AD FS Scenarios for Developers

Applies To: Windows Server 2016

AD FS in Windows Server 2016 [AD FS 2016] enables you to add industry-standard OpenID Connect and OAuth 2.0 based authentication and authorization to applications you are developing, and to have those applications authenticate users directly against AD FS.

AD FS 2016 also supports the WS-Federation, WS-Trust, and SAML protocols and profiles that were supported in previous versions. If you are interested in developer guidance for these protocols, see the article here. This article focuses on how to use and benefit from the newer protocol support.

Why Modern Authentication

While you can continue using AD FS for sign-on with the WS-Federation, WS-Trust, and SAML protocols just as you have before, the newer protocols give you the following benefits:

  • Simplicity and consistency
    • Use the same set of APIs and patterns to enable sign-on for:
      • multiple types of applications (server, desktop, mobile, browser)
      • multiple platforms (Android, iOS, Windows)
      • applications inside the corporate network or hosted in the cloud
    • Use the same set of libraries you can already use to authenticate users against Azure AD
  • Flexibility
    • In addition to standard user authorization, enable more complex scenarios such as:
      • 3-legged sign-on flows in which a user authorizes one web application or service to access resources that reside with another web app or service
      • Server-to-server flows in which a mid-tier service accesses a back-end API
      • JavaScript-based single-page applications (SPA)
  • Industry support
    • OAuth 2.0 and OpenID Connect enjoy wide utilization across the industry, so knowledge of these patterns will help you enable authentication and authorization outside of an Active Directory environment as well

How it works: The Basics

You can add AD FS modern authentication to your application using the same set of tools and libraries you can already use to authenticate users against Azure AD.

In AD FS scenarios, of course, it is AD FS and not Azure AD that serves as the identity provider and authorization server. Otherwise the concepts are exactly the same: users provide their credentials and obtain tokens, either directly or via an intermediary, for access to resources.

The most basic scenario consists of a user, or "resource owner", interacting with a browser to access a web application:

[Figure: AD FS for Developers, basic browser-to-web-app scenario]

The web application is called a "client" because it initiates the request to the authorization server (AD FS) for an access token to the resource. The resource may be hosted by the web app itself or may be accessible as a web API somewhere on the network or internet. The user, or "resource owner", authorizes the client web app to receive that access token by providing credentials to the authorization server.

How it works: components

OAuth 2.0 and OpenID Connect scenarios in AD FS make use of the same set of tools and libraries you use when Azure AD is the identity provider. These components are:

  • Active Directory Authentication Library (ADAL): client libraries that facilitate collecting user credentials, creating and submitting token requests, and retrieving the resulting tokens.
  • OWIN (Open Web Interface for .NET) middleware: while OWIN is a community-based project, Microsoft has created a set of server-side libraries for protecting web applications and web APIs with OpenID Connect and OAuth 2.0.

The roles of these components are shown in the diagram below:

[Figure: AD FS for Developers, roles of ADAL and the OWIN middleware]

Modeling these scenarios in AD FS 2016

Application Groups

To represent these scenarios in AD FS policy, we have introduced a new concept called Application Groups. An application group can contain any number and combination of the following fundamental types of application:

Application Group / Application Type, with description and role:
  • Native application. Description: sometimes called a public client, this is intended to be a client app that runs on a PC or device and with which the user interacts. Role: requests tokens from the authorization server (AD FS) for user access to resources; sends HTTP requests to protected resources, using the tokens as HTTP headers.
  • Server application. Description: a web application that runs on a server and is generally accessible to users via a browser. Because it is capable of maintaining its own client 'secret' or credential, it is sometimes called a confidential client. Role: requests tokens from the authorization server (AD FS) for user access to resources; sends HTTP requests to protected resources, using the tokens as HTTP headers.
  • Web API. Description: the end resource the user is accessing. Think of these as the new representation of "relying parties". Role: consumes tokens obtained by clients.

Differences from AD FS 2012 R2

Application groups combine trust and authorization elements that AD FS 2012 R2 exposed separately, as relying parties, clients, and application permissions.

The following tables compare the methods by which corresponding application trust objects are created in AD FS 2012 R2 vs. AD FS 2016:

AD FS in Windows Server 2012 R2 (In PowerShell / AD FS Management):
  • Add native client: Add-AdfsClient / NA
  • Add server application as client: Add-AdfsClient / NA
  • Add Web API / resource: Add-AdfsRelyingPartyTrust / Create Relying Party Trust

AD FS 2016 (In PowerShell / AD FS Management):
  • Add native client: Add-AdfsNativeClientApplication / Add Native Application to Application Group
  • Add server application as client: Add-AdfsServerApplication / Add Server Application to Application Group
  • Add Web API / resource: Add-AdfsWebApiApplication / Add Web API Application to Application Group

By default, the clients in an application group are allowed to access the resources in the same group. The administrator does not have to configure specific application permissions. Application groups also allow administrators to specify the scopes allowed, such as openid or user_impersonation. The scenario descriptions below specify exactly which scopes are required for which scenario.

Because AD FS uses a model of administrator consent, users are not prompted for consent when accessing resources. By configuring the application group, the administrator in effect provides consent on behalf of all application users.

Supported Scenarios

The following section describes the scenarios we support in more detail.

Tokens used

These scenarios make use of three token types:

  • id_token: a JWT token used to represent the identity of the user. The 'aud' or audience claim of the id_token matches the client ID of the native or server application.
  • access_token: a JWT token used in OAuth and OpenID Connect scenarios and intended to be consumed by the resource. The 'aud' or audience claim of this token must match the identifier of the resource or Web API.
  • refresh_token: this token is submitted in place of collecting user credentials to provide a single sign-on experience. This token is both issued and consumed by AD FS, and is not readable by clients or resources.

Native client to Web API

This scenario enables the user of a native client application to call an AD FS 2016 protected Web API.

  • The native client application uses ADAL to send authorization and token requests to AD FS, prompting for credentials from the user as necessary, then sends the resulting token as an HTTP header on the request to the Web API.
  • [This part is for demonstration purposes only] The web API reads the claims from the ClaimsPrincipal object that results from the access token sent by the client, and sends them back to the client.

Protocol flow description

  1. The native client application initiates the flow with a call to the ADAL library. This triggers a browser-based HTTP GET to the AD FS authorize endpoint:

Authorization request:
GET https://fs.contoso.com/adfs/oauth2/authorize?

Parameters:
  • response_type: "code"
  • resource: RP ID (Identifier) of Web API in application group
  • client_id: client Id of the native application in the application group
  • redirect_uri: redirect URI of native application in application group

Authorization request response:
If the user has not signed in before, the user is prompted for credentials.
AD FS responds by returning an authorization code as the "code" parameter in the query component of the redirect_uri. For example: HTTP/1.1 302 Found Location: http://redirect_uri:80/?code=<code>

  2. The native client then sends the code, along with the following parameters, to the AD FS token endpoint:

Token request:
POST https://fs.contoso.com/adfs/oauth2/token

Parameters:
  • grant_type: "authorization_code"
  • code: authorization code from 1
  • resource: RP ID (Identifier) of Web API in application group
  • client_id: client Id of the native application in the application group
  • redirect_uri: redirect URI of native application in application group

Token request response:
AD FS responds with an HTTP 200 with the access_token, refresh_token, and id_token in the body.

  3. The native application then sends the access_token part of the above response as the Authorization header in the HTTP request to the web API.

Single sign on behavior

For subsequent client requests within 1 hour (by default), the access_token will still be valid in the cache, and a new request will not trigger any traffic to AD FS. The access_token will automatically be fetched from the cache by ADAL.

After the access token expires, ADAL will automatically send a refresh token based request to the AD FS token endpoint (skipping the authorization request automatically).
Refresh token request:
POST https://fs.contoso.com/adfs/oauth2/token

Parameters:
  • grant_type: "refresh_token"
  • resource: RP ID (Identifier) of Web API in application group
  • client_id: client Id of the native application in the application group
  • refresh_token: the refresh token issued by AD FS in response to the initial token request

Refresh token request response:
If the refresh token is within <SSO_period>, the request will result in a new access token. The user is not prompted for credentials. For more information on SSO settings, see AD FS Single Sign On Settings.

If the refresh token has expired, the request results in an HTTP 401 with error "invalid_grant" and "error_description" "MSIS9615: The refresh token received in refresh_token parameter has expired". In this case, ADAL automatically submits a new authorization request that looks just like #1 above.
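The native-client exchange just described, simulated offline as an added example (this is not code from the article or from ADAL): it builds the authorize and token requests from the parameter lists above, extracts the code from the 302 Location, and reproduces ADAL's cache, refresh and re-authorize order, including the MSIS9615 fallback. The client Id, RP identifier and redirect URI are constructed placeholders, and FakeAdfs stands in for the AD FS token endpoint.

```python
from urllib.parse import urlencode, urlparse, parse_qs

ADFS = "https://fs.contoso.com/adfs/oauth2"       # authorize/token endpoints named in the article
CLIENT_ID = "native-client-placeholder-id"         # constructed: client Id of the native app
RESOURCE = "https://webapi.contoso.com/"           # constructed: RP ID (Identifier) of the Web API
REDIRECT_URI = "https://localhost/nativeclient"    # constructed: redirect URI of the native app
ACCESS_TOKEN_LIFETIME = 3600                       # 1 hour by default, per the article


def authorize_url():
    """Step 1: the browser-based GET to the authorize endpoint."""
    params = {"response_type": "code", "resource": RESOURCE,
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    return f"{ADFS}/authorize?{urlencode(params)}"


def code_from_redirect(location):
    """Extract the 'code' query parameter from the 302 Location AD FS returns,
    refusing it unless the redirect really lands on the registered redirect_uri."""
    target, expected = urlparse(location), urlparse(REDIRECT_URI)
    if (target.scheme, target.netloc, target.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("redirect did not land on the registered redirect_uri")
    return parse_qs(target.query)["code"][0]


def token_request(code):
    """Step 2: form body for the POST to the token endpoint."""
    return {"grant_type": "authorization_code", "code": code, "resource": RESOURCE,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}


def refresh_request(refresh_token):
    """Refresh-token grant sent after the access token expires (no authorize step)."""
    return {"grant_type": "refresh_token", "resource": RESOURCE,
            "client_id": CLIENT_ID, "refresh_token": refresh_token}


def bearer_header(access_token):
    """Step 3: the access token travels to the Web API as the Authorization header."""
    return {"Authorization": f"Bearer {access_token}"}


class FakeAdfs:
    """Constructed stand-in for the token endpoint (not AD FS). It mirrors the responses
    the article describes, including the MSIS9615 error for an expired refresh token."""
    def __init__(self):
        self.expired = set()   # refresh tokens the fake server treats as past <SSO_period>
        self.issued = 0

    def post_token(self, form):
        if form["grant_type"] == "refresh_token" and form["refresh_token"] in self.expired:
            return 401, {"error": "invalid_grant", "error_description":
                         "MSIS9615: The refresh token received in refresh_token parameter has expired"}
        self.issued += 1
        n = self.issued
        return 200, {"access_token": f"at{n}", "refresh_token": f"rt{n}", "id_token": f"idt{n}"}


def acquire_token(adfs, cache, get_code, now):
    """ADAL's order of preference from the SSO section: a still-valid cached access token,
    then the refresh-token grant, then a fresh authorization request (#1).
    get_code plays the browser: it visits the authorize URL and returns the code.
    Returns (access_token, how_it_was_obtained)."""
    if cache.get("expires_at", 0) > now:
        return cache["access_token"], "cache"
    if "refresh_token" in cache:
        status, body = adfs.post_token(refresh_request(cache["refresh_token"]))
        if status == 200:
            cache.update(body, expires_at=now + ACCESS_TOKEN_LIFETIME)
            return body["access_token"], "refresh"
        if not (status == 401 and body.get("error") == "invalid_grant"):
            raise RuntimeError(f"unexpected token endpoint response: {status} {body}")
    # Expired (or missing) refresh token: start over with the authorize request.
    status, body = adfs.post_token(token_request(get_code(authorize_url())))
    if status != 200:
        raise RuntimeError(f"authorization code exchange failed: {body}")
    cache.update(body, expires_at=now + ACCESS_TOKEN_LIFETIME)
    return body["access_token"], "authorize"
```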

Web Browser to Web App

In this scenario, a user with a browser needs to access resources hosted by a web application.
There are two scenarios that accomplish this.

OAuth confidential client

This scenario is similar to the above in that there is an authorization request, followed by a code-for-token exchange. The web app (modeled as a Server Application in AD FS) initiates the authorization request via the browser and exchanges the code for the token (by connecting directly to AD FS).

Protocol flow description

  1. The Web App initiates an authorization request via the browser, which sends an HTTP GET to the AD FS authorize endpoint.

Authorization request:
GET https://fs.contoso.com/adfs/oauth2/authorize?

Parameters:
  • response_type: "code"
  • resource: RP ID (Identifier) of Web API in application group
  • client_id: Client Id of the native application in the application group
  • redirect_uri: redirect URI of web app (server application) in application group

Authorization request response:
If the user has not signed in before, the user is prompted for credentials.
AD FS responds by returning an authorization code as the "code" parameter in the query component of the redirect_uri, for example: HTTP/1.1 302 Found Location: https://webapp.contoso.com/?code=<code>

  2. As a result of the above 302, the browser initiates an HTTP GET to the web app, for example: GET http://redirect_uri:80/?code=<code>

  3. At this point the web app, having received the code, initiates a request to the AD FS token endpoint, sending the following.

Token request:
POST https://fs.contoso.com/adfs/oauth2/token

Parameters:
  • grant_type: "authorization_code"
  • code: authorization code from 2 above
  • resource: RP ID (Identifier) of Web API in application group
  • client_id: Client Id of the web app (server application) in the application group
  • redirect_uri: redirect URI of web app (server application) in application group
  • client_secret: secret of the web app (server application) in the application group. Note: the client's credential does not need to be a client_secret. AD FS supports the ability to use certificates or Windows Integrated Authentication as well.

Token request response:
AD FS responds with an HTTP 200 with the access_token, refresh_token, and id_token in the body.

  4. The web application then either consumes the access_token part of the above response (in the case in which the web app itself hosts the resource), or otherwise sends it as the Authorization header in the HTTP request to the web API.

Single sign on behavior

While the access token will still be valid for 1 hour (by default) in the client's cache, you may think that the second request will work as in the native client scenario above, that is, a new request will not trigger any traffic to AD FS because the access token will automatically be fetched from the cache by ADAL. However, it is possible that the web app sends distinct authorization and token requests, the former via a distinct URL link, as in our sample.

In this case, it is the AD FS browser SSO cookie that enables AD FS to issue a new authorization code without prompting the user for credentials. The web app then calls AD FS to exchange the new authorization code for a new access token. The user is not prompted for credentials.

Otherwise, if the web app is smart enough to know whether the user is already authenticated, the authorize request can be skipped and either:

  • the cached access token, if not expired, is retrieved and used, or
  • a refresh token based request can be sent to the AD FS token endpoint, as described below

Refresh token request:
POST https://fs.contoso.com/adfs/oauth2/token

Parameters:
  • grant_type: "refresh_token"
  • resource: RP ID (Identifier) of Web API in application group
  • client_id: Client Id of the web app (server application) in the application group
  • refresh_token: refresh token issued by AD FS in response to the initial token request
  • client_secret: secret of the web app (server application) in the application group

Refresh token request response:
If the refresh token is within <SSO_period>, the request will result in a new access token. The user is not prompted for credentials. For more information on SSO settings, see AD FS Single Sign On Settings.

If the refresh token has expired, the request results in an HTTP 401 with error "invalid_grant" and "error_description" "MSIS9615: The refresh token received in refresh_token parameter has expired". In this case, ADAL automatically submits a new authorization request that looks just like #1 above.

OpenID Connect: Hybrid flow

This scenario is similar to the above in that there is an authorization request initiated by the web app via browser redirect, and a code-for-token exchange from the web app to AD FS. The difference in this scenario is that AD FS issues an id_token as part of the initial authorization request response.

Protocol flow description

  1. The Web App initiates an authorization request via the browser, which sends an HTTP GET to the AD FS authorize endpoint.

Authorization request:
GET https://fs.contoso.com/adfs/oauth2/authorize?

Parameters:
  • response_type: "code+id_token"
  • response_mode: "form_post"
  • resource: RP ID (Identifier) of Web API in application group
  • client_id: Client Id of the web app (server application) in the application group
  • redirect_uri: redirect URI of web app (server application) in the application group

Authorization request response:
If the user has not signed in before, the user is prompted for credentials.
AD FS responds with an HTTP 200 and a form containing the below as hidden elements:

  • code: the authorization code
  • id_token: a JWT token containing claims describing the user authentication

The form automatically posts to the redirect_uri of the web app, sending the code and the id_token to the web app.

  2. At this point the web app, having received the code, initiates a request to the AD FS token endpoint, sending the following.

Token request:
POST https://fs.contoso.com/adfs/oauth2/token

Parameters:
  • grant_type: "authorization_code"
  • code: authorization code from above
  • resource: RP ID (Identifier) of Web API in application group
  • client_id: Client Id of the web app (server application) in the application group
  • redirect_uri: redirect URI of web app (server application) in application group
  • client_secret: secret of the web app (server application) in the application group

Token request response:
AD FS responds with an HTTP 200 with the access_token, refresh_token, and id_token in the body.

  3. The web application then either consumes the access_token part of the above response (in the case in which the web app itself hosts the resource), or otherwise sends it as the Authorization header in the HTTP request to the web API.

Single sign on behavior

The single sign-on behavior is the same as for the OAuth 2.0 confidential client flow above.

On Behalf Of

In this scenario, a web app uses the original access token from a user to request and obtain another access token for another Web API, which the web app will then access as the end user. This is called an "on behalf of" flow.

Protocol flow description

Steps 1 and 2 work just like steps 3 and 4 in the previous flow.
In Step 3, the key requirement is that the client_id parameter, the client ID of Web app 2, must match the RP ID of Web API A. In other words, the audience of the access token being exchanged for the new token must match the client ID of the entity requesting the new token.

See AD FS Development for the complete list of walk-through articles, which provide step-by-step instructions on using the related flows.