure Active Directory B2C.

If you're a desktop application developer, set up your application to call a protected API using the steps in Tutorial: Grant access to a Node.js web API from a desktop app using Azure Active Directory B2C.

If you're a single-page application developer using Node.js, set up your application to call a protected API using the steps in Tutorial: Grant access to an ASP.NET Core web API from a single-page application using Azure Active Directory B2C.

JavaScript

You can add your own JavaScript client-side code to your applications in Azure AD B2C. To set up JavaScript in your application, you define a page contract and enable JavaScript in your user flows or custom policies.

User accounts

Many common tenant management tasks need to be performed programmatically. A primary example is user management. You might need to migrate an existing user store to an Azure AD B2C tenant, or you may want to host user registration on your own page and create the user accounts in your Azure AD B2C directory behind the scenes. These tasks require the ability to create, read, update, and delete user accounts, which you can do by using the Azure AD Graph API.

Next steps

Start configuring your application for the sign-up and sign-in experience by continuing to the tutorial.