我应该将ID令牌从SPA发送到我的其余后端吗? [英] Should I send the id token from my SPA to my rest backend?

问题描述

我有一个由REST API服务器支持的SPA应用程序.

I have a SPA app which is backed by a rest api server.

我使用隐式授予流将Auth0用于身份验证和授权.
我阅读的所有示例都说明我应该将接收到的访问令牌发送给api以用于授权目的.例如:
https://auth0.com/blog/why-should -使用访问令牌以安全地获取api

I use Auth0 for authentication and authorization using the implicit grant flow.
All the examples I read explain that i should send the access token which I receive to the api for authorization purpose. For example :
https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api

另一方面，我读到访问令牌不能用作身份验证的证明:
http://www.thread-safe.com /2012/01/problem-with-oauth-for-authentication.html https://oauth.net/articles/authentication/

On the other hand, I read that access token cannot be used as a proof for authentication:
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html https://oauth.net/articles/authentication/

这意味着，我不能信任访问令牌上的子声明，以确保它确实是用户，而不是发送访问令牌的另一个客户端. 意思是，如果我将facebook用作IDP，则另一个Web应用程序可以将用户发布给其使用的访问令牌发送到我的服务器，并且由于访问令牌没有aud声明，因此我的服务器会认为该用户已通过身份验证在我的网络应用中. 此外，我看到google登录确实指导水疗中心向服务器发送ID令牌: https://developers.google.com/identity/sign-in/web/backend-auth

That means, I cannot trust the sub claim on my access token to be sure that this is indeed the user and not another client that send its access token. Meaning, if i would use facebook as the IDP, another web app could send an access token issued to its use by the user to my server and because access tokens don't have an aud claim, my server would think that the user is authenticated in my web app. Moreover , I see that google sign in indeed guide the spa to send an id token to the server: https://developers.google.com/identity/sign-in/web/backend-auth

所以:我是否应该将ID令牌(用于身份验证)和访问令牌(用于授权)都发送到我的服务器?

So : Should I send both the id token(for authetication) and the access token(for authorization) to my server ?

推荐答案

我经历了 使用后端服务器进行身份验证 .正如它建议的那样，可以使用id令牌对后端服务器进行身份验证.不仅由Google推荐，而且还有其他一些实体推荐.但是id令牌旨在供依赖方(客户端)验证和认证最终用户.访问令牌是应用于访问资源的令牌.

I went through Authenticate with a backend server as you have pointed out. As it suggest, one can use id token to authenticate against backend server. Which not only recomend by Google but some other entities as well. But id token is intended for relying party (client) to validate and authenticate the end user. Access token is the token that should be used to access resources.

您可以考虑的另一种选择是使用OpenID Connect规范定义的用户信息端点.

One alternative you could consider is the use of user info endpoint defined by OpenID Connect specification.

用户信息端点

UserInfo端点是OAuth 2.0受保护的资源，它返回有关经过身份验证的最终用户的声明.为了获得所请求的有关最终用户的声明，客户端使用通过OpenID Connect身份验证获得的访问令牌向UserInfo端点发出请求.这些声明通常由一个JSON对象表示，该对象包含声明的名称和值对的集合.

The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication. These Claims are normally represented by a JSON object that contains a collection of name and value pairs for the Claims.

Google确实提供了用户信息端点.他们的文档 获取用户配置文件信息 sectioon解释了端点，如何调用它以及响应详细信息.

Google do provide user info endpoint. Their documentation's Obtaining user profile information sectioon explains about the endpoint, how to call it and response details.

要获取有关用户的其他配置文件信息，可以使用访问令牌(您的应用程序在身份验证流程中接收到的访问令牌)和OpenID Connect标准:

To obtain additional profile information about the user, you can use the access token (which your application receives during the authentication flow) and the OpenID Connect standard:

成功的详细信息将揭示最终用户的信息，其格式在 人们:getOpenIdConnect 格式.

And a succesfull details will reveal end user infromation which has a format explained in People: getOpenIdConnect format.

这样，您可以避免将ID令牌暴露给其他方.您的后端可以使用访问令牌访问这些信息，以检测最终用户并根据该身份进行验证.

This way you avoid exposing id token to other parties. And your backend can use the access token to access these information to detect end user and authenitcate based on that.

无论采用哪种替代方法，id令牌都应用于身份验证.因此，只要保护id令牌，就可以将其传递给服务器并使用声明来标识最终用户并验证令牌的有效性.

Regardless of these alternative approaches, id token is meant to be used for authentication. So passing it to server and use claims to identify end user and authenticate on token validity is fine as long as you protect id token.

这篇关于我应该将ID令牌从SPA发送到我的其余后端吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！