Using SAML/OpenID Connect to implement SSO for two websites. How to authenticate Swing client?
I am trying to implement SSO for two websites and have currently looked into SAML and OpenID Connect. But I need to authenticate a Swing-based desktop client using the same credentials.
I have read about the implicit flow of OpenID Connect, but it still needs to open a browser, it seems.
The SAML Enhanced Client or Proxy profile, which seems to solve this kind of problem, does not seem to be implemented by most IdPs I have tried out (only Shibboleth supports it, and the documentation for Shibboleth is not that good).
OpenID Connect tries to solve the problem of sharing user authentication between two parties: the identity provider (OP) and a client.
This is not clearly stated in the OIDC docs, but based on my experience OIDC doesn't try to solve how you authenticate your own users across different platforms (web, mobile/desktop).
That's one of the very few valid use cases for the OAuth 2.0 "Resource Owner Password Credentials grant", where the client exchanges the user credentials for a token.
Here you are inside your own system: your mobile/desktop application cannot be considered a third party; it only provides a trusted way for the user to send you their credentials.
You can make sure the app does not store them since you have control over the codebase.
EDIT: The mobile app instances can share (unless you manage to dynamically assign client IDs) a client ID/secret that cannot be kept confidential. It makes up a really thin client authentication layer, trying to make sure that the requests do come from your mobile/desktop application:
POST /oauth/token HTTP/1.1
Authorization: Basic ${BASE64_ENCODED_CLIENTID_CLIENTSECRET}
Content-Type: application/x-www-form-urlencoded

grant_type=password&
username=${USERNAME}&
password=${PASSWORD}
Some people dislike that it specifies how to authenticate a user, and some companies may have additional credentials beyond username+password, for example when using 2-factor authentication. Also, some people have used the ROPC grant wrongly: it is only valid inside an organization, and allowing a client to request your own user credentials defeats the point of having an SSO/authorization protocol.
OIDC is still OAuth 2.0, which means you are free to implement your own "user credentials" flow to obtain an access token + ID token from your desktop/mobile app. It's outside the scope of OIDC though.
BTW, SAML was created at a time when mobile apps were not really in the picture:
SAML 2.0 was ratified as an OASIS Standard in March 2005
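As an added example (not code from the question or the answer), here is the server side of the request shown in the answer: a minimal Python token endpoint that authenticates the first-party desktop client with HTTP Basic, accepts only grant_type=password, verifies the user's credentials and returns an access token plus an OIDC-style ID token. Every client ID, secret, user, salt and signing key in it is a constructed demo value.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs
# Constructed demo registrations; every value here is hypothetical, not from the page.
ISSUER, SIGNING_KEY, SALT = "https://idp.example.test", b"demo-hs256-key", b"demo-salt"
CLIENTS = {"swing-desktop": "desktop-secret"}  # client_id -> client_secret

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
USERS = {"alice": _pw_hash("correct horse")}  # username -> salted password hash

def basic_auth_header(client_id: str, client_secret: str) -> str:
    # What the desktop client sends as: Authorization: Basic base64(client_id:client_secret)
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _jwt_hs256(claims: dict) -> str:
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def token_endpoint(headers: dict, body: str) -> tuple:
    """Server side of POST /oauth/token for grant_type=password; returns (status, json)."""
    # 1. Client authentication: HTTP Basic carrying client_id:client_secret.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id, "")
    if not expected or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    # 2. Only the Resource Owner Password Credentials grant is accepted by this endpoint.
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    # 3. Verify the resource owner's credentials with a constant-time comparison.
    stored = USERS.get(form.get("username", ""))
    if stored is None or not hmac.compare_digest(stored, _pw_hash(form.get("password", ""))):
        return 400, {"error": "invalid_grant"}
    # 4. Issue an opaque access token plus an OIDC-style ID token for the first-party app.
    now = int(time.time())
    id_token = _jwt_hs256({"iss": ISSUER, "sub": form["username"], "aud": client_id,
                           "iat": now, "exp": now + 3600})
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "id_token": id_token}
```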