Azure Active Directory Authentication Libraries

Warning

This content is for the older Azure AD v1.0 endpoint. Use the Microsoft identity platform for new projects.

The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD) and obtain tokens for securing API calls. ADAL makes authentication easier for developers through features such as:

  • A configurable token cache that stores access tokens and refresh tokens
  • Automatic token refresh when an access token expires and a refresh token is available
  • Support for asynchronous method calls

Note

Looking for the Azure AD v2.0 libraries (MSAL)? Check out the MSAL library guide.

Microsoft-supported Client Libraries

| Platform | Library | Download | Source Code | Sample | Reference |
|---|---|---|---|---|---|
| .NET Client, Windows Store, UWP, Xamarin iOS and Android | ADAL .NET v3 | NuGet | GitHub | Desktop app | Reference |
| JavaScript | ADAL.js | GitHub | GitHub | Single-page app | |
| iOS, macOS | ADAL | GitHub | GitHub | iOS app | Reference |
| Android | ADAL | Maven | GitHub | Android app | JavaDocs |
| Node.js | ADAL | npm | GitHub | Node.js web app | Reference |
| Java | ADAL4J | Maven | GitHub | Java web app | Reference |
| Python | ADAL | GitHub | GitHub | Python web app | Reference |

Microsoft-supported Server Libraries

| Platform | Library | Download | Source Code | Sample |
|---|---|---|---|---|
| .NET | OWIN for AzureAD | NuGet | GitHub | MVC App |
| .NET | OWIN for OpenIDConnect | NuGet | GitHub | Web App |
| .NET | OWIN for WS-Federation | NuGet | GitHub | MVC Web App |
| .NET | Identity Protocol Extensions for .NET 4.5 | NuGet | GitHub | |
| .NET | JWT Handler for .NET 4.5 | NuGet | GitHub | |
| Node.js | Azure AD Passport | npm | GitHub | Web API |

Scenarios

Here are three common scenarios for using ADAL in a client that accesses a remote resource:

Authenticating users of a native client application running on a device

In this scenario, a developer has a mobile client or desktop application that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls and must be called in the context of an authenticated user. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant, and Azure AD is pre-configured to issue access tokens for that resource. To invoke the web API from the client, the developer uses ADAL to facilitate authentication with Azure AD. The most secure way to use ADAL is to let it render the user interface that collects the user's credentials (a browser window): the credentials go directly to Azure AD, so the native application itself never sees or stores the user's password.

ADAL makes it easy to authenticate the user, obtain an access token and refresh token from Azure AD, and then call the web API using the access token.

For a code sample that demonstrates this scenario using authentication to Azure AD, see Native Client WPF Application to Web API.

Authenticating a confidential client application running on a web server

In this scenario, a developer has an application running on a server that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls, so it must be called from an authorized service. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant, and Azure AD is pre-configured to issue access tokens for that resource to a service that presents client credentials (a client ID and secret). Because this flow has no user, the token is issued to the application identity alone, so the secret must be protected like any other server-side credential. ADAL facilitates authentication of the service with Azure AD, which returns an access token that can be used to call the web API. ADAL also manages the lifetime of the access token by caching it and renewing it as necessary. For a code sample that demonstrates this scenario, see Daemon console Application to Web API.

Authenticating a confidential client application running on a server, on behalf of a user

In this scenario, a developer has a web application running on a server that needs to access a remote resource, such as a web API. The web API does not allow anonymous calls, so it must be called from an authorized service on behalf of an authenticated user. The web API is pre-configured to trust access tokens issued by a specific Azure AD tenant, and Azure AD is pre-configured to issue access tokens for that resource to a service with client credentials. Once the user is authenticated in the web application, the application receives an authorization code for that user from Azure AD. The web application can then use ADAL to redeem the authorization code, together with the client credentials associated with the application, for an access token and refresh token issued on behalf of the user. Once the web application is in possession of the access token, it can call the web API until the token expires. When the token expires, the web application can use ADAL to get a new access token by using the refresh token that was previously received, without sending the user back through sign-in. For a code sample that demonstrates this scenario, see Native client to Web API to Web API.

See Also