id_token 与 access_token 的说明 [英] Clarification on id_token vs access_token
问题描述
我正在使用 OIDC 和 OAuth 2.0(使用 Auth0)构建一个系统,但我不确定如何正确使用 id_token 和 access_token.或者更确切地说,我对在我的设置中为各种服务分配哪些角色感到困惑.
I'm building a system with OIDC and OAuth 2.0 (using Auth0), and I'm unsure how to properly use the id_token and access_token. Or rather, I'm confused about which roles to assign to the various services in my setup.
我有一个完全静态的前端应用程序(单页应用程序、HTML + JS、无后端),可确保使用针对 Auth0 的隐式流程对用户进行身份验证.然后前端应用程序从我也在构建的 API 中获取数据.
I have a fully static frontend-application (single-page app, HTML + JS, no backend) that ensures that the user is authenticated using the implicit flow against Auth0. The frontend-application then fetches data from an API that I am also building.
现在,哪个是对的?
- 前端 SPA 是 OAuth 客户端应用程序
- 我的 API 服务是一个 OAuth 资源服务器
...或:
- 前端和我的 API 服务都是客户端应用
如果我的前端和后端 API 都可以被视为客户端,我认为使用 id_token 作为从我的前端到后端的请求的承载令牌并没有真正的危害 - 这很有吸引力因为这样我就可以简单地在后端验证签名的令牌,并且我拥有有关我需要的用户的所有信息.但是,如果我的 API 被视为资源服务器,我可能应该使用 access_token,但是我必须在每个 API 请求上连接到 Auth0 的服务器以验证令牌, 并获取基本的用户信息,不是吗?
If both my frontend and backend API can be considered to be the client, I see no real harm in using the id_token as the bearer token on requests from my frontend to my backend - this is appealing because then I can simply verify the signed token on the backend, and I have all the information about the user that I need. However, if my API is considered a resource server, I should probably use the access_token, but then I have to connect to Auth0's servers on every API request to both verify the token, and get basic user info, won't I?
我已阅读这个 这似乎表明 access_token 是与我的 API 一起使用的唯一有效令牌.但就像我说的,我不确定各个服务的角色.并且使用 id_token 很诱人,因为它不需要后端的网络连接,并且包含我需要提取正确数据的信息.
I've read this which seems to suggest that the access_token is the only valid token for use with my API. But like I said, I'm not sure about the roles of the individual services. And using the id_token is tempting, because it requires no network connections on the backend, and contains information I need to extract the right data.
解决这个问题的正确方法是什么?
What is the right way to go about this?
推荐答案
你的前端是你的 OAuth 客户端应用程序,一旦它存储了令牌,它就可以对 OAuth 流采取行动.而你的 API 服务是资源服务器,因为它接受你的身份服务器发出的 access_token.
Your frontent is your OAuth client application, once it stores the token it can take actions on the OAuth flow. And your API service is resource server, because it accepts the access_token issued by your identity server.
另外我想说的是,您的 id_token 代表登录用户的身份,可能包含您应用的敏感数据.access_token 是您访问资源的凭据.
Also I would say that your id_token stands for the identification of the logged user and may contain sensitive data for your app. The access_token is standing as your credential to access a resource.
最后您将使用 access_token 来请求资源,然后如果您需要来自登录用户(资源所有者)的特定数据,您可以从令牌端点请求 ID 令牌.
At the end you will use an access_token to request a resource, and then if you need specific data from the logged in user (resource owner), you may request the ID token from the token endpoint.
这篇关于id_token 与 access_token 的说明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
