
OIDC, OAuth2.0 and role of access token when OAuth client application and resource server are not different

I am working on an ASP.NET MVC 5 web application. It has only one layer, which contains views as well as business logic/operations. Business logic is logically separated from the UI, but it is not behind a separate web service/API layer.

Now when I use OIDC and OAuth2.0 for my application, there is no separate Resource Server, so to say, because the Client itself has all the Resources I want to have access to.

I am using Authorization Code Flow for authentication & authorization.

Questions:

  1. Does the access token have any role in this case? If yes, what?
  2. How am I going to practically use the access token? Since the client itself is the resource server, there is nothing to which I need to send the access token.

I guess you get an ID token which contains all the information you need for authentication of a user. If not, you can use the access token to get the user info. If this is all the information you need, then the access token is not needed anymore. This happens because OAuth2 is a permission delegation protocol, not an authentication protocol in the first place.

When you have the user info, you can implement it between the browser and your ASP.NET backend in any way. You can take a look at the OAuth 2.0 for Browser-Based Apps RFC.
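The answer above says the ID token already carries what the app needs to authenticate the user. As an added example (not from the question or either answer, and not the ASP.NET OpenID Connect middleware's own code), here are the checks an app in this position must perform before it trusts an ID token, written in Python so it runs stand-alone. It goes one step beyond the answer: even with no separate resource server, the access token still has one job in the code flow, because the ID token's optional `at_hash` claim binds the two tokens together, so a token obtained elsewhere cannot be paired with this login. `ISSUER`, `CLIENT_ID`, `DEMO_KEY`, `DEMO_ACCESS_TOKEN` and the HS256 signing are constructed assumptions; a real provider normally signs with RS256 and publishes its key in a JWKS document.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; none of these come from a real provider or from the original post.
ISSUER = "https://idp.example"              # hypothetical OpenID Provider
CLIENT_ID = "mvc5-app"                      # hypothetical client_id of the MVC 5 application
DEMO_KEY = b"constructed-demo-hs256-key"    # stands in for the provider's signing key
DEMO_ACCESS_TOKEN = "constructed-opaque-access-token"


class InvalidIdToken(Exception):
    """Raised when an ID token fails one of the OIDC Core validation checks."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Signs claims with HS256; stands in for the provider's (normally RS256) signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def at_hash(access_token: str) -> str:
    """OIDC at_hash: base64url of the left half of SHA-256(access_token), as used with *256 algs."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token(id_token, key, issuer, client_id, expected_nonce, now=None, access_token=None):
    """Checks signature, iss, aud, exp, nonce and (when present) at_hash; returns the claims."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # never accept alg=none or a swapped algorithm
        raise InvalidIdToken("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise InvalidIdToken("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise InvalidIdToken("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidIdToken("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise InvalidIdToken("expired")
    if claims.get("nonce") != expected_nonce:   # ties the token to the login request that started the flow
        raise InvalidIdToken("nonce mismatch")
    if access_token is not None and "at_hash" in claims and claims["at_hash"] != at_hash(access_token):
        raise InvalidIdToken("access token does not belong to this ID token")
    return claims


def principal_from_claims(claims: dict) -> dict:
    """All the app needs from the flow: who the user is. Build the session from this."""
    return {"sub": claims["sub"], "name": claims.get("name"), "email": claims.get("email")}


def demo(now: int = 1_700_000_000) -> dict:
    """Builds a constructed ID token, validates it, and shows which tampering is rejected."""
    nonce = "constructed-nonce-123"
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "name": "Ada",
              "email": "ada@example.test", "iat": now, "exp": now + 300,
              "nonce": nonce, "at_hash": at_hash(DEMO_ACCESS_TOKEN)}
    id_token = make_hs256_jwt(claims, DEMO_KEY)
    good = validate_id_token(id_token, DEMO_KEY, ISSUER, CLIENT_ID, nonce,
                             now=now, access_token=DEMO_ACCESS_TOKEN)
    results = {"principal": principal_from_claims(good)}

    def rejected(token=id_token, **overrides) -> bool:
        args = dict(key=DEMO_KEY, issuer=ISSUER, client_id=CLIENT_ID, expected_nonce=nonce, now=now)
        args.update(overrides)
        try:
            validate_id_token(token, **args)
            return False
        except InvalidIdToken:
            return True

    results["wrong_nonce_rejected"] = rejected(expected_nonce="some-other-nonce")
    results["expired_rejected"] = rejected(now=now + 301)
    results["wrong_client_rejected"] = rejected(client_id="another-app")
    results["foreign_access_token_rejected"] = rejected(access_token="token-from-elsewhere")
    results["forged_signature_rejected"] = rejected(token=make_hs256_jwt(claims, b"wrong-key"))
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In an MVC 5 application the OWIN OpenID Connect middleware performs these checks before it signs the user in; the block shows what those checks are so the answer's "the ID token is enough" can be read as "the validated ID token is enough". If there is no API to call, the access token is used only for the `at_hash` pairing and can then be discarded rather than stored.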

In this case you should use Client Credential flow instead of Authorization Code flow. In Client Credential flow, your application would send your client id & client secret to the Authorization Endpoint directly and ask for an access token. An Authorization Code is not needed in Client Credential flow. Details as below:

  1. An authorization code flow typically needs your client to redirect the resource owner to the authorization endpoint and get an authorization code from the authorization endpoint; the client then uses this code to get an access token, and at the end of the day the client uses the access token to access the protected resource.
  2. In Client Credential flow, your client app is actually the owner of your resource. So there is no need to ask for an authorization code. It directly uses its own client credential to get an access token from the authorization endpoint and uses that access token to access the protected resource (Resource server).

