OAuth 2 - how to define dynamic resource authorization?
As a resource server, I'd like to give users more control over their resources.
For example, consider I have a cloud file system supporting OAuth 2.
The user may provide permission to access the files to a client on his behalf.
I'd like the resource server to offer access to a specific folder, for example, just photos and not documents.
The names of the folders are a dynamic resource, as they vary among users.
How can I handle dynamic resource authorization? Dynamic scopes?
Also, if the scope is dynamic, how does the client know to request it?
The document rfc6749, which is the OAuth 2.0 spec, defines a way to extend OAuth 2 by using additional parameters (rfc6749#section-8.2). So, if you want to solve this with OAuth, you could use this approach or something similar:
Bear in mind that such an approach works better if the amount of resources per user is not very big (otherwise you can be flooded with scopes).
Another method could be to add an extra layer of Authorization behind the OAuth Layer. This additional layer keeps track of the relation client/accessible resources.
Just recently I had to familiarize myself with OAuth/OIDC, and now I am facing the same question - here's what I could think of so far -
This is the way I am going to try doing it for my own app anyway - it is indeed surprising not to find any resources about this online.
Resurrecting a pretty old question here, but I think the problem is still current.
One useful detail to bear in mind is that the scope requested by the client and the scope allowed by the Resource Owner don't have to be equal. In fact, the scope allowed by the RO doesn't even have to be a subset of the requested scope.
In your case, the scope allowed by the RO can be a set of resource URLs, selected by the RO at grant step depending on the requested scope. Then, by looking at the values in the access token and understanding their meaning, the Resource Server will be able to serve the requested resources dynamically.
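The two designs sketched in the answers above (an authorization layer behind OAuth that maps client to accessible resources, and a granted scope made of resource URLs that the Resource Server interprets) both come down to the same check on the Resource Server: is the requested path inside a folder this client was granted? The following is an added example, not code from any of the answerers. The hostname `files.example.com`, the token claims `sub`, `client_id` and `scope`, the coarse scope value `files.read`, the user `alice` and the `GRANTS` table are all constructed for illustration. The one detail worth copying is `under_folder`: it normalizes the requested path before the prefix comparison, so `..` segments and look-alike folder names (`photos-private` next to `photos`) are rejected.

```python
from posixpath import normpath
from typing import Dict, FrozenSet, Tuple
from urllib.parse import urlsplit

# Hypothetical hostname of this Resource Server (constructed).
RESOURCE_HOST = "files.example.com"

# Approach from the last answer: the RO granted a scope that is a list of
# resource URLs, narrower than the coarse "files.read" the client asked for.
# Token contents are constructed; a real token would be validated first.
TOKEN_RESOURCE_SCOPE = {
    "sub": "alice",
    "client_id": "photo-printer",
    "scope": "https://files.example.com/alice/photos/",
}

# Approach from the second answer: OAuth only proves client identity and a
# coarse scope; a second layer owned by the Resource Server records which
# folders the RO exposed to which client. Constructed sample grants.
TOKEN_COARSE_SCOPE = {
    "sub": "alice",
    "client_id": "photo-printer",
    "scope": "files.read",
}
GRANTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "photo-printer"): frozenset({"/alice/photos/"}),
}


def under_folder(requested: str, folder: str) -> bool:
    """True if absolute path `requested` is `folder` or lies inside it.

    normpath() collapses "." and ".." so "/alice/photos/../documents/x"
    becomes "/alice/documents/x" before the comparison; forcing a trailing
    slash on the folder stops "/alice/photos-private/x" from matching
    "/alice/photos".
    """
    folder = normpath(folder).rstrip("/") + "/"
    req = normpath(requested)
    return req == folder.rstrip("/") or req.startswith(folder)


def allowed_by_token_scope(token: dict, requested_url: str) -> bool:
    """Scope-as-resource-URLs: each scope entry naming one of our own URLs
    is treated as a folder the client may read; anything else is ignored."""
    req = urlsplit(requested_url)
    if req.netloc != RESOURCE_HOST:
        return False
    for entry in token.get("scope", "").split():
        granted = urlsplit(entry)
        if granted.scheme != "https" or granted.netloc != RESOURCE_HOST:
            continue  # not a resource of this server, skip it
        if under_folder(req.path, granted.path):
            return True
    return False


def allowed_by_grant_layer(token: dict, requested_url: str) -> bool:
    """Extra authorization layer: the token must carry the coarse scope, then
    the (owner, client) pair is looked up in the Resource Server's own table."""
    if "files.read" not in token.get("scope", "").split():
        return False
    req = urlsplit(requested_url)
    if req.netloc != RESOURCE_HOST:
        return False
    folders = GRANTS.get((token["sub"], token["client_id"]), frozenset())
    return any(under_folder(req.path, folder) for folder in folders)


if __name__ == "__main__":
    for url in (
        "https://files.example.com/alice/photos/cat.jpg",
        "https://files.example.com/alice/documents/tax.pdf",
        "https://files.example.com/alice/photos/../documents/tax.pdf",
        "https://files.example.com/alice/photos-private/x.jpg",
    ):
        print(url,
              allowed_by_token_scope(TOKEN_RESOURCE_SCOPE, url),
              allowed_by_grant_layer(TOKEN_COARSE_SCOPE, url))
```

Both functions fail closed: a token whose scope names a different host, a client missing from `GRANTS`, or a path that normalizes outside the granted folder all yield a denial rather than an exception.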