How to use multifactor authentication with OAuth Resource Owner Password Credentials Grant?
You almost certainly don't need the Resource Owner Password Credentials Grant (ROPC). Why do I want to?
I am working on a browserless device. The device is the Resource Server and uses an Authorization Server. In this use case (I say this use case because the device also supports other access methods), the device proxies credentials for the user and requests a token (a token to access itself) from the Authorization Server. Thus, the device proxies credentials for both authentication and authorization. It essentially says, "I am Device A. Here are User B's credentials. Please give me a token that allows Device A to access Device A on User B's behalf."
Again, the device has no browser. Based on Scott Brady's don't ever use OAuth article, this is about the only application for which the Resource Owner Password Credentials Grant (RFC 6749 § 4.3) is a reasonable choice.
But I want to use multifactor authentication.
Neither RFC 6749 nor the documentation supports sending a second factor. And that Scott Brady article says multifactor authentication is deliberately not supported.
So:
I'm basically asking, is it recommended to go off-standard in this case, or does this case mean I did something else wrong already?
To be clear on what I have in mind, this case requires two bits of added functionality:
My non-standard plan is to:
For the error response, I came upon "interaction_required". I found one example where this seems to be used in relation to multifactor authentication, but in a different way.
Tagged with identityserver4 because I'm also interested in relevant best practices if there is nothing standard.
I found this related question but it concerns a different flow.
Prior to the OAuth 2.0 Device Flow for Browserless and Input Constrained Devices spec, you may have needed ROPC. But now you don't. The RFC (still in draft) is made for exactly this situation.
Instead of the Device handling the user's password, the Device contacts the Authorization Server and gets an end-user code. The user uses this code to log in to the Authorization Server and authorize the Device.
Figure 1 from the Draft RFC (v. 07):
+----------+                                +----------------+
|          |>---(A)-- Client Identifier --->|                |
|          |                                |                |
|          |<---(B)-- Verification Code, --<|                |
|          |              User Code,        |                |
|          |         & Verification URI     |                |
|  Device  |                                |                |
|  Client  |         Client Identifier &    |                |
|          |>---(E)-- Verification Code --->|                |
|          |    polling...                  |                |
|          |>---(E)-- Verification Code --->|                |
|          |                                |  Authorization |
|          |<---(F)-- Access Token --------<|     Server     |
+----------+  (w/ Optional Refresh Token)   |                |
      v                                     |                |
      :                                     |                |
     (C) User Code & Verification URI       |                |
      :                                     |                |
      v                                     |                |
+----------+                                |                |
| End-user |                                |                |
|    at    |<---(D)-- User authenticates -->|                |
|  Browser |                                |                |
+----------+                                +----------------+

                    Figure 1: Device Flow.
A few obvious differences:
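As an added illustration of the flow in Figure 1 (example code written for this page, not from the answer, the draft, or any identity server product): a minimal offline simulation with both the authorization server and the browserless device in one file. It shows where the second factor from the question goes. The device only ever sends its client_id and the device_code; the password and a one-time code are both checked by the authorization server during the browser step (D), so the token endpoint needs no non-standard extension. The draft was later published as RFC 8628. The endpoint method names, the user_code format, the demo account user-b with its password and one-time code, the verification URI and the fake clock are all assumptions made for this example.

```python
# Added example (not the post's, the draft's, or any real server's code): both sides of the flow.
import secrets
import string

class AuthorizationServer:
    """Toy AS: issues codes (A/B), takes the browser approval (C/D), mints tokens (E/F)."""
    USERS = {"user-b": {"password": "correct horse", "otp": "492718"}}  # constructed demo account

    def __init__(self, clock, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime, self.pending = clock, interval, lifetime, {}

    def device_authorization(self, client_id, scope):
        # (A)/(B): only the client_id arrives; the secret device_code stays on the device and
        # the short user_code is what it displays (assumed format XXXX-XXXX, about 37 bits).
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join("".join(secrets.choice(string.ascii_uppercase) for _ in range(4))
                             for _ in range(2))
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "expires_at": self.clock() + self.lifetime, "last_poll": None,
                                     "status": "authorization_pending", "subject": None}
        return {"device_code": device_code, "user_code": user_code, "expires_in": self.lifetime,
                "verification_uri": "https://as.example/device", "interval": self.interval}

    def approve_in_browser(self, user_code, username, password, otp):
        # (C)/(D): the user enters the user_code in a browser and authenticates with every
        # factor the AS demands; the device is not involved, so MFA needs no device-side change.
        rec = next((r for r in self.pending.values() if r["user_code"] == user_code
                    and r["status"] == "authorization_pending"), None)
        if rec is None:
            return "invalid_user_code"
        acct = self.USERS.get(username)
        if acct is None or not secrets.compare_digest(acct["password"], password):
            return "bad_password"
        if not secrets.compare_digest(acct["otp"], otp):
            return "mfa_failed"
        rec["status"], rec["subject"] = "authorized", username
        return "approved"

    def token(self, client_id, device_code):
        # (E)/(F): poll with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}  # polled faster than the agreed interval
        rec["last_poll"] = now
        if rec["status"] != "authorized":
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["subject"]}

class DeviceClient:
    """Browserless device: it can show a code on its display and poll, nothing more."""
    def __init__(self, server, client_id, scope, clock):
        self.server, self.client_id, self.scope, self.clock = server, client_id, scope, clock

    def start(self):
        resp = self.server.device_authorization(self.client_id, self.scope)
        self.device_code, self.interval = resp["device_code"], resp["interval"]
        self.user_code = resp["user_code"]  # the only value that goes on the screen
        return f"On another device open {resp['verification_uri']} and enter {self.user_code}"

    def poll(self, wait=True):
        """One token request; returns (status, token-or-None)."""
        if wait:
            self.clock.sleep(self.interval)
        resp = self.server.token(self.client_id, self.device_code)
        if "access_token" in resp:
            return "token", resp
        if resp["error"] == "slow_down":
            self.interval += 5  # back off by 5 s, as the spec requires
        return resp["error"], None

class FakeClock:
    """Deterministic clock so the walk-through does not really sleep."""
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def sleep(self, seconds): self.t += seconds

def demo():
    """Walk the flow once; returns (observed statuses, token, final poll interval)."""
    clock = FakeClock()
    server = AuthorizationServer(clock=clock.now)
    dev = DeviceClient(server, "device-a", "device-a:control", clock)
    dev.start()
    trace = [dev.poll()[0]]  # user has not acted yet -> authorization_pending
    trace.append(dev.poll(wait=False)[0])  # polled again at once -> slow_down
    # The user reads the code off the device and logs in at the AS with both factors.
    trace.append(server.approve_in_browser(dev.user_code, "user-b", "correct horse", "000000"))
    trace.append(server.approve_in_browser(dev.user_code, "user-b", "correct horse", "492718"))
    status, token = dev.poll()  # the AS now releases the token
    return trace + [status], token, dev.interval
```

Running demo() walks through authorization_pending, slow_down, a rejected attempt with the wrong one-time code, the approval, and finally the token, whose sub is user-b; the slow_down response raises the device's polling interval from 5 to 10 seconds, which is the back-off the draft prescribes. Two things a real server must add on top of this toy: rate-limit the verification page, because an eight-letter user_code is short enough to guess under sustained attack, and treat the device_code as the secret that binds the poll to the approval, never displaying or logging it.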