
Using SAML/OpenID Connect to implement SSO for two websites. How to authenticate Swing client?

I am trying to implement SSO for two websites and have currently looked into SAML and OpenID Connect. But I need to authenticate a Swing based desktop client using the same credentials.

I have read about the implicit flow of OpenID Connect but it still needs to open a browser it seems.

SAML Enhanced Client or Proxy profile, which seems to solve this kind of problem, seems to not be implemented by most IdPs I have tried out. (Only Shibboleth supports it and the documentation for Shibboleth is not that good).

  • What kind of solution works for this problem?
  • Are there any other SSO mechanisms that support both native and web apps?
  • Are there workarounds for OpenID Connect/SAML for this kind of problem?
  • Would it be a good idea to just expose a REST API that authenticates the Swing client using the same credentials as the SSO IdP?

OpenID Connect tries to solve the problem of sharing user authentication between two parties: the identity provider (OP) and a client.

This is not clearly stated in the OIDC docs, but based on my experience OIDC doesn't try to solve how you authenticate your own users across different platforms (web, mobile/desktop).

That's one of the very few valid use cases for the OAuth 2.0 "Resource Owner Password Credentials grant", where the client exchanges the user credentials for a token.

Here you are inside your own system, your mobile/desktop application cannot be considered a third party, it only provides a trusted way for the user to send you its credentials.
You can make sure the app does not store them since you have control over the codebase.

EDIT: The mobile app instances can share (unless you manage to dynamically assign client IDs) a client ID/secret that cannot be kept confidential. It makes up a really thin client authentication layer, trying to make sure that the requests do come from your mobile/desktop application:

POST /oauth/token HTTP/1.1
Authorization: Basic ${BASE64_ENCODED_CLIENTID_CLIENTSECRET}
Content-Type: application/x-www-form-urlencoded

grant_type=password&
username=${USERNAME}&
password=${PASSWORD}

Some people dislike that it specifies how to authenticate a user, and some companies may have additional credentials than username+password, for example when using 2-factor authentication. Also, some people used the ROPC grant wrong, as it is only valid inside an organization; allowing a client to request your own user credentials is killing the point of having an SSO/authorization protocol.

OIDC is still OAuth 2.0, which means you are free to implement your own "user credentials" flow to obtain an access token + ID Token from your desktop/mobile app. It's outside the scope of OIDC though.

BTW, SAML was created at a time when mobile apps were not really in the picture:

SAML 2.0 was ratified as an OASIS Standard in March 2005
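The ROPC exchange from the answer above, worked through as an added example with both sides in one script (this is illustrative code, not from the original post or any IdP product): the desktop client builds the token request, and a minimal stand-in for the IdP's /oauth/token endpoint checks the shared client ID/secret and the user's password. The client ID, secret, user record and salt are constructed sample values.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample data: the client ID/secret every installed copy of the
# desktop app shares (so it is not really secret), and one user record.
CLIENT_ID, CLIENT_SECRET = "swing-desktop", "shared-app-secret"
SALT = b"constructed-salt"

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USER_DB = {"alice": pw_hash("correct horse")}

def build_token_request(client_id, client_secret, username, password):
    """Client side: the POST /oauth/token request as (headers, form body)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password",
                      "username": username, "password": password})
    return headers, body

def token_endpoint(headers, body):
    """Server side: a simplified password-grant handler, returns (status, json)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        cid, _, csecret = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return 401, {"error": "invalid_client"}
    # Client auth only shows the request came from *some* copy of the app;
    # the user's password is the credential that actually matters.
    if cid != CLIENT_ID or not hmac.compare_digest(csecret, CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    stored = USER_DB.get(form.get("username", ""))
    given = pw_hash(form.get("password", ""))
    if stored is None or not hmac.compare_digest(stored, given):
        return 400, {"error": "invalid_grant"}  # same error for unknown user
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "Bearer", "expires_in": 3600}

def request_token(username, password):
    """Client side: send the request, keep only the token (never the password)."""
    status, resp = token_endpoint(*build_token_request(CLIENT_ID, CLIENT_SECRET,
                                                       username, password))
    return status, (resp.get("access_token") if status == 200 else resp["error"])

if __name__ == "__main__":
    print(json.dumps(request_token("alice", "correct horse")))
```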
