How does the authorization endpoint know the user is logged in?


Question

I am implementing single sign-on with OAuth2 and OpenID Connect for a distributed web application. The Authorization Server is running on its own. I've implemented the access token endpoint and am currently trying to implement the authorization endpoint (for the Authorization Code flow).

This is my understanding of what should happen:


              GET http://authserver/authorize?client_id=1&
                                              state=BB&
 _________                                    scope=read_user&                ____________
|         |                                   redirect_uri=myapp/callback    |            |
|         |----------------------------------------------------------------> |            |
| Browser |                                                                  | AuthServer |
|         |<-----------------------------------------------------------------|            |
|_________|   302 myapp/callback?code=AAA&state=BB                           |____________|


At this point the browser simply needs to make a second request to the access token endpoint with the code, and it will receive the access token.

However, before all this happens, I'm a bit confused about how the Authorization Server really knows that the user is logged in:

  1. Shouldn't the authorization server verify somehow that the user is logged in?
  2. If, in a previous step, the user logged in and obtained a cookie from another server, how is that verified from the authorization server's point of view? How does the server know that the user requesting the code is John and not Bob or someone anonymous?

Answer

I will try to answer your questions with RFC 6749, The OAuth 2.0 Authorization Framework. Note that this is valid for OpenID Connect too, as it is an extension of OAuth 2.0.

1. Shouldn't the authorization server verify that the user is logged in?

Section 3.1, Authorization Endpoint, states the following:

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.

Before the redirect, the authorization server performs end-user authorization for the request. This is done in the form of a user login or another mechanism, as given above. This is the point where the actual end-user validation happens. From your question's perspective, this is the login.

2. If, in a previous step, the user logged in and obtained a cookie from another server, how is that verified from the authorization server's point of view?

I hope you know the basics of cookies. They help browser-based web applications maintain state between the front end and the back end.

Depending on the authorization server's configuration, one could ask the end user to mark the logged-in state as remembered. Then what your browser gets is a secure cookie, which is stored in the browser. This is a string which has no meaning to the end user, but in the back end there is a correlation (think of an index key) against the logged-in user (e.g. A1 - Bob, A2 - Alex).

So the next time the user opens the browser and uses your application, the authorization server gets the cookie with the authorization request. If the cookie is not expired or invalidated, the authorization server can skip the login dialog. And as highlighted in the first section, the end-user grant occurs through the cookie.
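The mechanism the answer describes, as an added example that is not part of the question, the answer, or any real authorization server: a minimal `/authorize` handler that looks the browser's session cookie up in the server's own session table, sends an unknown or expired session to the login dialog, and otherwise issues a short-lived authorization code bound to the user, `client_id` and `redirect_uri` before redirecting back with the caller's `state`. The session table, client registry, cookie name `sid` and helper names are constructed for the example; the `redeem_code` function stands in for the token endpoint's side of the flow so the binding and single-use checks can be seen end to end.

```python
"""Example authorization endpoint: who is the resource owner?

Constructed example for this page (not code from the question, the answer,
or any real OAuth/OIDC server). All state is in-memory.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample state. The cookie value is an opaque handle; the identity
# it stands for lives only on the server side (A1 -> bob, A2 -> alex).
SESSIONS = {
    "A1": {"user": "bob", "expires": time.time() + 3600},
    "A2": {"user": "alex", "expires": time.time() - 1},   # already expired
}
CLIENTS = {"1": {"redirect_uris": {"https://myapp/callback"}}}
AUTH_CODES = {}   # code -> the binding it must be redeemed with
CODE_TTL = 60     # seconds; RFC 6749 recommends a short code lifetime


def _params(query):
    """First value of each query parameter."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def authorize(query, cookies, now=None):
    """Handle GET /authorize. Returns a dict standing in for an HTTP response."""
    now = time.time() if now is None else now
    p = _params(query)
    client = CLIENTS.get(p.get("client_id"))
    redirect_uri = p.get("redirect_uri")
    # Validate client_id and redirect_uri before redirecting anywhere, so an
    # unregistered URI never receives a code (RFC 6749 section 3.1.2.4).
    if client is None or redirect_uri not in client["redirect_uris"]:
        return {"status": 400, "error": "invalid_request"}
    state = p.get("state", "")
    if p.get("response_type") != "code":
        err = urlencode({"error": "unsupported_response_type", "state": state})
        return {"status": 302, "location": f"{redirect_uri}?{err}"}
    # Identify the resource owner from the server's own session cookie.
    session = SESSIONS.get(cookies.get("sid"))
    if session is None or session["expires"] <= now:
        # Unknown or expired session: show the login dialog and remember the
        # original authorization request so it can resume after login.
        nxt = urlencode({"next": "/authorize?" + query})
        return {"status": 302, "location": f"/login?{nxt}"}
    # Logged in: mint a single-use code bound to user, client and redirect_uri.
    code = secrets.token_urlsafe(32)
    AUTH_CODES[code] = {
        "user": session["user"],
        "client_id": p["client_id"],
        "redirect_uri": redirect_uri,
        "scope": p.get("scope", ""),
        "expires": now + CODE_TTL,
    }
    qs = urlencode({"code": code, "state": state})
    return {"status": 302, "location": f"{redirect_uri}?{qs}"}


def redeem_code(code, client_id, redirect_uri, now=None):
    """Token-endpoint side: a code is single-use and must be presented by the
    same client with the same redirect_uri it was issued for."""
    now = time.time() if now is None else now
    grant = AUTH_CODES.pop(code, None)   # pop() makes the code single-use
    if grant is None or grant["expires"] <= now:
        return None
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        return None
    return {"user": grant["user"], "scope": grant["scope"]}


def location_params(location):
    """Split a redirect target into (scheme, host, path, query dict)."""
    u = urlsplit(location)
    return u.scheme, u.netloc, u.path, _params(u.query)


if __name__ == "__main__":
    q = ("response_type=code&client_id=1&state=BB&scope=read_user"
         "&redirect_uri=https://myapp/callback")
    print("anonymous ->", authorize(q, {}))
    resp = authorize(q, {"sid": "A1"})
    print("bob       ->", resp)
    _, _, _, qp = location_params(resp["location"])
    print("redeem    ->", redeem_code(qp["code"], "1", "https://myapp/callback"))
```

The point to notice is that nothing in the authorization request itself names the user: the server learns "this is Bob" only by resolving its own cookie against server-side state, and the code it mints carries that identity into the token exchange without the browser ever seeing a username.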
