
Authentication in microservices

I am developing a microservice system for my company using ASP.NET Core. But I have faced the following problem: when an authenticated user requests some service, how should it check whether the token is current (not blacklisted)? I mean the case when a user takes a new token but his old token has not expired yet, thus the old one is still current and could be used for accessing the resource services. So I am going to make all of the microservices ask the authentication service whether the token is current at each request. Perhaps there are more elegant ways to do it?

If you want to make sure that the token is valid and current on every request then you will have to ask the data source (your Authentication Provider) for that information on every request.

This can be done in a middleware so that your main code can stay clean.

There are two approaches you could take based on your services.

If a service is called very frequently, let it cache the token (not in the core code, but in some layer above) and listen for user login/logout updates. In this case the worst that could happen is that even after logout the user can call this service for a very small period of time (the time between syncs).

Also in this case multiple services could use the same cache (memcache or the like).

If a service is called less frequently or requires very high consistency, call every time for a consistency check.
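As an added illustration of the caching approach described in this answer (my own Python model, not code from the question or the answers, and not ASP.NET Core middleware): an `AuthProvider` stands in for the authentication service, and two `ResourceService` instances cache its verdict for a sync interval, one of which also subscribes to logout events. The names, the 300 s token TTL and the 60 s sync interval are constructed for illustration.

```python
# Constructed model, not the page's code: AuthProvider stands in for the identity service.
class AuthProvider:
    def __init__(self, token_ttl):
        self.token_ttl, self._active, self.listeners = token_ttl, {}, []

    def login(self, user, now):
        token = f"{user}:{now}"          # opaque handle; a real system issues a JWT
        self._active[token] = now + self.token_ttl
        return token

    def logout(self, token):             # revoke, then push the event to subscribers
        self._active.pop(token, None)
        for notify in self.listeners:
            notify(token)

    def is_active(self, token, now):     # the authoritative "is this token current?" check
        expiry = self._active.get(token)
        return expiry is not None and now < expiry


class ResourceService:
    """One microservice: caches the provider's verdict for sync_interval seconds;
    with listen=True a logout event also purges the token from the cache at once."""

    def __init__(self, provider, sync_interval, listen):
        self.provider, self.sync_interval, self._cache = provider, sync_interval, {}
        if listen:
            provider.listeners.append(lambda token: self._cache.pop(token, None))

    def allow(self, token, now):
        verdict = self._cache.get(token)   # (is_active, cached_at) or None
        if verdict is None or now - verdict[1] >= self.sync_interval:
            verdict = (self.provider.is_active(token, now), now)
            self._cache[token] = verdict
        return verdict[0]


def simulate():
    # User gets a new token at t=10 and the old, still unexpired one is revoked.
    provider = AuthProvider(token_ttl=300)
    listener = ResourceService(provider, sync_interval=60, listen=True)
    poller = ResourceService(provider, sync_interval=60, listen=False)
    old = provider.login("alice", now=0)
    listener.allow(old, 1), poller.allow(old, 1)     # both cache "active" at t=1
    new = provider.login("alice", now=10)
    provider.logout(old)
    return {
        "listener_right_after": listener.allow(old, 11),  # False: event purged cache
        "poller_right_after": poller.allow(old, 11),      # True: stale until sync
        "poller_after_sync": poller.allow(old, 61),       # False: re-checked
        "new_token": poller.allow(new, 61),               # True
    }
```

The `poller` result shows the window the answer mentions: without the logout event, a revoked token is still accepted until the cache entry is re-synced.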

This is expected behaviour when making use of tokens. Tokens, once created, need no further check (other than verifying the signature), and this is perhaps why they are good: they minimize the validation calls to the Authentication Provider each and every time a service is invoked.

Tokens should be created for the smallest duration, with the TTL being as small as possible for you. In microservices this time can be kept to as small as a couple of minutes to maybe five minutes (every five minutes you can refresh your token). This should be enough for most applications as long as you do due diligence to keep the token safe when passing it from one service to another.

If however it is critical for you to make sure that no unintended use of tokens occurs, you should rest that responsibility with the Authentication Provider itself. Anyone else in between does not have the authority to validate the token.
