Choosing an OpenID Connect Provider

I need to implement SSO in my Java web app with OpenID Connect. I already have experience with SSO using SAML 2.0, with WSO2 as the Identity Provider.

I am clear on the client part, and am planning to implement the same with Spring Security.

My question is, does it make sense to build my own Identity Provider for OpenID Connect? For some reasons, I do not want to use any third-party IdP (like WSO2).

If yes, is there any library that can help? If no, what are the best IdPs I can use for OpenID Connect? Of course, WSO2 is at the top of my list because I have already implemented SAML SSO with WSO2, and it also supports OpenID Connect.

Any experience or suggestion is most welcome.

The answer to this question is not that straightforward. But I will try to summarise some key points which will be helpful in making a decision.

Implementing an in-house identity provider

  • Cost and effort

You will have to develop and maintain everything by yourself. This means implementing the specification (OpenID Connect), adhering to RFC 6749. Adding to that, you need to register clients, issue tokens, validate tokens and maintain token state (e.g. issued refresh tokens). Indeed, some libraries like Nimbus would come in handy.

If you are dealing with third parties, you are bound to strictly follow the specifications. And it could be a higher development cost and effort depending on the talent pool.

  • Maintenance and support

Any internal development will come with support and maintenance. Bug fixes, issues and new feature requirements will be costly over time and could involve valuable developer time.

  • Performance and reliability

As you have mentioned, implementing your own identity provider and making it perform like any existing product is challenging. Besides, an identity provider should be reliable. It must be secure enough to sustain security attacks (especially if you are exposing it to the internet). And the implementation should be done with security in mind from the ground up (e.g. secure certificates for token signing, access token and refresh token entropy).

Using a third-party product

  • Cost and effort

Depending on the provider, it could be a free and open-source tool or a paid one. And if it is an established product, there will be less implementation effort.

  • Maintenance and support

Now this depends on the service agreement. You might have to pay for support. But you get rid of maintenance. A product might lack some features you expect it to have (e.g. RFC 7662 - token introspection endpoint). For example, MS Azure AD lacks an introspection endpoint.

  • Performance and reliability

Given that it is a product you purchase, or one that is openly available and used by many, commercial products tend to have optimum performance. And indeed they are developed by domain experts (e.g. a dedicated team who have gone through all the specs) and could include higher reliability.

PS -

Regardless of all these considerations, there could be a requirement to develop and maintain an internal identity provider. If that's the case, you have to implement it according to the related specifications and make it secure. Hope this helped with your decision.
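To make the answer's list of in-house responsibilities concrete (registering clients, issuing tokens, maintaining token state such as issued refresh tokens, token entropy, and an RFC 7662-shaped introspection endpoint), here is an added example that is not part of the question or the answer above and not taken from WSO2, Nimbus or Spring Security. It is written in Python rather than Java purely so it runs stand-alone; the `TokenStore` class, its in-memory dictionaries, the token lifetimes and the hash-the-token-at-rest choice are all assumptions made for this illustration, and a real OpenID Connect provider would additionally have to mint signed ID tokens, publish discovery and JWKS documents, and handle the authorization endpoint.

```python
import hashlib
import hmac
import secrets
import time

# Lifetimes are illustrative assumptions for this example, not values from the answer.
ACCESS_TOKEN_TTL = 600      # seconds
REFRESH_TOKEN_TTL = 86400   # seconds


def _digest(value: str) -> str:
    """Store only a SHA-256 digest so a leaked store does not leak live bearer tokens."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical in-memory token state for an authorization server (example only)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so expiry is testable offline
        self.clients = {}           # client_id -> digest of the client secret
        self.access_tokens = {}     # digest(access token) -> record
        self.refresh_tokens = {}    # digest(refresh token) -> record

    # --- client registration / authentication ------------------------------
    def register_client(self, client_id: str, client_secret: str) -> None:
        self.clients[client_id] = _digest(client_secret)

    def authenticate_client(self, client_id: str, client_secret: str) -> bool:
        stored = self.clients.get(client_id)
        if stored is None:
            return False
        # constant-time comparison of equal-length digests
        return hmac.compare_digest(stored, _digest(client_secret))

    # --- token issuance ----------------------------------------------------
    def issue(self, client_id: str, sub: str, scope: str):
        """Return (access_token, refresh_token): opaque strings with 256 bits of CSPRNG entropy."""
        now = self.clock()
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[_digest(access)] = {
            "client_id": client_id, "sub": sub, "scope": scope,
            "exp": now + ACCESS_TOKEN_TTL,
        }
        self.refresh_tokens[_digest(refresh)] = {
            "client_id": client_id, "sub": sub, "scope": scope,
            "exp": now + REFRESH_TOKEN_TTL,
            "access_digest": _digest(access),   # lets a rotation revoke the paired access token
        }
        return access, refresh

    # --- RFC 7662-shaped introspection --------------------------------------
    def introspect(self, token: str) -> dict:
        """Unknown or expired tokens answer only {"active": False}, revealing nothing else."""
        rec = self.access_tokens.get(_digest(token))
        if rec is None or rec["exp"] <= self.clock():
            return {"active": False}
        return {
            "active": True,
            "client_id": rec["client_id"],
            "sub": rec["sub"],
            "scope": rec["scope"],
            "exp": int(rec["exp"]),
            "token_type": "Bearer",
        }

    # --- refresh grant with rotation ----------------------------------------
    def refresh_grant(self, client_id: str, refresh_token: str):
        """Exchange a refresh token exactly once; any replay (or a failed attempt) consumes it."""
        rec = self.refresh_tokens.pop(_digest(refresh_token), None)   # pop first: fail closed
        if rec is None or rec["client_id"] != client_id or rec["exp"] <= self.clock():
            return None
        # retire the access token that was issued alongside the consumed refresh token
        self.access_tokens.pop(rec["access_digest"], None)
        return self.issue(client_id, rec["sub"], rec["scope"])


if __name__ == "__main__":
    store = TokenStore()
    store.register_client("webapp", "s3cret")          # constructed sample client
    access, refresh = store.issue("webapp", "alice", "openid profile")
    print(store.introspect(access))
    print(store.refresh_grant("webapp", refresh) is not None)
    print(store.refresh_grant("webapp", refresh))       # replayed refresh token -> None
```

The two design choices worth carrying into a real provider are the ones the answer hints at: tokens are generated from the OS CSPRNG rather than from anything predictable, and refresh tokens are single-use, so a stolen refresh token that is replayed after the legitimate client has already rotated it is rejected and the access token issued with it is revoked at the same time.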
