OpenID Connect:将id_token用作access_token可以吗? [英] OpenID Connect : Is it fine to use id_token as access_token?

问题描述

在我工作的一个应用程序中，我们正在考虑仅对所有用例(包括身份验证和授权)使用id_token.该解决方案正在从头开始开发.当前没有任何资源的使用者，我们可以修改资源以使用id_token.我对openid_connect和oauth 2.0的概念有些陌生.仅使用具有所有访问详细信息的id_token会有任何问题吗?

In one of the application at my work, we are thinking of just using id_token for all the use-cases including authentication and authorization. The solution is being developed from scratch right now. There are currently no consumers of any resources and we can modify the resources to use id_token. I am bit new to the concepts of openid_connect and oauth 2.0. Will there be any issue of just using id_token having all the access details?

推荐答案

如果您的应用程序只需要对用户进行身份验证，然后让他们使用其可能访问的所有功能访问其后端，则仅使用ID令牌并进行检查会更容易基于用户名或角色的访问权限.仅使用ID令牌时，您还可以接受来自不同OAuth2提供程序的ID令牌.

If your application needs just to authenticate users and then let them access its backend with all the features they may access, it's easier to use just an ID token and check access rights based on username or roles. When using just an ID token, you can also accept ID tokens from different OAuth2 providers.

访问令牌对于部分访问委派很有用-当用户将其某些权限委派给另一个应用程序时.例如，如果我创建一个应用程序来询问其用户对他们的GMail的只读访问权限，则该应用程序可以获得访问权限，而没有被允许访问该用户的任何其他Google资源.

Access tokens are useful for partial access delegation - when users delegate some of their permissions to another application. For example if I create an application that asks its users for a read-only access to their GMail, the application can get the access without it being allowed to access any other Google resources of the user.

如果您想为简单的客户端应用程序及其后端使用访问令牌，则您的客户端应用程序将要求其可能使用的所有OAuth2范围，然后查看从OAuth2获取的访问令牌中返回了哪些范围服务器.

If you wanted to use an access token for a simple client application and its backend, your client application would have ask for all OAuth2 scopes it can possibly use and then see what scopes come back in the access token it gets from the OAuth2 server.

因此，如果您只想为其前端创建后端API，而又不打算为其他应用程序打开它，则仅使用ID令牌会更容易.如果发现需要访问令牌，可以稍后再使用.

So if you want to create your backend API just for its frontend and don't plan to open it for other applications, it's easier to use just ID tokens. If you find out that you need access tokens, you can start using them later.

您还可以考虑根据提供的ID令牌发布包含所需的所有身份验证和授权信息的自己的令牌(JWT)，因此您的后端不必在每次API访问时都获取用户的安全性数据.

You can also consider issuing your own tokens (JWT) with all authentication and authorization info you need based on a provided ID token, so your backend doesn't have to fetch the user's security data on each API access.

这篇关于OpenID Connect:将id_token用作access_token可以吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！