User authorization in API Gateway

I am trying to understand the architecture of microservices, and I have a question about how to properly authorize a user in the API gateway (or check that the user exists) if I have a separate User service for registration, login and token issuance. Let's say I have two services: a user service for registration, login and receiving tokens, and an ordering service. They have their own databases.

I have some guesses:

  1. For each request to the API gateway, make a separate request to the authorization service, check the token and user role there, and only then redirect the request to the order service.
  2. Give the API gateway access to the user database to verify the token and user, and then redirect the request to the order service.
  3. Combine the API gateway and the user service (I think this is a bad idea).

Or are there better options?

I think you have a lot of ways to do that.

I can tell you how you can do it (as I'm doing) using a serverless architecture in AWS:

You can create your services (Lambdas), configure a JWT authorizer (API Gateway), and use your authorizer for your functions, with the option to define the required permissions (scopes) for each function. You can do that without any custom code.

Here you can see a better explanation of how it works.

You can also write your own authorizer function, which will validate the requests.

PS: API Gateway can cache the result, so your authorizer doesn't need to be called for every single request.

I don't know if you want to manage the infrastructure yourself or use a service from a cloud provider, but I think this can at least give you a clue on how to design this kind of thing.

I will make some assumptions and say that you are talking about JWT tokens and that authorization is done using OAuth2.

After the user authentication is done, with some steps in between, the user will end up having a JWT token. This JWT token contains 3 parts, one of them being the signature. This signature is encrypted and cannot be deciphered without a key, while the rest of the JWT content is plain text. The content of the token, together with the signature, is signed on the authorization server with a key. Anybody who owns the key can read the message. This key is also a way of identifying who the issuer of the token was. That way you can say you trust this token because it has been issued by someone you trust. Any change in a token, without re-encryption, will result in an invalid token. A token also contains grants/privileges.

Be aware that the mentioned "key" may vary depending on the encryption algorithm.

Based on this, you don't need to check every single request against the user database.

For a better understanding, please take a look at the OAuth2 protocol (and maybe OIDC).

See also https://www.taithienbo.com/how-can-you-trust-a-jwt-to-be-authentic/
