简体繁体 English

中央认证和授权服务

[英]Central Authentication and authorization service

原文 2020-08-10 07:33:36 4 1 python/ django/ authentication/ authorization/ single-sign-on

I want to design some "central authentication and authorization service" and I know that there is already a couple .我想设计一些“中央身份验证和授权服务”，我知道已经有几个. My concerns are not about the standards.我担心的不是标准。 In the following lines, I'll try to explain it.在以下几行中，我将尝试解释它。

I have created two Django client apps that have their own authentication and authorization mechanics.我创建了两个 Django 客户端应用程序，它们具有自己的身份验证和授权机制。 The two applications have different designs thus different permissions and roles.这两个应用程序具有不同的设计，因此具有不同的权限和角色。 But the users are identical.但是用户是相同的。

Now I have to create a third application through which the two former applications have to do authentication and that is OK (using for example OAuth).现在我必须创建第三个应用程序，前两个应用程序必须通过它进行身份验证，这没关系（例如使用 OAuth）。 But the third application is also responsible for authorization, ie the roles, permissions (including numerous object-level permissions) are stored by and managed in the third application.但第三应用也负责授权，即角色、权限（包括众多的对象级权限）由第三应用存储和管理。

The questions are:问题是：

How can I implement the third application so that it can support non-specific, free-style permissions?如何实现第三个应用程序，以便它可以支持非特定的、自由样式的权限？
How can I store those permissions?如何存储这些权限？
How should I transfer the permissions to the client applications?我应该如何将权限转移到客户端应用程序？
How can I query for some permissions?如何查询某些权限？
Should I store all permissions in the third application and query for them each time when I the user asks for some resource, or should I save them locally and update them at some points?我应该将所有权限存储在第三个应用程序中并在每次用户请求某些资源时查询它们，还是应该将它们保存在本地并在某些时候更新它们？

I have taken a look at OpenID Connect , SAML , XACML and others.我查看了OpenID Connect 、 SAML 、 XACML等。 SAML and XACML look promising, But I still confused and the above questions remain unanswered. SAML 和 XACML 看起来很有希望，但我仍然感到困惑，上述问题仍未得到解答。

I am aware that this question covers a wide area, but having some resources for starting and some example projects will be of great help.我知道这个问题涉及的范围很广，但是拥有一些启动资源和一些示例项目将有很大帮助。

Regards.问候。

1 个解决方案

A possible solution would be like the following:一个可能的解决方案如下：

How can I implement the third application so that it can support non-specific, free-style permissions?如何实现第三个应用程序，以便它可以支持非特定的、自由样式的权限？ Using a JWT Token that includes the user's permissions as scopes.使用包含用户权限作为范围的 JWT 令牌。

How can I store those permissions?如何存储这些权限？

Store your user Model on the third application, along with the permission/roles for each user.将您的用户 Model 以及每个用户的权限/角色存储在第三个应用程序上。
When the user log in, they will be redirected to your third application.当用户登录时，他们将被重定向到您的第三个应用程序。 On successful authentication, the third application can then generate an access_token in the form of a JWT token which includes the permissions that the user has as scopes.在成功的身份验证后，第三个应用程序可以生成一个 JWT 令牌形式的 access_token，其中包括用户拥有的权限作为范围。
You can then have your front-end include this access_token on API requests to the client applications.然后，您可以让您的前端在对客户端应用程序的 API 请求中包含此 access_token。 The client applications can validate the access_token and check the scopes/permissions for the user to determine if the user can access certain data.客户端应用程序可以验证 access_token 并检查用户的范围/权限以确定用户是否可以访问某些数据。

How should I transfer the permissions to the client applications?我应该如何将权限转移到客户端应用程序？ Your client applications can validate/read the scopes included in the JWT token on each API request您的客户端应用程序可以在每个 API 请求上验证/读取 JWT 令牌中包含的范围

How can I query for some permissions?如何查询某些权限？ Not sure what this means, I can interpret 2 different things:不知道这意味着什么，我可以解释两件事：

Take Github as an example, a Github App can specify that they need read access and email access (but not the write access), and the user can authenticate and only approve read and email access. Take Github as an example, a Github App can specify that they need read access and email access (but not the write access), and the user can authenticate and only approve read and email access. In this case, the Authorization Server (Github) would generate a JWT that only includes scopes for read and email even though the user has other permissions available.在这种情况下，授权服务器 (Github) 将生成一个 JWT 仅包括read范围和email ，即使用户具有其他可用权限。
If you're talking about the client app wanting to know if the user has certain permission, then it can just look at the scopes included in the JWT.如果您谈论的是想要知道用户是否具有某些权限的客户端应用程序，那么它可以只查看 JWT 中包含的范围。 You might need to define the required scope for each endpoint in the client application.您可能需要为客户端应用程序中的每个端点定义所需的 scope。

Should I store all permissions in the third application and query for them each time when I the user asks for some resource, or should I save them locally and update them at some points?我应该将所有权限存储在第三个应用程序中并在每次用户请求某些资源时查询它们，还是应该将它们保存在本地并在某些时候更新它们？

The permissions for each user can be stored in the third application, and the client applications just trust the scopes included in the JWT.每个用户的权限可以存储在第三个应用程序中，客户端应用程序只信任 JWT 中包含的范围。 Since the access_token should be short lived (for example it expires in 1 hour), changes on the user's permission level can be handled by renewing the access_token.由于 access_token 应该是短暂的（例如它会在 1 小时后过期），因此可以通过更新 access_token 来处理用户权限级别的更改。