Chinese, Simplified
category
身份验证提供程序使用Microsoft身份验证库实现获取令牌所需的代码,处理增量同意、密码过期和条件访问等情况下的一些潜在错误,然后设置HTTP请求授权标头。下表列出了与不同应用程序类型的方案匹配的提供程序。
| Scenario | Flow/Grant | Audience | Provider |
|---|---|---|---|
| Single Page App | Authorization Code with PKCE | Delegated Consumer/Org | Authorization code provider |
| Web App that calls web APIs | |||
| Authorization Code | Delegated Consumer/Org | Authorization code provider | |
| Client Credentials | App Only | Client credentials provider | |
| Web API that calls web APIs | |||
| On Behalf Of | Delegated Consumer/Org | On-behalf-of provider | |
| Client Credentials | App Only | Client credentials provider | |
| Desktop app that calls web APIs | |||
| Interactive | Delegated Consumer/Org | Interactive provider | |
| Integrated Windows | Delegated Org | Integrated Windows provider | |
| Resource Owner | Delegated Org | Username/password provider | |
| Device Code | Delegated Org | Device code provider | |
| Daemon app | |||
| Client Credentials | App Only | Client credentials provider | |
| Mobile app that calls web APIs | |||
| Interactive | Delegated Consumer/Org | Interactive provider |
注:
以下代码片段是使用各自SDK的最新版本编写的。如果您在这些代码段中遇到编译器错误,请确保您拥有最新版本。以下Azure Identity库提供了所使用的身份验证提供程序:
- .NET开发人员需要添加Azure。身份包。
- TypeScript和JavaScript开发人员需要添加@azure/identity库。
- Java和Android开发人员需要添加azure标识库。
授权码提供者 (Authorization code provider)
授权码流使本机和web应用程序能够安全地获取用户名中的令牌。要了解更多信息,请参阅Microsoft身份平台和OAuth 2.0授权代码流。
Java
final String clientId = "YOUR_CLIENT_ID";
final String tenantId = "YOUR_TENANT_ID"; // or "common" for multi-tenant apps
final String clientSecret = "YOUR_CLIENT_SECRET";
final String authorizationCode = "AUTH_CODE_FROM_REDIRECT";
final String redirectUrl = "YOUR_REDIRECT_URI";
final String[] scopes = new String[] { "User.Read" };
final AuthorizationCodeCredential credential = new AuthorizationCodeCredentialBuilder()
.clientId(clientId).tenantId(tenantId).clientSecret(clientSecret)
.authorizationCode(authorizationCode).redirectUrl(redirectUrl).build();
if (null == scopes || null == credential) {
throw new Exception("Unexpected error");
}
final GraphServiceClient graphClient = new GraphServiceClient(credential, scopes);
客户端凭据提供程序(Client credentials provider)
客户端凭据流使服务应用程序能够在没有用户交互的情况下运行。访问基于应用程序的身份。有关更多信息,请参阅Microsoft身份平台和OAuth 2.0客户端凭据流。
使用客户端证书
final String clientId = "YOUR_CLIENT_ID";
final String tenantId = "YOUR_TENANT_ID";
final String clientCertificatePath = "MyCertificate.pem";
// The client credentials flow requires that you request the
// /.default scope, and pre-configure your permissions on the
// app registration in Azure. An administrator must grant consent
// to those permissions beforehand.
final String[] scopes = new String[] {"https://graph.microsoft.com/.default"};
final ClientCertificateCredential credential = new ClientCertificateCredentialBuilder()
.clientId(clientId).tenantId(tenantId).pemCertificate(clientCertificatePath)
.build();
if (null == scopes || null == credential) {
throw new Exception("Unexpected error");
}
final GraphServiceClient graphClient = new GraphServiceClient(credential, scopes);
使用客户端密钥
final String clientId = "YOUR_CLIENT_ID";
final String tenantId = "YOUR_TENANT_ID";
final String clientSecret = "YOUR_CLIENT_SECRET";
// The client credentials flow requires that you request the
// /.default scope, and pre-configure your permissions on the
// app registration in Azure. An administrator must grant consent
// to those permissions beforehand.
