[英]How to organize communication in an asp.net web application using separate authorization server, web api, ui?
ui
, api
, IdentityServer
( IS
) ( client
, resource
, IS
in terms of IdentityServer
)ui
、 api
、 IdentityServer
( IS
) ( client
、 resource
、 IS
在IdentityServer
)IS
and api
)IS
和api
单独数据库)api
is stateless (all the needed auth info got from tokens) api
是无状态的(所有需要的身份验证信息都来自令牌)api
will have resources like \\projects
, \\users
, etc. api
将拥有\\projects
、 \\users
等资源。another-ui
which will communicate with the IS
and api
and will have its own claimsanother-ui
,它将与IS
和api
通信并拥有自己的声明The main problem is that the resources of api
like \\projects\\12345
, \\users\\
, \\projects\\123456\\users
, etc. may also be needed as claims in IS
.主要问题是
api
的资源,如\\projects\\12345
、 \\users\\
、 \\projects\\123456\\users
等,也可能需要作为IS
。 For example, api
module reads the access token of authorized user and see the claim projects
that equals ["222", "12345"]
, so the resource \\projects\\12345
or \\projects\\123456\\users
are allowed for that user.例如,
api
模块读取授权用户的访问令牌并查看等于["222", "12345"]
的声明projects
,因此该\\projects\\123456\\users
允许资源\\projects\\12345
或\\projects\\123456\\users
。 Users are identities in IS
and resources in api
at the same time.用户同时是
IS
中的身份和api
中的资源。 Projects are claims in IS
and resources in api
at the same time.项目同时是
IS
中的声明和api
中的资源。
I thought of book-keeping these entities that are represented in both modules through the ids (guids).我想通过 ids (guids) 来记录这些在两个模块中表示的实体。 But ids won`t solve all the problems.
但是 id 并不能解决所有问题。
Some of them are:他们之中有一些是:
IS
api to create that claim for that user and then proceed with project creation.IS
api 为该用户创建该声明,然后继续创建项目。 How the communication between the two ( IS
and api
) should be organized?IS
和api
)之间的通信? Do we need to register the api
as another client in IS
?IS
中将api
注册为另一个客户端?IS
like changing the email, phone (the values one may log in with) will update the api
. IS
中用户的更新应该如何更新,例如更改电子邮件、电话(可能登录的值)将更新api
。 I thought of showing warnings that the auth email (got from token) does not match the info email. Could you, please, explain how modern systems coupe with the per resource access?请您解释一下现代系统如何与每个资源访问相结合?
Thank you for your time.感谢您的时间。
First you need to make sure what a claim is.首先,您需要确定索赔是什么。
Claim is not a permission or a role, it's what the user is.声明不是权限或角色,而是用户。 Based on what the user is, then you can assume the permissions.
根据用户是什么,然后您可以承担权限。
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-3.0 https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-3.0
A claim is a name value pair that represents what the subject is, not what the subject can do.
声明是一个名称值对,表示主题是什么,而不是主题可以做什么。
So starting from that, you can get the claims and do the following.因此,从那里开始,您可以获得声明并执行以下操作。
Let's say that a user is the owner of a project.假设用户是项目的所有者。 When the new project is created, the project api can update the identity server and add a claim to the user saying he is the owner.
创建新项目时,项目 api 可以更新身份服务器并向用户添加声明,说明他是所有者。
In your apis the owner of a project has a set of permissions and based in those, access to specific resources在您的 api 中,项目的所有者拥有一组权限,并基于这些权限访问特定资源
In the DDD Domain driven design world, a little bit of data duplication does not matter.在 DDD 领域驱动的设计世界中,一点点的数据重复并不重要。 So duplicating the possible claims that your application needs in terms of roles (again, not ids but a mapping of one or more claims to specific roles) is not a bad practice.
因此,复制您的应用程序在角色方面需要的可能声明(同样,不是 id,而是一个或多个声明到特定角色的映射)并不是一个坏习惯。
When you update some kind of claim from your api, you should do so in a transactional way.当您从 api 更新某种声明时,您应该以事务性的方式进行。 Think first if you need the email to be saved in both.
首先考虑是否需要将电子邮件保存在两者中。 You will get the user data from the claims anyway on every request.
无论如何,您将在每个请求中从声明中获取用户数据。 Is it even something you need as a claim?
它甚至是您需要的东西作为索赔吗? If not have it in your api only.
如果没有它只在你的 api 中。
Communication between apis is organized in many ways. api 之间的通信以多种方式进行组织。 If you need transactions or eventual consistency is something you should also consider.
如果您需要事务或最终一致性,您还应该考虑。 Communicating with events or queues is the microservices way to go, with patterns like the SAGA being the coordinator.
与事件或队列通信是微服务的方式,像 SAGA 这样的模式是协调器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.