What is the difference between OAuth based and Token based authentication?

Views: 99

Question

I thought that OAuth is basically a token based authentication specification but most of the time frameworks act as if there is a difference between them. For example, as shown in the picture below Jhipster asks whether to use an OAuth based or a token based authentication.

Aren't these the same thing? What exactly is the difference, since both include tokens in their implementations?

Recommended answer

This is a good question -- there is a lot of confusion around tokens and OAuth.

First up, when you mention OAuth, you are likely referring to the OAuth2 standard. This is the latest version of the OAuth protocol, and is what most people are specifically talking about when they say 'OAuth'.

The OAuth protocol supports several different types of authentication and authorization (4 to be precise).

Secondly, the OAuth protocol works by authenticating users via tokens. The idea here is this:

Instead of having your user send their actual credentials to your server on every single request (like they would with Basic Auth, where a user sends their username/password to the server for each request), with OAuth you first exchange your user credentials for a 'token', and then authenticate users based on this 'token'.

The idea of OAuth is that by requiring users to pass their confidential credentials over the network less frequently, fewer bad things can happen. (This is the idea, anyhow.)

Now, here's where tokens come into play: the OAuth spec is built around the concept of tokens, but DOES NOT SPECIFY WHAT A TOKEN IS.

In the most 'general' sense, a token is just a string that uniquely identifies a user. That's it.

People realized this, and developed a new standard for creating tokens, called the JSON Web Token standard. This standard basically provides a set of rules for creating tokens in a very specific way, which makes tokens more useful for you in general.

JWTs let you do things like:

  • Cryptographically sign the token, so you know it has not been tampered with by the user.
  • Encrypt the token, so its contents cannot be read in plain text.
  • Embed the token string inside JSON data in a standard way.

Now, for the most part: pretty much everyone in the development community has agreed that if you're using any sort of OAuth, then the tokens you're using should be JSON Web Tokens.

==========

OK! Now that we've covered the backstory, let me answer your question.

The choice you're making above is whether or not you want to enable the full OAuth2 specification for authentication / authorization (which is quite complex), or whether you simply want some basic 'token authentication'.

Because the OAuth protocol provides multiple different ways to authenticate in a STANDARDS COMPLIANT way, it adds a lot of complexity to most authentication systems.

Because of this, a lot of frameworks offer a 'dumbed down' version of the OAuth2 Password Grant flow, which essentially is a simple method where:

  • The user sends their username/password to your server via a URL like /login.
  • Your server generates a JWT token for the user.
  • Your server returns that token to the user.
  • The user stores this token in their cookies, mobile device, or possibly an API server, and uses it from there to make requests.

Again: the flow above is NOT OAuth compliant, but is a slightly simpler version that STILL uses tokens.

The main point here is that tokens (JWTs) are generally useful, and don't NEED to be paired with the OAuth flow.

I realize this is a wall of text, but hopefully it answers your question in more depth =)

