简体繁体 English

OAuth2：客户端凭据流

[英]OAuth2: Client Credentials flow

原文 2021-11-09 12:22:52 8 2 oauth-2.0/ oauth/ azure-ad-b2c

Problem: I am currently working on making a REST Api available to clients (the client in this case is not the normal end user who orders the articles, but the client's Web Api that communicates with my system).问题：我目前正在致力于为客户端提供 REST Api（在这种情况下，客户端不是订购文章的普通最终用户，而是与我的系统通信的客户端的 Web Api）。 In order to order different products in my system, each customer may have several accounts for each country separately.为了在我的系统中订购不同的产品，每个客户可能针对每个国家分别拥有多个帐户。 Authentication is done by authenticating the client's WebApi application to my system (machine to machine).身份验证是通过将客户端的 WebApi 应用程序身份验证到我的系统（机器对机器）来完成的。 So it looks like this should be done using OAuth2 Client Credentials Flow based on the article https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios#scenarios- and-supported-authentication-flows, but I have doubts about the issue of client accounts for each country separately.所以看起来这应该使用基于文章https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios#scenarios- 的OAuth2 客户端凭据流来完成-supported-authentication-flows，但我对每个国家/地区的客户帐户问题分别表示怀疑。

Question: This should be solved by creating a ClientId and ClientSecret for each client account per country separately or, however, one client account should be created, while the country should be sent by the client in each request to the Api or before adding the country as a scope or claim to access token.问题：这应该通过为每个国家/地区的每个客户账户分别创建一个 ClientId 和 ClientSecret 来解决，或者，应该创建一个客户账户，而国家应该在每次请求 Api 或添加国家之前由客户发送作为访问令牌的范围或声明。 Additionally, I am not sure if Client Credentials Flow is a good choice in this situation, so I would be very grateful for any suggestions.此外，我不确定在这种情况下 Client Credentials Flow 是否是一个不错的选择，因此我将非常感谢您提供任何建议。

2 个解决方案

CLIENTS客户

Ideally each client company should have a single client credential for getting access tokens.理想情况下，每个客户公司都应该拥有一个用于获取访问令牌的客户凭证。 In sone cases, such as when there are different legal subdivisions, this can be extended.在某些情况下，例如当有不同的法律细分时，这可以扩展。 By default use a single value, but you need to understand your clients.默认情况下使用单个值，但您需要了解您的客户。

A client credentials flow between companies can involve stronger credentials if needed, such as JWT client assertions or Mutual TLS - as in this advanced tutorial .如果需要，公司之间的客户端凭据流可以涉及更强的凭据，例如 JWT 客户端断言或相互 TLS - 如本高级教程中所示。

CLAIMS索赔

In your system you should map domain specific data needed for authorization against each client ID.在您的系统中，您应该将授权所需的域特定数据映射到每个客户端 ID。 This might include country specific access to products or whatever makes sense for your scenario.这可能包括对产品的特定国家/地区访问或对您的场景有意义的任何内容。

This data can then be either included in access tokens at the time of issuance, or looked up when an access token is first received, then cached for subsequent requests with the same token.然后，该数据可以在发布时包含在访问令牌中，或者在首次收到访问令牌时进行查找，然后缓存以用于具有相同令牌的后续请求。 Step 3 of my Authorization Blog Post explains a couple of design patterns here.我的授权博客文章的第 3 步在这里解释了几个设计模式。

API REQUESTS API 请求

How the client gets data in API requests is interesting:客户端如何获取 API 请求中的数据很有趣：

Is data for all countries owned by the caller?呼叫者是否拥有所有国家/地区的数据？ If so let them select the data they want via a country parameter during API requests.如果是这样，让他们在 API 请求期间通过国家/地区参数选择他们想要的数据。
If the API client shoild never be able to see data for a country, that suggests that in at least some cases you need different clients per country.如果 API 客户端永远无法查看某个国家/地区的数据，则表明至少在某些情况下，每个国家/地区需要不同的客户端。

SUMMARY概括

Define clients in terms of what makes sense for those companies.根据对这些公司有意义的内容来定义客户。 Avoid an explosion of clients in order to manage access rights for the same data owner.避免客户端激增，以便管理同一数据所有者的访问权限。 Exact solutions depend on your domain specific requirements.确切的解决方案取决于您的领域特定要求。 OAuth is a framework that is meant to be adapted. OAuth 是一个旨在适应的框架。

If your entire existing data-model silos 'countries' by a concept of an account, then a set of credentials per account might be the easiest.如果您的整个现有数据模型孤岛都按照帐户的概念划分“国家/地区”，那么每个帐户的一组凭据可能是最简单的。

But it sounds to me that your data-model doesn't fully capture your actual business well.但在我看来，您的数据模型并没有完全捕捉到您的实际业务。 It sounds to me like you have a concept of a 'customer/client' that has access to one of more 'accounts', each representing a country.在我看来，您有一个“客户/客户”的概念，可以访问多个“帐户”中的一个，每个帐户代表一个国家/地区。

So a more correct way to model this might be to structure your API so that a single API client can access all of the related accounts, and your API should perhaps be structured so that the idea of an accountId is somehow passed (usually in the URL for REST apis).因此，一种更正确的建模方法可能是构建您的 API，以便单个 API 客户端可以访问所有相关帐户，并且您的 API 可能应该进行结构化，以便以某种方式传递accountId的想法（通常在 URL 中）用于 REST api）。 For example, each API endpoint can be prefixed with /account/123 .例如，每个 API 端点都可以以/account/123为前缀。

To me this is more of a data-modelling and API architecture question than anything OAuth2-specific.对我来说，这更像是一个数据建模和 API 架构问题，而不是任何特定于 OAuth2 的问题。