final String[] scopes = new String[] { "https://graph.microsoft.com/.default" };
final ClientSecretCredential credential = new ClientSecretCredentialBuilder()
.clientId(clientId).tenantId(tenantId).clientSecret(clientSecret).build();
if (null == scopes || null == credential) {
throw new Exception("Unexpected error");
}
final GraphServiceClient graphClient = new GraphServiceClient(credential, scopes);
代表供应商 (On-behalf-of provider)
当应用程序调用服务/web API(调用Microsoft Graph API)时,代理流适用。通过阅读Microsoft身份平台和OAuth 2.0代表流来了解更多信息
final String clientId = "YOUR_CLIENT_ID";
final String tenantId = "YOUR_TENANT_ID"; // or "common" for multi-tenant apps
final String clientSecret = "YOUR_CLIENT_SECRET";
final String[] scopes = new String[] {"https://graph.microsoft.com/.default"};
// This is the incoming token to exchange using on-behalf-of flow
final String oboToken = "JWT_TOKEN_TO_EXCHANGE";
final OnBehalfOfCredential credential = new OnBehalfOfCredentialBuilder()
.clientId(clientId).tenantId(tenantId).clientSecret(clientSecret)
.userAssertion(oboToken).build();
if (null == scopes || null == credential) {
throw new Exception("Unexpected error");
}
final GraphServiceClient graphClient = new GraphServiceClient(credential, scopes);
隐式提供者
由于隐式身份验证流的缺点,不建议使用它。公共客户端,如本机应用程序和单页应用程序,现在应该使用带有PKCE扩展的授权代码流。参考。
设备代码提供程序
设备代码流允许通过另一个设备登录设备。有关详细信息,请参阅Microsoft身份平台和OAuth 2.0设备代码流。
final String clientId = "YOUR_CLIENT_ID";
final String tenantId = "YOUR_TENANT_ID"; // or "common" for multi-tenant apps
final String[] scopes = new String[] {"User.Read"};
final DeviceCodeCredential credential = new DeviceCodeCredentialBuilder()
.clientId(clientId).tenantId(tenantId).challengeConsumer(challenge -> {
// Display challenge to the user
System.out.println(challenge.getMessage());
}).build();
if (null == scopes || null == credential) {
throw new Exception("Unexpected error");
}
final GraphServiceClient graphClient = new GraphServiceClient(credential, scopes);
集成Windows提供商
集成的Windows流允许Windows计算机在静默加入域时获取访问令牌。有关详细信息,请参阅集成Windows身份验证。
注:
集成Windows身份验证有特定要求。请参阅使用SOAP。NET与集成Windows身份验证(IWA)的详细信息。
互动提供商
移动应用程序(Xamarin和UWP)和桌面应用程序使用交互流以用户的名义调用Microsoft Graph。有关详细信息,请参阅交互式获取令牌。
final String clientId = "YOUR_CLIENT_ID";
final String tenantId = "YOUR_TENANT_ID"; // or "common" for multi-tenant apps
final String redirectUrl = "YOUR_REDIRECT_URI";
final String[] scopes = new String[] {"User.Read"};
final InteractiveBrowserCredential credential = new InteractiveBrowserCredentialBuilder()
.clientId(clientId).tenantId(tenantId).redirectUrl(redirectUrl).build();
if (null == scopes || null == credential) {
throw new Exception("Unexpected error");
}
final GraphServiceClient graphClient = new GraphServiceClient(credential, scopes);
用户名/密码提供程序
用户名/密码提供程序允许应用程序使用用户的用户名和密码登录用户。仅当您无法使用任何其他OAuth流时,才使用此流。有关更多信息,请参阅Microsoft身份平台和OAuth 2.0资源所有者密码凭据
final String clientId = "YOUR_CLIENT_ID";
final String tenantId = "YOUR_TENANT_ID"; // or "common" for multi-tenant apps
final String userName = "YOUR_USER_NAME";
final String password = "YOUR_PASSWORD";
final String[] scopes = new String[] {"User.Read"};
final UsernamePasswordCredential credential = new UsernamePasswordCredentialBuilder()
.clientId(clientId).tenantId(tenantId).username(userName).password(password)
.build();
if (null == scopes || null == credential) {
throw new Exception("Unexpected error");
}
final GraphServiceClient graphClient = new GraphServiceClient(credential, scopes);
下一步
- For code samples that show you how to use the Microsoft identity platform to secure different application types, see Microsoft identity platform code samples (v2.0 endpoint).
- Authentication providers require a client ID. You'll want to register your application after you set up your authentication provider.
- Let us know if a required OAuth flow isn't currently supported by voting for or opening a Microsoft Graph feature request.
- 登录 发表评论
- 3 次浏览
发布日期
星期一, 八月 5, 2024 - 18:16
最后修改
星期一, 八月 5, 2024 - 18:16
Tags
Article
最新内容
- 2 days 12 hours ago
- 2 days 12 hours ago
- 2 days 13 hours ago
- 2 days 13 hours ago
- 2 days 13 hours ago
- 2 days 13 hours ago
- 2 days 14 hours ago
- 2 days 14 hours ago
- 4 days 2 hours ago
- 4 days 2 hours ago