Application types for Microsoft identity platform

The Microsoft identity platform (v2.0) endpoint supports authentication for a variety of modern app architectures, all of them based on the industry-standard protocols OAuth 2.0 or OpenID Connect. This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand the high-level scenarios before you start working with the code.

Note

The Microsoft identity platform endpoint doesn't support all Azure Active Directory (Azure AD) scenarios and features. To determine whether you should use the Microsoft identity platform endpoint, read about Microsoft identity platform limitations.

The basics

You must register each app that uses the Microsoft identity platform endpoint in the new App registrations portal. The app registration process collects and assigns these values for your app:

  • An Application (client) ID that uniquely identifies your app
  • A Redirect URI that you can use to direct responses back to your app
  • A few other scenario-specific values, such as supported account types

For details, learn how to register an app.

After the app is registered, the app communicates with Microsoft identity platform by sending requests to the endpoint. We provide open-source frameworks and libraries that handle the details of these requests. You also have the option to implement the authentication logic yourself by creating requests to these endpoints:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token

Single-page apps (JavaScript)

Many modern apps have a single-page app front end that is written primarily in JavaScript. Often, it's written by using a framework like Angular, React, or Vue. The Microsoft identity platform endpoint supports these apps by using the OAuth 2.0 implicit flow.

In this flow, the app receives tokens directly from the Microsoft identity platform authorize endpoint, without any server-to-server exchanges. All authentication logic and session handling takes place entirely in the JavaScript client, without extra page redirects.

(Diagram: the implicit authentication flow)

To see this scenario in action, try one of the single-page app code samples in the Microsoft identity platform getting started section.

Web apps

For web apps (.NET, PHP, Java, Ruby, Python, Node) that the user accesses through a browser, you can use OpenID Connect for user sign-in. In OpenID Connect, the web app receives an ID token. An ID token is a security token that verifies the user's identity and provides information about the user in the form of claims:

// Partial raw ID token
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cd...

// Partial content of a decoded ID token
{
    "name": "John Smith",
    "email": "john.smith@gmail.com",
    "oid": "d9674823-dffc-4e3f-a6eb-62fe4bd48a58"
    ...
}

Further details of the different types of tokens used in the Microsoft identity platform endpoint are available in the access token reference and the id_token reference.

In web server apps, the sign-in authentication flow takes these high-level steps:

(Diagram: the web app authentication flow)

You can ensure the user's identity by validating the ID token with a public signing key that is received from the Microsoft identity platform endpoint. A session cookie is set, which can be used to identify the user on subsequent page requests.

To see this scenario in action, try one of the web app sign-in code samples in the Microsoft identity platform getting started section.

In addition to simple sign-in, a web server app might need to access another web service, such as a REST API. In this case, the web server app engages in a combined OpenID Connect and OAuth 2.0 flow, by using the OAuth 2.0 authorization code flow. For more information about this scenario, read about getting started with web apps and Web APIs.

Web APIs

You can use the Microsoft identity platform endpoint to secure web services, such as your app's RESTful Web API. Instead of ID tokens and session cookies, a Web API uses an OAuth 2.0 access token to secure its data and to authenticate incoming requests. The caller of a Web API appends an access token in the Authorization header of an HTTP request, like this:

GET /api/items HTTP/1.1
Host: www.mywebapi.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6...
Accept: application/json
...

The Web API uses the access token to verify the API caller's identity and to extract information about the caller from claims that are encoded in the access token. Further details of the different types of tokens used in the Microsoft identity platform endpoint are available in the access token reference and the id_token reference.

A Web API can give users the power to opt in or opt out of specific functionality or data by exposing permissions, also known as scopes. For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The Microsoft identity platform endpoint asks the user for permission, and then records the granted permissions in all access tokens that the Web API receives. The Web API validates the access token it receives on each call and performs authorization checks against those permissions.

A Web API can receive access tokens from all types of apps, including web server apps, desktop and mobile apps, single-page apps, server-side daemons, and even other Web APIs. The high-level flow for a Web API looks like this:

(Diagram: the Web API authentication flow)

To learn how to secure a Web API by using OAuth 2.0 access tokens, check out the Web API code samples in the Microsoft identity platform getting started section.

In many cases, Web APIs also need to make outbound requests to other downstream Web APIs secured by Microsoft identity platform. To do so, Web APIs can take advantage of the On-Behalf-Of flow, which allows the Web API to exchange an incoming access token for another access token to be used in outbound requests. For more information, see Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow.

Mobile and native apps

Device-installed apps, such as mobile and desktop apps, often need to access back-end services or Web APIs that store data and perform functions on behalf of a user. These apps can add sign-in and authorization to back-end services by using the OAuth 2.0 authorization code flow.

In this flow, the app receives an authorization code from the Microsoft identity platform endpoint when the user signs in. The authorization code represents the app's permission to call back-end services on behalf of the user who is signed in. The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to Web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire.

(Diagram: the native app authentication flow)

Daemons and server-side apps

Apps that have long-running processes or that operate without interaction with a user also need a way to access secured resources, such as Web APIs. These apps can authenticate and get tokens by using the app's identity, rather than a user's delegated identity, with the OAuth 2.0 client credentials flow. You can prove the app's identity by using a client secret or a certificate. For more information, see Authenticating to Microsoft identity platform in daemon apps with certificates.

In this flow, the app interacts directly with the /token endpoint to obtain access:

(Diagram: the daemon app authentication flow)

To build a daemon app, see the client credentials documentation, or try a .NET sample app.