
Use an ID token or access token at userinfo endpoint?

I have a client API that is a confidential client. When I authenticate with an OpenID provider, I am redirected to my callback with an authorization code, which is immediately exchanged to receive a refresh token, an access token, and an ID token.

Now, I create a session cookie that has a UUID for the authenticated user. When the user makes a request, do I...

  1. Use my access token to call the provider's userinfo endpoint to get the user info.
  2. Read the validated ID token to get the user's info.

When it comes to using the refresh token I see 2 options:

  1. After reading a valid ID token or access token during a request, use the refresh token to get a new access or ID token to store at a new UUID, which is returned to the user with an updated cookie. While requiring the user to sign in more, this means the user's session becomes invalid after inactivity on their part equalling the lifetime of the access or ID token. This is potentially more secure.
  2. Use the ID token or access token until valid and then refresh to get a new one. If the refresh token never expires, the user will never have to sign in again even if inactive for a long period of time (unless cookie expiration is low). Potentially less secure.

Thoughts?

A few notes first:

  • the lifetime of the application session is (typically) independent of the lifetime of the ID token; the latter is just an assertion about the user's identity, it doesn't represent a session
  • your first option doesn't work with parallel requests, e.g. when a user has opened multiple tabs to your application or the application uses JavaScript calls

But foremost: a refresh token should not be used to get a new ID token, it should only refresh the access token; a user needs to be present to get a new ID token with the same semantics as the original one.
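As an added example that is not part of the answer above: a minimal server-side session store for a confidential client that follows these notes. The ID token is validated once at login and its claims are stored; the application session has its own idle lifetime; only the access token is refreshed, under a per-session lock so that parallel requests (several tabs, XHR calls) do not all spend the same refresh token. The `FakeProvider` token endpoint, the token strings, the idle timeout and the `demo()` driver are assumptions constructed for illustration, not any provider's real behaviour.

```python
import secrets
import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    sub: str                      # subject of the ID token validated at login
    id_claims: Dict[str, object]  # claims copied from that ID token, read once
    access_token: str
    access_expires_at: float      # epoch seconds
    refresh_token: str
    session_expires_at: float     # app-level idle deadline, unrelated to ID token exp
    lock: threading.Lock = field(default_factory=threading.Lock)


class SessionStore:
    """Maps random cookie ids to server-side sessions. The cookie id is not
    derived from any token, so a leaked token never reveals a session id."""

    def __init__(self, refresh_access_token: Callable[[str], Dict[str, object]],
                 idle_timeout: float = 30 * 60, skew: float = 30.0):
        self._refresh = refresh_access_token  # refresh_token -> token response
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._skew = skew  # refresh a little before expiry to absorb clock drift

    def create(self, id_claims, token_response, now=None) -> str:
        """Called once in the callback, after the ID token has been validated."""
        now = time.time() if now is None else now
        cookie_id = secrets.token_urlsafe(32)
        self._sessions[cookie_id] = Session(
            sub=id_claims["sub"], id_claims=dict(id_claims),
            access_token=token_response["access_token"],
            access_expires_at=now + token_response["expires_in"],
            refresh_token=token_response["refresh_token"],
            session_expires_at=now + self._idle_timeout)
        return cookie_id

    def user_info(self, cookie_id) -> Optional[Dict[str, object]]:
        """Identity per request comes from the stored ID-token claims."""
        s = self._sessions.get(cookie_id)
        return None if s is None else s.id_claims

    def get_access_token(self, cookie_id: str, now=None) -> Optional[str]:
        """Usable access token for calling APIs, refreshed when stale.
        None means the application session ended; the user must log in again."""
        now = time.time() if now is None else now
        s = self._sessions.get(cookie_id)
        if s is None or now >= s.session_expires_at:
            self._sessions.pop(cookie_id, None)
            return None
        s.session_expires_at = now + self._idle_timeout  # sliding idle window
        if now < s.access_expires_at - self._skew:
            return s.access_token
        with s.lock:
            # Re-check under the lock: a parallel request may have refreshed already,
            # and reusing the old refresh token would fail under token rotation.
            if now < s.access_expires_at - self._skew:
                return s.access_token
            resp = self._refresh(s.refresh_token)
            s.access_token = resp["access_token"]
            s.access_expires_at = now + resp["expires_in"]
            s.refresh_token = resp.get("refresh_token", s.refresh_token)  # rotation
            return s.access_token


class FakeProvider:
    """Constructed stand-in for a token endpoint that rotates refresh tokens
    and rejects reuse of a spent one."""

    def __init__(self):
        self.calls = 0
        self.valid = {"rt-1"}

    def refresh(self, refresh_token):
        self.calls += 1
        if refresh_token not in self.valid:
            raise PermissionError("invalid_grant: refresh token unknown or reused")
        self.valid.discard(refresh_token)
        new_rt = f"rt-{self.calls + 1}"
        self.valid.add(new_rt)
        return {"access_token": f"at-{self.calls + 1}", "expires_in": 3600,
                "refresh_token": new_rt}


def demo(parallel: int = 8):
    provider = FakeProvider()
    store = SessionStore(provider.refresh, idle_timeout=1800)
    t0 = 1_700_000_000.0
    cookie = store.create({"sub": "user-123", "email": "a@example.com"},
                          {"access_token": "at-1", "expires_in": 600,
                           "refresh_token": "rt-1"}, now=t0)
    fresh = store.get_access_token(cookie, now=t0 + 10)  # still valid: no refresh
    later = t0 + 700                                      # access token expired
    results = []
    threads = [threading.Thread(target=lambda: results.append(
        store.get_access_token(cookie, now=later))) for _ in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"fresh": fresh, "refresh_calls": provider.calls, "tokens": set(results),
            "idle_expired": store.get_access_token(cookie, now=later + 1801) is None}


if __name__ == "__main__":
    print(demo())
```

With eight concurrent requests arriving after the access token has expired, the provider sees exactly one refresh call and every request gets the same new access token; without the lock and the re-check, the second request would present a refresh token the first one already spent and the provider would reject it. The idle deadline, not the ID token's `exp`, decides when the user has to log in again.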

In short, you only use an authentication token to access the userinfo_endpoint URI.

OpenID Connect allows the use of a "Discovery document," a JSON document found at a well-known location containing key-value pairs which provide details about the OpenID Connect provider's configuration, including the URIs of the authorization, token, revocation, userinfo, and public-keys endpoints.

You can research each application's unique discovery page URI from their docs; for example, here is Google's.

You make a GET request to the discovery document URI and from this document you find the userinfo_endpoint URI.

Example response from Microsoft

GET https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
{
  "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt"
  ],
  "jwks_uri": "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys",
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "subject_types_supported": [
      "pairwise"
  ],
  ...
}

Google's discovery doc URI

GET https://accounts.google.com/.well-known/openid-configuration

Get an Authorization token. For example, pull up Network -> Fetch/XHR, now look around and try to find a request header with the key 'authorization'. Copy 'Bearer {the id}' and put it in the header of a GET request like the picture shown below.

GET or POST /oidc/userinfo HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Il…

Microsoft Example Postman Request
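The same procedure in code, as an added example that is not part of the answer above: derive the discovery URL from the issuer, read `userinfo_endpoint` out of the discovery document, send the access token as a Bearer credential, and then verify that the `sub` in the userinfo response equals the `sub` of the ID token obtained at login (OpenID Connect Core 1.0, section 5.3.2 requires this check; a response whose `sub` differs must not be used). The HTTP transport is an injectable callable so the example runs offline: `DISCOVERY_DOC` is a constructed, abbreviated document shaped like the Microsoft response above, `fake_http` is a constructed provider stand-in, and `urllib_http` is the transport you would pass in for a real call.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# (method, url, headers) -> (status, body)
Http = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]

# Constructed sample, abbreviated; the issuer value is an assumption for this example.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery 1.0: issuer + '/.well-known/openid-configuration'."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def userinfo_endpoint(discovery_json: str) -> str:
    """Extract userinfo_endpoint and refuse anything that is not an https URL,
    since a bearer token would otherwise be sent in the clear."""
    doc = json.loads(discovery_json)
    url = doc.get("userinfo_endpoint")
    if not url:
        raise ValueError("discovery document has no userinfo_endpoint")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-https userinfo_endpoint: {url}")
    return url


def fetch_userinfo(http: Http, endpoint: str, access_token: str,
                   expected_sub: str) -> Dict[str, object]:
    """GET userinfo with the access token (not the ID token) and return the
    claims only if their sub matches the ID token's sub."""
    status, body = http("GET", endpoint, {"Authorization": f"Bearer {access_token}",
                                         "Accept": "application/json"})
    if status == 401:
        raise PermissionError("userinfo rejected the token (expired or not an access token)")
    if status != 200:
        raise RuntimeError(f"userinfo returned HTTP {status}")
    claims = json.loads(body)
    if claims.get("sub") != expected_sub:
        raise ValueError("userinfo sub does not match the ID token sub; response discarded")
    return claims


def urllib_http(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def fake_http(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for the provider: only access token 'at-1' is valid."""
    if url != "https://graph.microsoft.com/oidc/userinfo":
        return 404, b""
    if headers.get("Authorization") != "Bearer at-1":
        return 401, b'{"error":"invalid_token"}'
    return 200, json.dumps({"sub": "user-123", "email": "a@example.com"}).encode()


def demo() -> Dict[str, str]:
    endpoint = userinfo_endpoint(DISCOVERY_DOC)
    ok = fetch_userinfo(fake_http, endpoint, "at-1", expected_sub="user-123")
    try:  # an ID token (or any non-access token) is not accepted at userinfo
        fetch_userinfo(fake_http, endpoint, "id-token-not-access-token", "user-123")
        wrong_token = "accepted"
    except PermissionError:
        wrong_token = "rejected"
    try:  # a response for a different subject must be thrown away
        fetch_userinfo(fake_http, endpoint, "at-1", expected_sub="someone-else")
        sub_mismatch = "accepted"
    except ValueError:
        sub_mismatch = "rejected"
    return {"endpoint": endpoint, "email": str(ok["email"]),
            "wrong_token": wrong_token, "sub_mismatch": sub_mismatch}


if __name__ == "__main__":
    print(demo())
```

For a live call, replace `fake_http` with `urllib_http` and pass the access token from the token response; the `expected_sub` argument is the `sub` claim of the ID token you validated in the callback, which is what ties the userinfo response to the user who actually logged in.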
