Use cases of OAuth2.0


Question


I am building a multi-tenant SaaS (software as a service) architecture. I have to build the authentication system for the system.

From what I have studied, I think I need to build the authentication system based on OAuth2.0 and bearer tokens with JWT tokens.

After reading a lot about OAuth2.0 and how to build an OAuth2.0 server, I still don't understand the full concept of OAuth, and I am also confused about whether I need it or not, or whether I need some other authentication system.

What my system needs is this: we will provide an SDK to all our customers, and each client will have an Application Id and a secret key; using the SDK, the client will connect to his application present in our system.

The application ID will map the customer to his application present in our system, and the client secret key will authenticate the client inside the application. Do I still need to build an authentication system based on OAuth2.0, or can I build my own authentication system based on our needs?

What are the use cases of OAuth2.0, and when won't we need to implement it?

Solution

First, as clearly indicated in OAuth authentication

OAuth 2.0 is not an authentication protocol.

Authentication in the context of a user accessing an application tells an application who the current user is and whether or not they're present. A full authentication protocol will probably also tell you a number of attributes about this user, such as a unique identifier, an email address, and what to call them when the application says "Good Morning".

However, OAuth tells the application none of that.
OAuth says absolutely nothing about the user, nor does it say how the user proved their presence or even if they're still there.
As far as an OAuth client is concerned, it asked for a token, got a token, and eventually used that token to access some API. It doesn't know anything about who authorized the application or if there was even a user there at all.

There is a standard for user authentication using OAuth: OpenID Connect, compatible with OAuth2.

The OpenID Connect ID Token is a signed JSON Web Token (JWT) that is given to the client application alongside the regular OAuth access token.
The ID Token contains a set of claims about the authentication session, including an identifier for the user (sub), the identifier for the identity provider who issued the token (iss), and the identifier of the client for which this token was created (aud).

In Go, you can look at coreos/dex, an OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with Pluggable Connectors.
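As an added example (not part of the answer above and not dex's code), this is what a relying party has to do with the ID Token claims the answer names before `sub` may be treated as the user's identity: pin the algorithm, verify the signature, then check `iss`, `aud` and `exp`. The issuer, client id and client secret are constructed sample values; HS256 under the client secret is one of the signing options OIDC Core permits for ID Tokens, and the minting function exists only to produce sample input.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.test"  # constructed sample issuer
CLIENT_ID = "app-42"                 # constructed sample client_id (the asker's "Application Id")
CLIENT_SECRET = "s3cret-for-app-42"  # constructed sample client secret


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def mint_id_token(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; exists only so the example can construct its own sample token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{_b64url_encode(json.dumps(claims).encode())}"
    return f"{signing_input}.{_b64url_encode(_hs256(secret, signing_input))}"


def verify_id_token(token: str, secret: str, issuer: str, client_id: str, now=None) -> dict:
    """Return the claims only once alg, signature, iss, aud and exp check out; else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier fixes the algorithm, never the token
    if not hmac.compare_digest(_b64url_decode(sig_b64), _hs256(secret, f"{header_b64}.{body_b64}")):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # OIDC allows aud to be a string or a list of client ids
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued to a different client")
    if (int(time.time()) if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

A plain OAuth access token carries no such contract about the user, which is the distinction the answer draws: only the ID Token, once these checks pass, says who authenticated.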
