
How to use multifactor authentication with OAuth Resource Owner Password Credentials Grant?

Why the Resource Owner Password Credentials Grant?

You almost certainly don't need the Resource Owner Password Credentials Grant (ROPC). Why do I want to?

I am working on a browserless device. The device is the Resource Server and uses an Authorization Server. In this use case (I say this use case because the device also supports other access methods), the device proxies credentials for the user and requests a token (a token to access itself) from the Authorization Server. Thus, the device proxies credentials for both authentication and authorization. It essentially says, "I am Device A. Here are User B's credentials. Please give me a token that allows Device A to access Device A on User B's behalf."

Again, the device has no browser. Based on Scott Brady's "don't ever use OAuth" article, this is about the only application for which the Resource Owner Password Credentials Grant (RFC 6749 § 4.3) is a reasonable choice.

But I want to use multifactor authentication.

Neither RFC 6749 nor the documentation support sending a second factor. And that Scott Brady article says multifactor authentication is deliberately not supported.

So:

  1. Does the one use case where ROPC makes sense necessarily imply that multifactor authentication is a bad idea or useless? Or
  2. Is this a valid use case that the standard deliberately ignores to discourage people from abusing ROPC? Or
  3. Is this a valid use case that is simply out of scope of the standard?

I'm basically asking, is it recommended to go off-standard in this case, or does this case mean I did something else wrong already?

Multifactor Requirements

To be clear on what I have in mind, this case requires two bits of added functionality:

  1. A way to send a "second factor" to the Authorization endpoint.
  2. A way for the Authorization endpoint to respond to a normal request saying that multifactor authentication is required.

My non-standard plan is to:

  1. Add a custom parameter to the ROPC (eg "second_factor").
  2. Use a special "error" parameter in the error response to signal that a second factor is needed.

For the error response, I came upon "interaction_required". I found one example where this seems to be used in relation to multifactor authentication, but in a different way.

Tagged with identityserver4 because I'm also interested in relevant best practices if there is nothing standard.

I found this related question but it concerns a different flow.

Prior to the OAuth 2.0 Device Flow for Browserless and Input Constrained Devices spec, you may have needed ROPC. But now you don't. The RFC (still in draft) is made for exactly this situation.

Instead of the Device handling the user's password, the Device contacts the Authorization Server and gets an end-user code. The user uses this code to log in to the Authorization Server and authorize the Device.

Figure 1 from the Draft RFC (v. 07):

  +----------+                                +----------------+
  |          |>---(A)-- Client Identifier --->|                |
  |          |                                |                |
  |          |<---(B)-- Verification Code, --<|                |
  |          |              User Code,        |                |
  |          |         & Verification URI     |                |
  |  Device  |                                |                |
  |  Client  |         Client Identifier &    |                |
  |          |>---(E)-- Verification Code --->|                |
  |          |    polling...                  |                |
  |          |>---(E)-- Verification Code --->|                |
  |          |                                |  Authorization |
  |          |<---(F)-- Access Token --------<|     Server     |
  +----------+  (w/ Optional Refresh Token)   |                |
        v                                     |                |
        :                                     |                |
       (C) User Code & Verification URI       |                |
        :                                     |                |
        v                                     |                |
  +----------+                                |                |
  | End-user |                                |                |
  |    at    |<---(D)-- User authenticates -->|                |
  |  Browser |                                |                |
  +----------+                                +----------------+

                      Figure 1: Device Flow.

A few obvious differences:

  1. More secure: Device does not handle credentials. Less room for abuse or exploitation of Device vulnerabilities.
  2. Easier on "Input Constrained" Devices since nothing needs to be entered on the Device.
  3. User needs a secondary device with a browser.
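The exchange in the figure above, as an added example that is not part of the original answer and not the code of any real library: a Python simulation of both sides of the Device Authorization Grant (RFC 8628, the published form of the draft the answer cites). The FakeClock, the verification URI, the client id and user names, and the "subject" field in the token response are constructed for this demonstration; a real device would POST to the server's device authorization and token endpoints over HTTPS. The point that matters for the question is visible in user_decision: the password and any second factor are entered in the browser on the second device, so the authorization server enforces MFA with no "second_factor" parameter in the protocol and with the device never holding credentials.

```python
import secrets
from dataclasses import dataclass

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # uppercase, no vowels, as RFC 8628 s6.1 recommends


class FakeClock:
    """Constructed clock so the expiry and polling-interval rules can be exercised offline."""
    def __init__(self): self.now = 1000.0
    def time(self): return self.now
    def sleep(self, seconds): self.now += seconds


@dataclass
class DeviceAuthorization:
    client_id: str
    user_code: str
    expires_at: float
    interval: int
    approved_by: str = ""  # username, set when the user approves in the browser (step D)
    denied: bool = False
    last_poll: float = float("-inf")


class AuthorizationServer:
    """Server side of the exchange: the device never sees the password or the second factor."""
    VERIFICATION_URI = "https://as.example/device"  # assumed placeholder
    EXPIRES_IN, INTERVAL = 600, 5

    def __init__(self, clock):
        self.clock, self.pending = clock, {}  # pending authorizations keyed by device_code

    def device_authorization(self, client_id):
        """Steps A/B: device sends its client_id, gets device_code, user_code and verification URI."""
        device_code = secrets.token_urlsafe(32)  # high entropy; only the device ever holds it
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        self.pending[device_code] = DeviceAuthorization(
            client_id, user_code, self.clock.time() + self.EXPIRES_IN, self.INTERVAL)
        return {"device_code": device_code, "user_code": user_code, "verification_uri": self.VERIFICATION_URI,
                "expires_in": self.EXPIRES_IN, "interval": self.INTERVAL}

    def user_decision(self, user_code, username, approve):
        """Step D: user signs in on a second device (password, MFA, whatever the server enforces) and decides."""
        code = user_code.strip().upper()
        auth = next((a for a in self.pending.values() if a.user_code == code), None)
        if auth is None or self.clock.time() > auth.expires_at:
            return False  # unknown or expired user_code
        if approve:
            auth.approved_by = username
        else:
            auth.denied = True
        return True

    def token(self, client_id, device_code):
        """Steps E/F: device polls with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        auth = self.pending.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.time()
        if now > auth.expires_at:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - auth.last_poll < auth.interval:
            auth.last_poll = now
            return {"error": "slow_down"}  # polled too fast; client must add 5 s to its interval
        auth.last_poll = now
        if auth.denied:
            del self.pending[device_code]
            return {"error": "access_denied"}
        if not auth.approved_by:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # device_code is single use
        # "subject" is illustrative only; it is not an RFC 8628 response field
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "subject": auth.approved_by}


def device_client(server, clock, client_id, max_polls=200):
    """Browserless device: obtain and show the user_code (step C), then poll until a terminal answer."""
    resp = server.device_authorization(client_id)
    print(f"Visit {resp['verification_uri']} and enter code {resp['user_code']}")  # step C
    interval = resp["interval"]
    for _ in range(max_polls):
        clock.sleep(interval)
        tok = server.token(client_id, resp["device_code"])
        if tok.get("error") == "slow_down":
            interval += 5
        elif tok.get("error") != "authorization_pending":
            return tok
    return {"error": "timeout"}


def run_demo(approve=True):
    """Script the interleaved exchange: the user acts on a second device between two polls."""
    clock, client_id = FakeClock(), "device-a"
    server = AuthorizationServer(clock)
    resp = server.device_authorization(client_id)              # A/B
    clock.sleep(resp["interval"])
    pending = server.token(client_id, resp["device_code"])      # E: user has not acted yet
    server.user_decision(resp["user_code"], "user-b", approve)  # D: user signs in elsewhere
    clock.sleep(resp["interval"] + 5)
    final = server.token(client_id, resp["device_code"])        # F: token, or access_denied
    replay = server.token(client_id, resp["device_code"])       # consumed device_code is rejected
    return {"pending": pending["error"], "final": final, "replay": replay["error"]}
```

run_demo() walks the happy path and the denial path; device_client is the polling loop a real device would run, including the slow_down back-off and the expired_token outcome when nobody ever approves the code.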
