Openid connect/ Oauth2 for Rest APIs
[英]Openid connect/ Oauth2 for Rest APIs
问题描述
I have different web applications which are registered on IDM (vmware IDM https://github.com/vmware/idm/wiki/Integrating-Webapp-with-OAuth2#authentication-response )
我在 IDM 上注册了不同的 web 应用程序(vmware IDM https://github.com/vmware/idm/wiki/Integrating-Webapp-with-OAuth2#authentication-response )
As obvious, all applications are registered with there own client id and client secret.很明显,所有应用程序都使用自己的客户端 ID 和客户端密码进行注册。 When a user tries to access webapp "A" (webappa.com), it redirects to my IDM login page and after authentication comes back with code that can be exchanged with access and refresh token.当用户尝试访问 webapp“A”(webappa.com) 时,它会重定向到我的 IDM 登录页面,并且在身份验证后返回代码,该代码可以与访问和刷新令牌交换。 Similar thing happens with webapp "B" etc. This works well. webapp“B”等也会发生类似的事情。这很有效。 Now I am confused with following 2 use cases?现在我对以下 2 个用例感到困惑?
a.一种。 I want to use some API (webappa.com/api/v1/get_user_projects) from webapp "A" for some scripting purpose.我想使用来自 webapp“A”的一些 API (webappa.com/api/v1/get_user_projects) 用于某些脚本目的。 So my question is how I can authenticate these APIs against the user?所以我的问题是如何针对用户验证这些 API? Can I get the tokens for the user from IDM provider by passing his credentials (using some APIs?).我可以通过传递用户凭据(使用某些 API 吗?)从 IDM 提供商处获取用户的令牌。 If answer to it is NO, then how usually it is handled?如果答案是否定的,那么通常如何处理?
b. b. Can webapp A and webaap B will have same access/ refresh token at a time against a user? webapp A 和 webaap B 能否一次对用户具有相同的访问/刷新令牌?
1 个解决方案
解决方案1
2 2021-06-24 18:53:56
a.一种。 When a user authenticates it is with certain permissions and for a certain period of time.当用户通过特定权限并在特定时间段内进行身份验证时。 OAuth is designed so that you can just forward tokens between microservices - but you cannot elevate the permissions or time for a user token. OAuth 旨在让您可以在微服务之间转发令牌 - 但您不能提升用户令牌的权限或时间。 Depending on your use case you may want to consider a different token with different privileges for background tasks.根据您的用例,您可能需要考虑对后台任务具有不同权限的不同令牌。
b. b. It is possible but not advisable to follow the Google model via a cookie scoped to a web domain that hosts multiple apps, which is how Google do it (mail.google.com / drive.google.com).可以但不建议通过范围为托管多个应用程序的 web 域的 cookie 跟踪 Google model,Google 就是这样做的(mail.google.com / drive.google.com)。 So there is a dependency on hosting and domains所以依赖于托管和域
The preferred option is for the user to authenticate at App A and then single sign on to App B. The different apps then get separate tokens with different permissions and can more easily evolve separately.首选选项是用户在应用程序 A 上进行身份验证,然后单点登录到应用程序 B。然后,不同的应用程序将获得具有不同权限的单独令牌,并且可以更轻松地单独发展。
This also depends on how the app is implemented and your technology choices:这还取决于应用程序的实施方式和您的技术选择:
An 'old style' web app using a server side technology will expect to issue separate auth cookies per app
使用服务器端技术的“旧式”web 应用程序将期望为每个应用程序发出单独的身份验证 cookiesAn SPA following an intelligent Back End for Front End design could support this model via SameSite cookies if it made sense for a set of related micro-UIs
遵循 前端智能后端设计的 SPA 可以通过 SameSite 支持此 model cookies 如果它对一组相关的微 UI 有意义
In the latter case you would need to use a single OAuth client with multiple redirect URIs - eg for mail and drive - since the user could sign in to either of these first.在后一种情况下,您需要使用具有多个重定向 URI 的单个 OAuth 客户端(例如,用于邮件和驱动器),因为用户可以先登录到其中任何一个。
Apologies for the complicated answer - but it is a very architectural topic with the potential for hidden costs.为复杂的答案道歉 - 但它是一个非常具有隐性成本的建筑主题。 From a stakeholder viewpoint it is very simple - make it work like Google.从利益相关者的角度来看,这非常简单——让它像谷歌一样工作。 Hopefully this answer helps you in your conversations...希望这个答案对您的对话有所帮助...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.