
How Identity Server 4 implements JSON Web Tokens

I am very confused about the difference between OAuth2 tokens and JSON Web Tokens. I have searched about these technologies and the result is:

OpenID is a protocol and it uses JSON Web Tokens to ensure the requests are coming from a trusted user.

A JSON Web Token contains a few pieces of user information (claims), encrypted with a private key of the STS.

OAuth2 is a framework and we can manage the login operations between our users, clients, resources and third-party applications.

Identity Framework 4 is an OpenID Connect implementation .NET MVC library. The library has been written with the OAuth2 specs and it implements OpenID.

This is the point I didn't understand. The OAuth2 framework already has its token implementation.

Where is the place of JSON Web Tokens in this scenario? For example, we have a simple web application and a server which implements Identity Server 4.

When a user requests a page from the web application, the user will be redirected to our identity server for the login operation. After a successful login, the identity server adds a cookie to our response and this cookie contains a token. We will use that token when requesting the other secure resources.

These steps are clear to me. Where is the JSON Web Token in this scenario? How can I use JSON Web Tokens in my client app? Where can I reach my user claims?

The reason for JWT is given in the specs of OAuth2:

    Since OAuth 2.0 does not define a protocol for the resource server to learn meta-information about a token that it has received from an authorization server, several different approaches have been developed to bridge this gap. These include using structured token formats such as JWT [RFC7519] or proprietary inter-service communication mechanisms (such as shared databases and protected enterprise service buses) that convey token information.

Being an open standard, JWT has been largely adopted in security-related technology and protocols. It defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

Let's explain some concepts of this definition further.

  • Compact: Because of their smaller size, JWTs can be sent through a URL, a POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.

  • Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.

There are a lot of sites explaining these things, as well as numerous technology providers.

To answer your IdentityServer related questions. Authentication & authorization related information are usually encoded

The application-specific information/payload in these tokens is encoded using JWT. JWT is mostly transparent to application developers if good libraries are provided, as is the case for IdentityServer. You will find answers to your questions in the excellent documentation for IdentityServer. How to extract user claims is covered as well. The project provides numerous client examples that cover typical AuthX setups out there. It takes time and commitment to get through it.

JSON Web Token (JWT) (RFC 7519) itself is independent of OAuth 2.0 and OpenID Connect. You can use JWT wherever you like.

OAuth 2.0 is a specification as to how to request and issue access tokens. The specification does not say anything about how access tokens should be represented. Therefore, access tokens may be random strings or may be JWTs. Some authorization server implementations generate random strings and issue them as access tokens, and other implementations generate JWTs and issue them as access tokens. See "7. Access Token" in Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings for further discussion.

OpenID Connect is a specification as to how to request and issue ID tokens. The specification says an ID token is a kind of JWT. In addition, JWT is used in other places in the specification. Responses from the UserInfo Endpoint are either plain JSON or JWT. Request Objects are JWTs.

In normal cases, a server which supports OpenID Connect can issue both ID tokens (which are JWTs) and access tokens (which are either random strings or JWTs). This may be making you confused. Reading the following articles may be of help.

  1. Diagrams of All The OpenID Connect Flows
  2. Diagrams And Movies Of All The OAuth 2.0 Flows
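The following example is added here and is not code from either answer or from IdentityServer: it shows what a resource server actually does with a JWT (verify the signature, expiry and audience, then read the claims) and why an opaque random-string access token cannot be handled the same way. It uses a constructed HS256 key for a self-contained demo; IdentityServer signs with an asymmetric key, so a real verifier would use the public key published in the discovery document instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for HS256. Real IdentityServer tokens are RS256-signed
# and verified with the issuer's public key, not a shared secret.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    dump = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, audience: str, now=None):
    """Return the claims dict if the token is valid for `audience`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # an opaque (random-string) access token is not a JWT
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # pin the expected algorithm; never trust the token's alg
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature mismatch: payload tampered or wrong issuer key
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None  # token was issued for a different API
    return claims
```

The claims the question asks about (`sub`, `iss`, `aud`, `exp`, plus any custom ones) are simply the decoded payload, but they are only trustworthy after the signature check passes.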
