简体繁体 English

每个设备是否应该让 Keycloak 中的用户通过资源所有者密码凭据进行身份验证

[英]Should each device get a user in Keycloak authenticated through Resource Owner Password Credentials

原文 2021-02-23 15:43:54 8 1 oauth/ keycloak/ openid-connect

I am implementing an authentication system in Keycloak with human users and iot devices.我正在使用人类用户和物联网设备在 Keycloak 中实现身份验证系统。

Human Users: Access the system through a spa and use the Standard Redirection Based Authentication Flow.人类用户：通过 spa 访问系统并使用基于标准重定向的身份验证流程。

IOT Devices: The use case involves a number of high value devices which not interactive and need to transmit telemetry to the backend and access their own data as well data from associated users.物联网设备：该用例涉及许多高价值设备，这些设备不具有交互性，需要将遥测数据传输到后端并访问它们自己的数据以及来自相关用户的数据。 My current plan is to use the Resource Owner Password Credentials Grant since the embedded system can be setup with credentials during provisioning.我目前的计划是使用资源所有者密码凭据授予，因为可以在配置期间使用凭据设置嵌入式系统。

My thinking is that this would enable me to use Keycloak Groups and Roles for permission management and User <-> Device Association.我的想法是，这将使我能够使用 Keycloak 组和角色进行权限管理和用户 <-> 设备关联。

Is there anything inherently wrong with this approach?这种方法有什么本质上的错误吗？

1 个解决方案

My current plan is to use the Resource Owner Password Credentials Grant since the embedded system can be setup with credentials during provisioning.我目前的计划是使用资源所有者密码凭据授予，因为可以在配置期间使用凭据设置嵌入式系统。

From source one can read:从源代码可以阅读：

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.资源所有者密码凭证授予类型适用于资源所有者与客户端具有信任关系的情况，例如设备操作系统或高特权应用程序。 The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.授权服务器在启用此授权类型时应特别小心，并且仅在其他流程不可行时才允许它。

This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form).此授权类型适用于能够获取资源所有者凭据（用户名和密码，通常使用交互式表单）的客户端。 It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token:它还用于使用直接身份验证方案（例如 HTTP Basic 或 Digest 身份验证）将现有客户端迁移到 OAuth，方法是将存储的凭据转换为访问令牌：

Does your use-case meets those constrains?您的用例是否满足这些限制？

If no, consider using The Client Credentials Grant instead:如果不是，请考虑改用客户端凭据授予：

With machine-to-machine (M2M) applications, such as CLIs, daemons, or services running on your back-end, the system authenticates and authorizes the app rather than a user.使用机器对机器 (M2M) 应用程序（例如 CLI、守护程序或在后端运行的服务）时，系统会验证和授权应用程序而不是用户。 For this scenario, typical authentication schemes like username + password or social logins don't make sense.对于这种情况，用户名 + 密码或社交登录等典型身份验证方案没有意义。 Instead, M2M apps use the Client Credentials Flow (defined in OAuth 2.0 RFC 6749, section 4.4), in which they pass along their Client ID and Client Secret to authenticate themselves and get a token.相反，M2M 应用程序使用客户端凭据流（在 OAuth 2.0 RFC 6749，第 4.4 节中定义），其中它们传递其客户端 ID 和客户端密钥来验证自己并获取令牌。

So in the latter instead of using the username and password for authentication you would be using a client secret instead.因此，在后者中，您将使用客户端密码而不是使用用户名和密码进行身份验证。

My thinking is that this would enable me to use Keycloak Groups and Roles for permission management and User <-> Device Association.我的想法是，这将使我能够使用 Keycloak 组和角色进行权限管理和用户 <-> 设备关联。

You can still add claims to the confidential client as well and use them for permission management.您仍然可以向机密客户端添加声明并将其用于权限管理。