Use an ID token or access token at userinfo endpoint?
I have a client API that is a confidential client. When I authenticate with an OpenID provider, I am redirected to my callback with an authorization code, which is immediately exchanged to receive a refresh token, an access token, and an ID token.
Now I create a session cookie that holds a UUID for the authenticated user. When the user makes a request, do I...
When it comes to using the refresh token I see 2 options:
Thoughts?
A few notes first:
But foremost: a refresh token should not be used to get a new ID token; it should only refresh the access token. A user needs to be present to get a new ID token with the same semantics as the original one.
In short, you only use an authentication token to access the userinfo_endpoint URI.
OpenID Connect allows the use of a "Discovery document," a JSON document found at a well-known location containing key-value pairs which provide details about the OpenID Connect provider's configuration, including the URIs of the authorization, token, revocation, userinfo, and public-keys endpoints.
You can look up each provider's unique discovery document URI in its docs; for example, Google's is given below.
You make a GET request to the discovery document URI, and in the returned document you find the userinfo_endpoint URI.
Example response from Microsoft:
GET https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
{
"authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
"token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt"
],
"jwks_uri": "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys",
"userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
"subject_types_supported": [
"pairwise"
],
...
}
Google's discovery document URI:
GET https://accounts.google.com/.well-known/openid-configuration
Get an authorization token. For example, open Network -> Fetch/XHR, look around, and try to find a request header with the key 'authorization'. Copy 'Bearer {the id}' and put it in the header of a GET request, as shown below.
GET or POST /oidc/userinfo HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Il…
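The procedure in the answer above, carried end to end as an added example in Python (this is not code from the question or from either answer): resolve the discovery document from an issuer URL, pull userinfo_endpoint out of it, build the userinfo call with the access token in the Authorization header, and, for contrast, show what the client does with the ID token instead of sending it anywhere: verify it locally and then check that the sub returned by userinfo matches the ID token's sub. Everything here is constructed: the issuer https://issuer.example and its discovery document (shaped like the Microsoft and Google ones), the client secret, and the ID token, which the example signs itself with HS256 keyed with the client_secret (OIDC permits this; most real providers use RS256 with keys published at jwks_uri, which would replace the HMAC check).

```python
"""Added example (not from the original post): resolve the userinfo endpoint via
OIDC discovery, call it with the ACCESS token, and validate the ID token locally.
The issuer, endpoints, client secret and token values below are all constructed."""
import base64
import hashlib
import hmac
import json
import time
from urllib.request import Request, urlopen

ISSUER = "https://issuer.example"  # hypothetical provider, not a real issuer

# Constructed discovery document in the shape of the real ones quoted above.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/discovery/keys",
    "userinfo_endpoint": "https://resource.example/oidc/userinfo",
})

def discovery_url(issuer: str) -> str:
    """The discovery document lives at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def parse_discovery(text: str, expected_issuer: str) -> dict:
    """Parse the document and refuse one whose issuer is not the one we asked for."""
    doc = json.loads(text)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    for key in ("token_endpoint", "jwks_uri", "userinfo_endpoint"):
        if not str(doc.get(key, "")).startswith("https://"):
            raise ValueError("%s missing or not https" % key)
    return doc

def userinfo_request(doc: dict, access_token: str) -> Request:
    """The userinfo call carries the access token, never the ID token."""
    return Request(doc["userinfo_endpoint"],
                   headers={"Authorization": "Bearer " + access_token,
                            "Accept": "application/json"})

def fetch_userinfo(doc: dict, access_token: str, timeout: float = 10) -> dict:
    """Live network call; not exercised offline."""
    with urlopen(userinfo_request(doc, access_token), timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_id_token(claims: dict, client_secret: str) -> str:
    """Builds a constructed HS256 ID token for the example. OIDC allows HS256 keyed
    with the client_secret; most providers use RS256 with keys from jwks_uri."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), (head + "." + body).encode(),
                   hashlib.sha256).digest()
    return head + "." + body + "." + _b64url(sig)

def validate_id_token(token: str, client_secret: str, client_id: str,
                      issuer: str, nonce: str, now: float = None) -> dict:
    """Local ID token checks: signature, then iss, aud, exp and nonce. This is what
    the client does with the ID token; it is not something to send to userinfo."""
    now = time.time() if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")
    head = json.loads(_b64url_decode(head_b64))
    if head.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg %r" % head.get("alg"))
    expected = hmac.new(client_secret.encode(), (head_b64 + "." + body_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        raise ValueError("wrong iss")
    if client_id not in aud:
        raise ValueError("token not issued to this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def userinfo_matches_id_token(id_claims: dict, userinfo: dict) -> bool:
    """OIDC Core 5.3.2: the sub returned by userinfo must equal the ID token's sub."""
    return bool(userinfo.get("sub")) and userinfo.get("sub") == id_claims.get("sub")
```

With a real provider you would GET discovery_url(issuer), feed the body to parse_discovery, and then call fetch_userinfo with the access token from the code exchange; the ID token never leaves the client, and if the sub in the userinfo response differs from the one in the ID token the response must be discarded.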