简体繁体 English

在 angular 8 中授权资源的最佳方式是什么

[英]What is the best way to authorize to a resource in angular 8

原文 2020-01-24 16:30:28 6 2 angular/ casl

I am trying to handle resource (or claim) based authorization in angular 8. I found an CASL angular actions abilitiy management.我正在尝试在 angular 8 中处理基于资源（或声明）的授权。我发现了一个CASL角度操作能力管理。

So,I want to protect all crud actionswith using action based authorization in angular 8.所以，我想在 angular 8 中使用基于动作的授权来保护所有 crud 动作。

It should be also claims based authorization.它也应该是基于声明的授权。 But, I don't know which is the best way to use.但是，我不知道哪个是最好的使用方法。

What is the best way to make action based authroization in angular 8?在 angular 8 中进行基于动作的授权的最佳方法是什么？

Thanks谢谢

2 个解决方案

CASL seems to be ACL and is done on the server side. CASL好像是ACL，是在服务器端完成的。 It defines permission per resource server side.它定义了每个资源服务器端的权限。 Angular is a client side framework. Angular 是一个客户端框架。

"What is the best way" questions usually get closed pretty quickly as it's subjective. “什么是最好的方法”问题通常很快就会结束，因为它是主观的。

There is no difference how you access a resource if it's protected by ACL, RBAC or whatever.如果资源受 ACL、RBAC 或其他任何保护，则访问资源的方式没有区别。 If the http request returns an error, you might handle the response and output whatever messages you wish.如果 http 请求返回错误，您可以处理响应并输出您希望的任何消息。 "claims" based auth you're probably thinking openid-connect/oauth2 or your own JWT claim sending auth that is on the server side.基于“声明”的身份验证您可能正在考虑 openid-connect/oauth2 或您自己的 JWT 声明发送服务器端的身份验证。

Your own implementation is simpler to understand since you wrote it, right?自从您编写它以来，您自己的实现更容易理解，对吗？ But it takes longer to write and do right.但是写和做正确需要更长的时间。

I'm only aware of 2 open source openid connect servers, that's keycloak and identityserver4我只知道 2 个开源 openid 连接服务器，即keycloak和identityserver4

There are libraries for Angular, but it's all very shaky.有用于 Angular 的库，但它们都非常不稳定。 There's a general purpose oidc/oauth2 library for Angular by Manfred Steyer, but it has issues with code flow, only password flow and implicit flow really work and then it gets more and more complicated finding out why silent refresh doesn't work. Manfred Steyer为 Angular 提供了一个通用的 oidc/oauth2 库，但它存在代码流问题，只有密码流和隐式流才真正起作用，然后越来越复杂，找出为什么静默刷新不起作用。 Chrome doing a cookie security SameSite update soonTM which will break many sites. Chrome 正在执行 cookie 安全 SameSite 更新，这将破坏许多站点。

There's a keycloak js adapter and a ngx-keycloak repo but they also have their issues, especially again token refresh before expiration.有一个 keycloak js 适配器和一个 ngx-keycloak repo，但它们也有它们的问题，尤其是在到期前再次刷新令牌。

There are commercial providers with their libraries that I have not tested, like auth0 and okta.有些商业供应商的库我没有测试过，比如 auth0 和 okta。

Developing your own auth thing, which is separate from the ACL and/or RBAC, takes time on both the server and the client side, but you have control over everything.开发您自己的身份验证事物，它与 ACL 和/或 RBAC 分开，在服务器端和客户端都需要时间，但您可以控制一切。 You could mimic some of the oauth2/oidc features, like a token info endpoint, since you're sending out JsonWebTokens (JWT).您可以模仿一些 oauth2/oidc 功能，例如令牌信息端点，因为您要发送 JsonWebTokens (JWT)。

The more distributed, the less monolithic your app is the more complicated it also is.你的应用程序越分散，越单一，它也就越复杂。

What is the best?哪个最好？ It always depends.这总是取决于。

CASL is isomorphic, so can be used on both backend and frontend. CASL 是同构的，因此可以在后端和前端使用。 There is a separate package for Angular @casl/angular which helps to integrate CASL easier. Angular @casl/angular有一个单独的包，它有助于更轻松地集成 CASL。

Currently the overall phylosophy of CASL is spinning around actions (or claims) and subjects.目前，CASL 的整体哲学围绕着行动（或主张）和主题展开。 I'm working right now on CASL v4 which will have better TypeScript support and will have support for claim based authorization.我现在正在研究 CASL v4，它将有更好的 TypeScript 支持，并将支持基于声明的授权。

You can use CASL even right now, look at this comment for information of how to configure Ability to use claim base authorization您现在甚至可以使用 CASL，有关如何配置使用声明基础授权的Ability信息，请查看此评论

Update : by the way there is an example of integration between CASL and Angular .更新：顺便说一下，有一个 CASL 和 Angular 之间集成的例子。 Related article is in README相关文章在自述文件中