使用JWT和OpenID Connect的微服务中的客户端身份验证 [英] Client authentication in microservices using JWT and OpenID Connect
问题描述
我对微服务架构中的身份验证有一些疑问.我现在有一个整体应用程序,我的目标是将应用程序拆分为小型微服务.
I've some questions regarding authentication in a microservices architecture. I've right now a monolithic application and my goal is to split the application in small microservices.
我最大的问题是身份验证(目前).阅读了很多文档之后,看来最好的解决方案是使用OpenID Connect对用户进行身份验证以检索可以随请求一起传递给微服务的JWT.
My bigest problem is for authentication (for now). After reading a LOT a documentation, It seems that the best solution is to use OpenID Connect to authenticate an user to retrieve a JWT that can by passed with the request to the microservices.
此外,为避免有多个端点,您可以将API Gateway部署为仅为最终用户提供一个端点.好的,所以现在我对这种架构有两个疑问.
Also, to avoid having multiple endpoints, you can deploy and API Gateway to have only one endpoint for the end user. Ok, so now I've two questions with this architecture.
身份验证的标准流程为:
The standard flow for authentication will be :
用户使用隐式流与OpenID Connect中的身份服务器联系,并获取id_token(JWT)和access_token.用户现在可以使用此access_token与我的API联系. API网关将使用身份服务器验证access_token,还检索JWT以将其添加到微服务API的子请求中.
An user contact my identity server in OpenID Connect with the implicit flow and get the id_token (JWT) and also the access_token. The user can now contact my API with this access_token. The API Gateway will valide the access_token with the identity server and also retrieve the JWT to add it to the sub request to the microservice API.
1/API网关如何从access_token获取JWT?我从文档中摘录的内容( http://openid.net/specs/openid -connect-core-1_0.html ),它可以联系"/userinfo"端点,但是它将仅获取JSON格式,而不是JWT ...
1/ How the API Gateway can get the JWT from the access_token? From what I red from the documentation (http://openid.net/specs/openid-connect-core-1_0.html), It can contact the "/userinfo" endpoint but It will get just the JSON format not the JWT...
2/我想允许我的微服务之间进行身份验证的调用.因此,每个微服务都需要能够生成JWT以直接联系其他微服务.我的第一个想法是联系身份服务器.但是,借助OAuth2客户端凭据流程,我不会检索id_token或JWT.只是没有JWT的经典OAuth2访问令牌.我的第二个想法是,微服务可以使用与身份服务器使用的PKI相同的PKI颁发的证书直接签署自己的JWT.这意味着JWT可以由多个证书签名,但可以来自同一私有PKI.当微服务接收到JWT时,它需要能够识别用来签署JWT的证书.我在RFC上找不到关于此问题的任何内容.我可以在令牌中添加自己的私人索赔以获取证书,但是在浏览了几天的网络却没有看到这种解决方案后,我想知道自己是否走错了道路……总而言之,如何我可以在JWT中执行用户到服务"身份验证,也可以执行服务到服务"身份验证吗?
2/ I want to allow authenticated calls between my microservices. So each microservice needs to be able to generate a JWT to contact other microservices directly. My first thought was to contact the identity server. But with the OAuth2 Client Credentials flow, I don't retrieve a id_token or a JWT. Just a classic OAuth2 access token without JWT. My second thought was that the microservice can directly sign its own JWT with a certificate issued by the same PKI as the one used by the identity server. That mean that a JWT can be sign by several certificats but from the same private PKI. When a microservice receives a JWT, It needs to be able to identify witch certificat was used to sign the JWT. I don't find anything on the RFC regarding this problem. I can add my own private claim in the token to have the certificate but after several days of browsing the web without seeing this kind of solution, I'm wondering if I'm not on the wrong path... To sum up, how can i perfom "User to service" authentication AND alors "service to service" authentication in JWT?
非常感谢!
推荐答案
我正在实现类似的解决方案.不确定是否可以完全解决您的问题,但是希望对您有所帮助:
I am implementing a similar solution. Not sure if it will address to your question completely, but, I hope it helps:
-
您可以实施新的身份验证微服务,以将oAuth2访问令牌转换为JWT令牌.该微服务也将对此JWT令牌进行签名.
You can implement a new authentication micro-service to convert your oAuth2 access token to JWT token. This microservice will also sign this JWT token.
您的API网关会将所有客户端请求路由到身份验证服务,这将验证来自IDM的令牌并将其转换为签名的JWT令牌.
Your API gateway will route all client requests to authentication service, which will validate this token from IDM and will convert it to a signed JWT token.
API网关会将此JWT令牌传递给其他微服务,这些微服务将验证来自身份验证服务公钥的签名.如果签名有效,则可以从中提取角色进行授权.
API gateway will pass this JWT token to other microservices which will validate the signature from Authentication Service's public key. If the signature validates, roles can be extracted out of it for authorization.
每个微服务都可以配置自己的IDM凭据,并且当它想要调用任何其他微服务时,可以生成访问令牌并调用身份验证服务以获取JWT,该JWT可以在调用中传递给其他微服务. p>
Each microservice can have its own IDM credentials configured and when it wants to call any other microservice, it can generate an access token and call Authentication Service to get JWT which can be passed in call to other microservices.
这篇关于使用JWT和OpenID Connect的微服务中的客户端身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
