Is using SAML bearer tokens for authenticating users to backend services a bad idea?


Question

Suppose I have a front-end application that wants to fetch some data from a back-end service. (I do.) The service will need to verify that the end-user is authenticated, that it is authorized to use the service and possibly filter the returned data based on the user's privileges. In my case, both the front-end app and the back-end service rely on Azure ACS for authentication.

Ideally the front-end would like to act on the behalf of the authenticated user, which sounds like a good fit for using an ActAs token (as specified in WS-Trust). However, it turns out that ACS does not currently support ActAs (http://stackoverflow.com/questions/11296421/is-identity-delegation-via-ws-trust-actas-supported-in-acs/11298814#11298814).

A workaround could be to use the actual bearer token (the bootstrap token in the front-end app) to authenticate to the back-end service. It's not hard to do, but would it be a bad idea for some reason?

Answer

From your front-end app, you could certainly pass along the identity data of the end user by either sending the token as is or sending the attributes from it. Both have issues. For the former, if it's also encrypted, the front- and back-ends will have to share the private key needed to decrypt it; they will also have to share audience restrictions, etc. in order for the back-end to consider the token valid for it. In other words, the front- and back-ends will be ONE relying party, not two. Might not be a problem, but be aware. In the latter case, you end up sending user data in a proprietary way which could increase integration and maintenance costs over time. In both cases, you can authenticate the front-end app to the back-end using some other type of credential, e.g., a certificate used at the transport level and, thus, forming a trusted subsystem between them.

One thing that I would suggest you consider instead is OAuth 2. From this blog post (http://blogs.msdn.com/b/adventurousidentity/archive/2011/09/18/acs-v2-oauth-2-0-delegation-support-explained.aspx), it seems to me that ACS supports it (though I don't have any first hand experience w/ it). The truly wonderful thing about OAuth 2 is that it bakes delegation in, and is nowhere near as complex as ActAs in WS-Trust. The net result is the same, i.e., the back-end service will have info about the calling service and the end user, but the amount of effort to get it set up is incomparable. The tokens will still be bearer tokens, but you can mitigate that to a degree by using SSL. Beyond SSL, you can put some additional measures in place, but the best, IMO, would be if Microsoft did something in ACS like Google has done w/ their Access Tokens for service accounts which uses asymmetric keys that are chained up to a PKI. (BTW, for all I know, Microsoft may have already done something like that; if so, you're set.)

HTH!
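To make the audience-restriction point from the answer concrete, here is an added example that is not part of the original question or answer and is not ACS or SAML library code. It uses a minimal HMAC-signed JSON token as a stand-in for an ACS-issued signed SAML assertion (real assertions are XML signed with the issuer's private key, but the signature, expiry and audience checks a relying party performs are the same). The audience URIs, the demo signing key, the role names and the sample records are all made up for the illustration. The back-end rejects the front-end's bootstrap token as-is because its audience is the front-end; it only accepts the token once both services are configured as the same relying party, which is exactly the "ONE relying party, not two" trade-off described above.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example. A symmetric demo key stands in for the issuer's
# signing key that each relying party is configured to trust.
ISSUER_KEY = b"issuer-signing-key-for-demo-only"  # assumption: demo-only key

# Hypothetical relying-party identifiers (the audience URIs ACS would mint
# tokens for). In the question's setup these are two distinct relying parties.
FRONTEND_AUDIENCE = "https://frontend.example/"
BACKEND_AUDIENCE = "https://backend.example/"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience: str, roles, lifetime: int = 600, now=None) -> str:
    """Issuer side: bind subject, roles, audience and expiry under one MAC."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"sub": subject, "aud": audience, "roles": list(roles), "exp": now + lifetime},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


class TokenError(Exception):
    pass


def validate_token(token: str, expected_audience: str, now=None) -> dict:
    """Relying-party side: signature, expiry and audience must all hold."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError as exc:  # wrong number of parts or bad base64
        raise TokenError("malformed token") from exc
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise TokenError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise TokenError("expired")
    # Audience restriction: a token minted for the front-end is not valid for
    # the back-end unless both are configured as the same relying party.
    if claims["aud"] != expected_audience:
        raise TokenError(f"audience {claims['aud']!r} is not {expected_audience!r}")
    return claims


def backend_accepts(token: str, backend_audience: str = BACKEND_AUDIENCE, now=None) -> bool:
    """True if the back-end, configured with backend_audience, would accept the token."""
    try:
        validate_token(token, backend_audience, now=now)
        return True
    except TokenError:
        return False


def filter_records(claims: dict, records):
    """Privilege-based filtering the back-end can do once the claims are trusted."""
    return [r for r in records if r["required_role"] in claims["roles"]]


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    bootstrap = issue_token("alice", FRONTEND_AUDIENCE, ["reader"], now=now)
    print("separate relying parties:", backend_accepts(bootstrap, now=now))
    print("shared audience (one RP):",
          backend_accepts(bootstrap, backend_audience=FRONTEND_AUDIENCE, now=now))
    claims = validate_token(bootstrap, FRONTEND_AUDIENCE, now=now)
    records = [{"id": 1, "required_role": "reader"}, {"id": 2, "required_role": "admin"}]
    print("visible records:", [r["id"] for r in filter_records(claims, records)])
```

Note that once the back-end is configured with the front-end's audience, the two services really are one relying party: any token a user obtains for the front-end is equally good at the back-end, so the back-end cannot tell a forwarded token from one presented directly by the user. That is why the answer pairs token forwarding with a separate front-end credential at the transport layer (a client certificate), so the back-end at least knows which subsystem handed it the token.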

