WebAPI Mixing Implicit Flow and Client Credentials Flow


Question

I have a WebAPI solution that secures its controller methods via the [Authorize] attribute. It verifies that a given user has the appropriate roles, which are basically claims that come from an IdentityServer3.

There are several single page application clients that interact with this WebAPI, and the client users are authenticated/authorized using implicit flow.

So far pretty standard and simple, it all works fine...

Now I have a need for a background process to make calls to this same WebAPI. This effectively becomes machine to machine communication. Based on all the documentation I have read this is a situation for Client Credentials flow. No users are involved.

The question...

Given that no user is involved, this also means no subject, no claims and obviously no roles. If I am not mistaken a client does not have claims. Since my controller methods are secured by roles, how then can a client such as this be authorized to use the service/resource?

I read that a client should have only one flow, but what about a resource? The flow used by the client shouldn't be important to the resource, except that the access token will have no claims depending on the client flow. So in that context the flow is also relevant to a resource when it is secured by claims. Am I confused?

Should I create a new service specifically for client credentials flow? Rig the identity server to support claims on clients?

I am looking for best practices here.

Edit

Please also refer to this Github discussion... Issue 76

If the subject is null - there is no human involved.

We are not planning to have claims for clients. The client identity and scopes should be enough.

Also see... Issue 79

Well - in general a client should only have one flow since it can result in security problems if the wrong combination of flows is configured (e.g. code and implicit).

Answer

You may not exactly match the user-role claim (fine-grained authorization) in Client Credentials flow, but there are a few workarounds:

  • Use the Scope claim issued to the Client for making authorization decision (refer to this Identity Server documentation - Specifically under Registering a Web API )
  • Based on the Audience ("aud") claim in the access token, you may waive the authorization decisions that you usually check for user tokens

Also have a look at the Token Introspection (and the associated video posted by Dominick) for further understanding. This also outlines the role of the resource server.
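The two workarounds in the answer can be combined in a single resource-side authorization check: a token that carries a `sub` claim came from a user (implicit flow) and is authorized on roles as before, while a token with no `sub` came from a client credentials grant and is authorized on the scopes IdentityServer3 issued to that client. The following is an added example (not code from the question, the answer, or IdentityServer3) of an ASP.NET Web API 2 attribute that does this; the attribute name, the role name `ReportReader`, the scope name `reports.read`, the controller and the assumption that roles arrive as a `role` claim (or the standard `ClaimTypes.Role`) are all illustrative.

```csharp
// Added example: authorize either on user roles (token has "sub") or on
// client scopes (token has no "sub", i.e. client credentials flow).
// Assumes the IdentityServer3 access token validation middleware has already
// validated signature, expiry and audience and populated the ClaimsPrincipal.
using System;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

public class RoleOrScopeAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] _roles;   // accepted roles for user tokens
    private readonly string[] _scopes;  // accepted scopes for client tokens

    public RoleOrScopeAuthorizeAttribute(string roles, string scopes)
    {
        _roles = Split(roles);
        _scopes = Split(scopes);
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        // "sub" present: a human is involved, so this is a user token.
        // Fall back to the role-based decision the API already makes.
        if (principal.HasClaim(c => c.Type == "sub"))
        {
            // Assumption: roles arrive as "role" claims or as ClaimTypes.Role.
            return principal.Claims.Any(c =>
                (c.Type == "role" || c.Type == ClaimTypes.Role) &&
                _roles.Contains(c.Value, StringComparer.Ordinal));
        }

        // No "sub": a client credentials token. The client identity ("client_id")
        // and its granted "scope" claims are what we can decide on.
        var grantedScopes = principal.FindAll("scope").Select(c => c.Value);
        return _scopes.Intersect(grantedScopes, StringComparer.Ordinal).Any();
    }

    // Split a comma-separated list into trimmed, non-empty entries.
    private static string[] Split(string csv)
    {
        return (csv ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(s => s.Trim())
            .ToArray();
    }
}

// Illustrative controller: SPA users need the ReportReader role, the
// background job's client needs the reports.read scope. Both names are assumed.
public class ReportsController : ApiController
{
    [RoleOrScopeAuthorize(roles: "ReportReader", scopes: "reports.read")]
    public IHttpActionResult Get()
    {
        return Ok(new[] { "report-1" });
    }
}
```

Keying the branch on the presence of `sub` matches the IdentityServer maintainers' statement quoted in the question (a null subject means no human is involved), and keeping the scope list explicit per action means a client that was granted a broad scope for a different API cannot silently satisfy a check intended for users.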
