
OIDC for browser-less clients

I'm working on designing an OIDC Relying Party (SP), which should work with most of the popular OIDC Providers (IDPs). I requested to allow authentication and authorization also for clients that are not web applications. Is it recommended to work with OIDC in case there is no browser in the client? Which flow is the most recommended for this case? Do most IDPs support such a flow (with no browser)?

Many OpenID Connect providers use some form of "Device Flow".

This is one example: https://auth0.com/blog/oauth-device-flow-no-hassle-authentication-as-seen-on-tv/

Google for Device Flow and you can find many.

There's a draft specification for the Client Initiated Backchannel Authentication (CIBA) flow ( https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html ).

This would work from a device which doesn't have a browser. Essentially the client makes an authentication request and the OpenID Provider (OP) authenticates using an Authentication Device (AD), usually a smartphone.

When the user is authenticated the client receives the tokens either by poll, ping or push.

From the docs the flows look like this...

CIBA Poll Mode is illustrated in the following diagram:

    +--------+                                               +--------+
    |        |                                               |        |
    |        |<---(1) CIBA Request-------------------------->|        |
    |        |                                               |        |
    |        |  +--------+                                   |        |
    |        |  |        |                                   |        |
    | Client |  |   AD   |<--(2) User interactions---------->|   OP   |
    |        |  |        |                                   |        |
    |        |  +--------+                                   |        |
    |        |                                               |        |
    |        |----(3a) CIBA Polling Request----------------->|        |
    |        |<---(3b) CIBA Polling Response-----------------|        |
    |        |                ...                            |        |
    |        |----(3a) CIBA Polling Request----------------->|        |
    |        |<---(3b) CIBA Polling Response-----------------|        |
    |        |                                               |        |
    +--------+                                               +--------+

CIBA Ping Mode is illustrated in the following diagram:

    +--------+                                               +--------+
    |        |                                               |        |
    |        |<---(1) CIBA Request-------------------------->|        |
    |        |                                               |        |
    |        |  +--------+                                   |        |
    |        |  |        |                                   |        |
    | Client |  |  AD    |<--(2) User interactions---------->|   OP   |
    |        |  |        |                                   |        |
    |        |  +--------+                                   |        |
    |        |                                               |        |
    |        |<---(3) CIBA Ping Callback---------------------|        |
    |        |                                               |        |
    |        |----(4a) CIBA Token Request------------------->|        |
    |        |<---(4b) CIBA Token Response-------------------|        |
    +--------+                                               +--------+

CIBA Push Mode is illustrated in the following diagram:

    +--------+                                               +--------+
    |        |                                               |        |
    |        |<---(1) CIBA Request-------------------------->|        |
    |        |                                               |        |
    |        |  +--------+                                   |        |
    |        |  |        |                                   |        |
    | Client |  |  AD    |<--(2) User interactions---------->|   OP   |
    |        |  |        |                                   |        |
    |        |  +--------+                                   |        |
    |        |                                               |        |
    |        |<---(3) CIBA Push Callback---------------------|        |
    |        |                                               |        |
    +--------+                                               +--------+
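The poll-mode loop (steps 3a/3b in the first diagram) sketched as a client-side routine; this is an added example, not part of the original answer or of any provider's SDK. The names `poll_for_tokens`, `CibaError` and the `post` transport callable are hypothetical; the grant type, the `auth_req_id`, `interval` and `expires_in` fields, and the error codes are those defined in the CIBA Core specification.

```python
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


class CibaError(Exception):
    """Terminal failure of a CIBA poll-mode transaction."""


def poll_for_tokens(post, token_endpoint, auth_response,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint until tokens arrive or a terminal error occurs.

    post(url, form) -> (http_status, json_dict) is a hypothetical transport
    callable; a real one wraps an HTTPS client and performs client
    authentication. auth_response is the JSON returned by step (1).
    """
    auth_req_id = auth_response["auth_req_id"]
    interval = auth_response.get("interval", 5)  # spec default is 5 seconds
    deadline = clock() + auth_response["expires_in"]

    while clock() < deadline:
        sleep(interval)  # never poll faster than the OP allows
        status, body = post(token_endpoint, {
            "grant_type": CIBA_GRANT,
            "auth_req_id": auth_req_id,
        })
        if status == 200:
            if "id_token" not in body:
                raise CibaError("token response lacks id_token")
            return body  # caller must still validate the ID token
        error = body.get("error")
        if error == "authorization_pending":
            continue  # user has not acted on the AD yet
        if error == "slow_down":
            interval += 5  # back off by at least 5 seconds
            continue
        # access_denied, expired_token, invalid_grant, ... are all terminal
        raise CibaError(error or f"unexpected HTTP {status}")
    raise CibaError("auth_req_id expired before the user responded")
```

Treating every error other than `authorization_pending` and `slow_down` as terminal keeps a denied or expired request from being retried indefinitely.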
