WSO2 API Manager(和Identity Server)上的令牌验证
[英]Token validation at WSO2 API Manager (and Identity Server)
问题描述
We building our API with wso2 API manager + separate identity server. 
我们使用wso2 API管理器+单独的身份服务器构建API。
For implementation of resource server we need to 为了实现资源服务器,我们需要
- validate token (that it's valid) 验证令牌(有效)
- get information about user (roles, username, full name etc.) 获取有关用户的信息(角色,用户名,全名等)
- details of authentication through OAuth (scope) 通过OAuth进行身份验证的详细信息(范围)
User roles and auth scope are necessary to do determine user capabilities and apply security settings (as an intersection of user roles and granted scopes) 用户角色和身份验证范围是确定用户功能和应用安全设置所必需的(作为用户角色和授予的范围的交集)
Currently it seems that I can get all necessary information with 2 requests: 目前看来,我可以通过2个请求获得所有必要的信息:
call " validate " method at SOAP web service, that is located at /services/OAuth2TokenValidationService/ (IS or ApiManager in case of no dedicated IS)
在/ services / OAuth2TokenValidationService / (在没有专用IS的情况下为IS或ApiManager)的SOAP Web服务上调用“ 验证 ”方法 Response contains information about token validity, expiration data and user scopes.
响应包含有关令牌有效性,到期数据和用户范围的信息。 do GET on /oauth2/userinfo?schema=openid
在/ oauth2 / userinfo上执行GET ?schema = openid Response contains JSON with information about user (roles, username etc.)
响应包含带有有关用户(角色,用户名等)信息的JSON
First request requires a basic auth with the credentials of user, registered at wso2 IS server. 首次请求需要在wso2 IS服务器上注册的具有用户凭据的基本身份验证。 The second one requires only OAuth token that a resource server obtained from a client. 第二个仅需要资源服务器从客户端获得的OAuth令牌。
So the question is : are this 2 requests with the different technologies are necessary for this use case (to get scopes and user info at resource server) or maybe I'm missing something? 因此,问题是 :对于此用例(在资源服务器上获取作用域和用户信息),使用不同技术的这2个请求是否必要?或者我可能遗漏了一些东西?
The second request is almost good, but it does not contains information about token scope, thus the server can't restrict access to resource if a user, in general, has access to it (according to his roles) 第二个请求几乎是正确的,但是它不包含有关令牌范围的信息,因此,如果用户通常有权访问资源(根据其角色),则服务器将无法限制对资源的访问
If 2 request are necessary what are the minimum system roles at wso2 app the user should have to access SoapService? 如果需要2个请求,则用户在wso2 app上必须具有的最低系统角色是什么? Using admin credentials (like default admin/admin) seems too unsecure to me and I'd like to create user for token validation with minimum permissions. 使用管理员凭据(例如默认的admin / admin)对我来说似乎不太安全,我想创建用户以最少的权限进行令牌验证。
1 个解决方案
解决方案1
0 已采纳 2014-09-30 00:16:08
do GET on /oauth2/userinfo?schema=openid This is an rest endpoint which is secured with OAuth you need to use access token to authenticate and get user info.
在/ oauth2 / userinfo上执行GET?schema = openid这是一个由OAuth保护的其余端点,您需要使用访问令牌进行身份验证并获取用户信息。 call "validate" method at SOAP web service, that is located at /services/OAuth2TokenValidationService/ This service is an admin service where you can invoke using any authentication mechanism allowed to invoke admin services like Basic-Auth, Mutual ssl etc
在/ services / OAuth2TokenValidationService /上的SOAP Web服务上调用“验证”方法。此服务是一种管理服务,您可以在其中使用允许调用诸如Basic-Auth,Mutual ssl等管理服务的任何身份验证机制进行调用
In your scenario you can use mutual ssl authenticator to authenticate with Identity server [1] here you can find more information on that. 在您的方案中,您可以使用双向ssl身份验证器对Identity Server [1]进行身份验证,在这里您可以找到有关此信息的更多信息。
Apart from that without calling to userinfo endpoint you can configure Identity server to send JWT token with token validation response. 除了不调用userinfo端点,您还可以配置身份服务器以发送带有令牌验证响应的JWT令牌。 Then you can get user information from JWT token. 然后,您可以从JWT令牌获取用户信息。 [2] here you will find more information on this. [2]在这里您将找到更多有关此的信息。
[1] http://isharaaruna.blogspot.com/2014/01/oauth-20-playground-sample-with-mutual.html [1] http://isharaaruna.blogspot.com/2014/01/oauth-20-playground-sample-with-mutual.html
[2] http://blog.shelan.org/2013/07/how-to-get-user-profile-for-oauth-token.html [2] http://blog.shelan.org/2013/07/how-to-get-user-profile-for-oauth-token.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.