OAuth2 - launching an SPA from an existing web-app without requiring the user to authenticate again

Background

We have an existing traditional webapp (Wicket/Java/Spring/Tomcat) that we are incrementally migrating to a Vue.js application/SPA. So when the user navigates to certain parts of the application we serve the SPA, which the user interacts with until they navigate to an old part of the application again.

All user authentication is currently handled by the traditional webapp, which results in a Tomcat session (JSESSIONID cookie).

The SPA currently talks to the API on the main Java monolith application. This is the same application serving the traditional webapp. So currently we handle authentication by checking for the presence of the JSESSIONID cookie/Tomcat HTTP session in the request from the SPA.

       ┌──────────────┐
       │  Browser     │
       │              │          ┌────────────┐
       │  ┌──────┐    │          │  Monolith  │
 ──────┼─►│ HTML │◄───┼─────────►│    java    ├──────────────┐
       │  └──────┘    │          └────────────┘              ▼
       │              │             ▲             ┌──────────────────────┐
       │ ┌─────────┐  │             │             │ OAuth2 Authorization │
       │ │   SPA   │◄─┼─────────────┘             │       Server         │
       │ │ (VueJs) │  │                           └──────────────────────┘
       │ └────┬────┘  │                                      ▲
       │      │       │                                      │
       └──────┼───────┘               ┌──────────────┐       │
              │                       │ Microservice │       │
              └──────────────────────►│     java     ├───────┘
                                      └──────────────┘

Requirement

We are building new microservices (with APIs) that we wish the SPA to be able to talk to. So our approach of sharing the JSESSIONID cookie is not going to work.

We'd like to use OAuth2 to protect our new microservices, meaning that they will require valid access tokens for all incoming requests.

Question

All the documentation and examples we've found are concerned with implementing the standard solutions whereby you choose the OAuth2 grant flow you want to use (implicit or authorization code with PKCE) and get the SPA to prompt the user to authenticate.

This is not going to work for us while we are still in this hybrid situation and all user authentication is handled by the traditional webapp.

  • What are some approaches that people use in situations like these?
  • How can the SPA be given enough information when it is loaded in order to make (pre)authenticated calls to the new microservice API?

We are happy to consider moving the traditional webapp's login flow to an OAuth-based flow but still aren't clear how to solve the problem with the SPA.

If all your apps are OAuth2, it's likely that you choose an OIDC authorization server, and almost all have SSO (single sign-on) features: when users authenticate (with the authorization-code + PKCE flow), they have a "session" opened on the authorization server and can have subsequent authentications happen silently (only the very first authentication for each client can require explicit consent).

In other words, with SSO, your users would authenticate once for all clients (legacy app and new Vue one).

Be sure to pick Certified OpenID Connect Implementations for each of your client frameworks.

In addition to the previous answer, OIDC is the correct choice, because you can still have a user session that will be created during the OIDC flow: https://openid.net/connect/

In the OIDC flow an id token, access token and refresh token are returned, but the id token is used only once, to establish the user session.

The access token and refresh token can be saved on a backend service (i.e. some gateway) responsible for OIDC communication and user session creation. Then, based on the user session, you can find those tokens and use them in calls to the microservice when needed.

It is important to understand the whole concept behind OAuth, especially in the scenario with a web application. I recommend reading this to understand the whole picture: https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-10.html
