[英]Central Authentication and authorization service
I want to design some "central authentication and authorization service" and I know that there is already a couple .我想设计一些“中央身份验证和授权服务”,我知道已经有几个. My concerns are not about the standards.我担心的不是标准。 In the following lines, I'll try to explain it.在以下几行中,我将尝试解释它。
I have created two Django client apps that have their own authentication and authorization mechanics.我创建了两个 Django 客户端应用程序,它们具有自己的身份验证和授权机制。 The two applications have different designs thus different permissions and roles.这两个应用程序具有不同的设计,因此具有不同的权限和角色。 But the users are identical.但是用户是相同的。
Now I have to create a third application through which the two former applications have to do authentication and that is OK (using for example OAuth).现在我必须创建第三个应用程序,前两个应用程序必须通过它进行身份验证,这没关系(例如使用 OAuth)。 But the third application is also responsible for authorization, ie the roles, permissions (including numerous object-level permissions) are stored by and managed in the third application.但第三应用也负责授权,即角色、权限(包括众多的对象级权限)由第三应用存储和管理。
The questions are:问题是:
How can I implement the third application so that it can support non-specific, free-style permissions?如何实现第三个应用程序,以便它可以支持非特定的、自由样式的权限?
How can I store those permissions?如何存储这些权限?
How should I transfer the permissions to the client applications?我应该如何将权限转移到客户端应用程序?
How can I query for some permissions?如何查询某些权限?
Should I store all permissions in the third application and query for them each time when I the user asks for some resource, or should I save them locally and update them at some points?我应该将所有权限存储在第三个应用程序中并在每次用户请求某些资源时查询它们,还是应该将它们保存在本地并在某些时候更新它们?
I have taken a look at OpenID Connect , SAML , XACML and others.我查看了OpenID Connect 、 SAML 、 XACML等。 SAML and XACML look promising, But I still confused and the above questions remain unanswered. SAML 和 XACML 看起来很有希望,但我仍然感到困惑,上述问题仍未得到解答。
I am aware that this question covers a wide area, but having some resources for starting and some example projects will be of great help.我知道这个问题涉及的范围很广,但是拥有一些启动资源和一些示例项目将有很大帮助。
Regards.问候。
A possible solution would be like the following:一个可能的解决方案如下:
How can I implement the third application so that it can support non-specific, free-style permissions?如何实现第三个应用程序,以便它可以支持非特定的、自由样式的权限? Using a JWT Token that includes the user's permissions as scopes.使用包含用户权限作为范围的 JWT 令牌。
How can I store those permissions?如何存储这些权限?
How should I transfer the permissions to the client applications?我应该如何将权限转移到客户端应用程序? Your client applications can validate/read the scopes included in the JWT token on each API request您的客户端应用程序可以在每个 API 请求上验证/读取 JWT 令牌中包含的范围
How can I query for some permissions?如何查询某些权限? Not sure what this means, I can interpret 2 different things:不知道这意味着什么,我可以解释两件事:
read
access and email
access (but not the write
access), and the user can authenticate and only approve read
and email
access. Take Github as an example, a Github App can specify that they need read
access and email
access (but not the write
access), and the user can authenticate and only approve read
and email
access. In this case, the Authorization Server (Github) would generate a JWT that only includes scopes for read
and email
even though the user has other permissions available.在这种情况下,授权服务器 (Github) 将生成一个 JWT 仅包括read
范围和email
,即使用户具有其他可用权限。Should I store all permissions in the third application and query for them each time when I the user asks for some resource, or should I save them locally and update them at some points?我应该将所有权限存储在第三个应用程序中并在每次用户请求某些资源时查询它们,还是应该将它们保存在本地并在某些时候更新它们?
The permissions for each user can be stored in the third application, and the client applications just trust the scopes included in the JWT.每个用户的权限可以存储在第三个应用程序中,客户端应用程序只信任 JWT 中包含的范围。 Since the access_token should be short lived (for example it expires in 1 hour), changes on the user's permission level can be handled by renewing the access_token.由于 access_token 应该是短暂的(例如它会在 1 小时后过期),因此可以通过更新 access_token 来处理用户权限级别的更改。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.