Is it possible to have SPA authentication without redirecting to an outside login page


Question


I am currently developing an SPA application that connects to a bunch of web APIs. These APIs require that the user is logged in, so I started digging into OpenID Connect and OAuth2 examples, mostly using IdentityServer.


They all require, for SPA reasons, that the implicit grant should be used for retrieving access_tokens. Token refreshes are handled by connecting to the authentication server using a hidden iframe.


What I understand from this approach of renewing your access_token is that the session is maintained at the authentication service. The hidden iframe goes to the authentication server, the session is still active, and a new access_token is provided.


All that looks good to me, except (for UX reasons) the fact that my user needs to be redirected to the authentication server page for providing credentials.


Isn't it possible to have my SPA application send credentials to the authentication server, get the access_token, and then do the refresh using the hidden iframe for silently renewing (we obviously don't want the user to keep entering credentials every 15 minutes or every hour..)?


If this is not acceptable for security reasons, could you please explain why?

Answer


Technically it is possible with the "resource owner password flow", but in that model the identity provider cannot trust your application and will not create a session for your user (to use silent renew later on). Thus such a non-interactive approach is not truly SSO.
For 2019 the recommended flow for any web app such as an Angular SPA is the Code flow with the PKCE extension, as described here or there.

