stackoom
  简体   繁体   中英

Authentication with OAuth and JWT but without OpenID Connect

 原文  2015-06-17 02:15:46       session/ authentication/ oauth/ authorization/ openid-connect

Question

I'm wondering if I really need OpenID Connect to provide authentication on top of OAuth2. It seems to me if I generate JWTs (JWE) as my access token and I store user claims, roles/permissions, etc. in the access token, then the OpenID Connect's id token isn't needed. Resource servers can validate the access token on each request. Alternatively, I could keep the access token small and just have it store a session id and populate that session with claims/roles/permission. Also I could put an expiration value in session and support sliding expiration, etc. and not even deal with refresh tokens. Am I missing what OpenID Connect is really about?

Update

I just realized I need to clarify my question a bit. If I built a site where I allow users to login via Google, I see how OpenID Connect is necessary. I'm allowing someone access to my site based on some OAuth authorization flow which doesn't prove authentication happened. But if I'm building a bunch of services and I just want to issue tokens to access these service resources, isn't OAuth enough? And if I wanted these tokens to contain roles/claims so I can make authorization decisions in my services, isn't a JWT containing roles/claims enough? If feels like OpenID Connect wouldn't be necessary in this case.

1 answers

solution1
 0 ACCPTED  2015-06-17 17:47:57

By requiring that the access token is a JWT, agreeing on the user claims that go in to the JWT, putting expiration/issuance timestamps in there and making sure that you cryptographically verify the issuer of the token you're actually doing the very same thing that OpenID Connect is doing: "profiling" OAuth 2.0 in such a way that it can provide user authentication/identity information.

Update:

But if you don't need user authentication semantics you can stick with OAuth 2.0. You may use a JWT as an access token so the Resource Server (the API) can verify and inspect the access token and find out on whose behalf the client is acting. But just be aware that the possession of that token does not mean that the user is present (and authenticated) at that time.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Managing session in REST application after authentication with OpenID Authentication: sessions, JWT, or something else? Authentication: JWT usage vs session How to do session management for OpenID Connect? Session Management OpenID Connect Why two Iframes? Does passport JWT strategy conflict with OAuth? Better approach for Jwt authentication and session management Re-validating users when using OpenId Connect implicit flow Keycloak fails to authenticate openid-connect token in cluster mode Should I use JWT and OAuth for different types of users?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM