How does the authorization endpoint know the user is logged in?

I am implementing single sign-on with OAuth2 and OpenID Connect for a distributed web application. The Authorization Server is running on its own. I've implemented the access token endpoint and am currently trying to implement the authorization endpoint (for the Authorization Code flow).

This is my understanding of what should happen:


              GET http://authserver/authorize?client_id=1&
                                              state=BB&
 _________                                    scope=read_user&                ____________
|         |                                   redirect_uri=myapp/callback    |            |
|         |----------------------------------------------------------------> |            |
| Browser |                                                                  | AuthServer |
|         |<-----------------------------------------------------------------|            |
|_________|   302 myapp/callback?code=AAA&state=BB                           |____________|


At this point the browser simply needs to make a second request to the access token endpoint with the code, and it will receive the access token.

However, before all this happens, I'm a bit confused about how the Authorization Server really knows that the user is logged in:

  1. Shouldn't the Authorization Server verify somehow that the user is logged in?
  2. If at a previous step, say, the user logged in and got a cookie from another server, how could that be verified from the Authorization Server's point of view? How does the server know that the user requesting the code is John and not Bob or someone anonymous?

I will try to answer your questions with RFC 6749, The OAuth 2.0 Authorization Framework. Note that this is valid for OpenID Connect as well, as it is an extension to OAuth 2.0.

1. Shouldn't the Authorization Server verify somehow that the user is logged in?

Section 3.1, Authorization Endpoint, states the following:

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.

Before the redirect, the authorization server performs end-user authorization for the request. This is done in the form of a user login or a desired mechanism as given above. This is the point where the actual end-user validation happens. From your question's perspective, this is the login.

2. If at a previous step, say, the user logged in and got a cookie from another server, how could that be verified from the Authorization Server's point of view?

I hope you know the basics of cookies. They help browser-based web applications maintain state between the front end and the back end.

Depending on the authorization server's configuration, one could ask the end user to mark the logged-in state as remembered. Then what your browser gets is a secure cookie, which is stored in the browser. This is a string which has no meaning to the end user, but in the back end there is a correlation (think of an index key) against the logged-in user (e.g. A1 - Bob, A2 - Alex).

So the next time the user opens the browser and uses your application, the authorization server gets the cookie with the authorization request. If the cookie is not expired/invalidated, the authorization server can skip the login dialog. And, as highlighted in the first section, the end-user grant occurs through the cookie.
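The decision the answer describes (look the session cookie up server-side, send the browser to login if there is no valid session, otherwise mint a code bound to that user and redirect with the state echoed back) as an added, self-contained illustration; this is not code from the original question or answer, and the in-memory session, client and code tables, the `sid` cookie name and the `/login` page are constructed assumptions:

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed in-memory state for illustration only.
# Session cookie value -> logged-in user (the "index key" from the answer).
SESSIONS = {
    "A1": {"user": "Bob",  "expires": time.time() + 3600},
    "A2": {"user": "Alex", "expires": time.time() - 1},    # already expired
}
# Registered clients and their allowed redirect URIs (exact-match check).
CLIENTS = {"1": {"redirect_uris": ["https://myapp/callback"]}}
# Issued authorization codes -> the user/client/URI each one is bound to.
CODES = {}

def handle_authorize(query, cookies, now=None):
    """Return the response the authorization endpoint gives for one GET /authorize."""
    now = time.time() if now is None else now
    client = CLIENTS.get(query.get("client_id"))
    redirect_uri = query.get("redirect_uri")
    # Validate client_id and redirect_uri before anything else, so neither a
    # code nor an error is ever redirected to an unregistered URI.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return {"status": 400, "body": "invalid_client_or_redirect_uri"}
    # Who is the resource owner? The cookie is only an opaque key; the user
    # identity comes from the server-side session table, never from the cookie.
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None or session["expires"] <= now:
        # No valid login: show the login dialog, then resume this request.
        return_to = "/authorize?" + urlencode(query)
        return {"status": 302,
                "location": "/login?" + urlencode({"return_to": return_to})}
    # Authenticated: mint a short-lived, single-use code bound to this user,
    # client and redirect_uri; the token endpoint checks these later.
    code = secrets.token_urlsafe(24)
    CODES[code] = {"user": session["user"], "client_id": query["client_id"],
                   "redirect_uri": redirect_uri, "scope": query.get("scope", ""),
                   "expires": now + 60, "used": False}
    params = {"code": code}
    if "state" in query:
        params["state"] = query["state"]   # echoed back unchanged for CSRF binding
    return {"status": 302, "location": redirect_uri + "?" + urlencode(params)}
```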
