简体繁体 English

我的 ASP.NET 核心应用程序应该使用哪种类型的授权？

[英]What sort of grant type I should use for my ASP.NET Core app?

原文 2020-12-06 07:17:40 5 2 asp.net/ oauth-2.0/ oauth/ identityserver4/ restapi

I have an ASP.NET Core application and also a REST API as a resource which I want to protect.我有一个 ASP.NET 核心应用程序和一个 REST API 作为我想要保护的资源。

I use IdentityServer4 for getting an access token and use that token for requests from the API.我使用 IdentityServer4 获取访问令牌，并将该令牌用于来自 API 的请求。

But my problem is, which type of grant types I should use for this scenario?但我的问题是，我应该在这种情况下使用哪种类型的授权类型？

Client credentials?客户端凭据？ Machine to Machine?机器对机器？
Password grant?密码授予？

I am new to this topic and I got confused:(我是这个话题的新手，我很困惑:(

2 个解决方案

Client Credentials客户凭证

The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user.客户端使用客户端凭据授予类型来获取用户上下文之外的访问令牌。

This is most often used by clients to access internal data which is not considered to be private user data.客户端最常使用它来访问不被视为私人用户数据的内部数据。

Password grant密码授予

The Password grant is a legacy grant type type which was a way to exchange a user's credentials for an access token.密码授权是一种传统授权类型，它是一种将用户凭据交换为访问令牌的方式。 Because the client application has to collect the user's password and send it to the authorization server, it is not recommended that this grant be used at all anymore.因为客户端应用程序必须收集用户的密码并将其发送到授权服务器，所以不建议再使用此授权。

This flow provides no mechanism for things like multifactor authentication or delegated accounts, so is quite limiting in practice.此流程没有为多因素身份验证或委托帐户等机制提供任何机制，因此在实践中非常有限。

The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely.最新的 OAuth 2.0 安全最佳当前实践完全不允许密码授予。

Authorization Code授权码

Assuming that the data you accessing user data you should consider using Authorization code.假设您访问用户数据的数据应该考虑使用授权码。

The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.授权代码授权类型由机密和公共客户端用于交换访问令牌的授权代码。

After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.用户通过重定向URL返回客户端后，应用程序会从URL获取授权码，并用它来请求访问令牌。

It is recommended that all clients use the PKCE extension with this flow as well to provide better security.建议所有客户端也将此流程与 PKCE 扩展一起使用，以提供更好的安全性。

Spec规格

I recommend reviewing Grant types Most of the information above comes directly from the SPECS.我建议查看Grant types上面的大部分信息直接来自 SPECS。

Today there are only two flows that you should consider, the authorization code flow and the client credentials flow.今天，您应该考虑的只有两个流程，授权代码流程和客户端凭据流程。

If there is a user involved (user with browser), then you should use the authorization code flow.如果涉及用户（使用浏览器的用户），那么您应该使用授权码流。

If it is a machine to machine communication (no user involved), then you should use the client credentials flow.如果它是机器对机器的通信（不涉及用户），那么您应该使用客户端凭据流。

all other flows are deprecated and not recomended.所有其他流程均已弃用且不推荐使用。