How should you secure a multi-tenant API with Identity Server?


Problem description


I'm struggling with the correct way to secure a multi-tenant Web API with Identity Server. Let me explain.

We have a multi-tenant Web API that serves an ASP.NET MVC application.

  • Each new customer is assigned a new TenantId.
  • A customer can have multiple subscriptions of the application. It's the same as saying that the app manages multiple databases per customer (that he can access from the same base URL).
  • Each user belongs to a single customer (tenant) and will have access to all that customer's subscriptions.

The API is set in a way that every endpoint includes both the tenant id and the subscription id so it can know from which subscription/database it should get the data:

<server>/tenantId/subscriptionId/(...)

Now imagine that I have another external app (say a console app), using the client credentials flow, that is trying to access some API resource "on behalf" of a customer, meaning that it will use a specific tenantId/subscriptionId pair:

<server>/1000/1/products

Every time a call hits one of the API endpoints I need to validate that this specific client app can access that tenant/subscription.

It would make a lot of sense if the Identity Server could perform that check automatically as part of the authorization flow.

If we added some way for the customer to register (consent) a specific client app to access the Web API on its subscriptions, maybe we could also set the Identity Server to know that in the form of scopes, or at least include that information in the claims, so that we could perform the permission check by inspecting the token instead of calling an external component.

Is this even possible? Should I try to use scopes? Claims?

Can anyone point me in the right direction?

Solution

Your question is confusing when you talk about multi-tenancy. Isn't an API multi-tenant by default? The way I see it, it's a resource that can be accessed by multiple users / clients.

If I understand correctly, all you want is to access the API through the MVC app on behalf of a user. In other words: a hybrid flow with API access.

Instead of putting the userid in the path, use the id from the sub claim, which lets the API distinguish between calls on behalf of clients and calls on behalf of users.

The resource should take care of authorization. Depending on the type of authorization you can use claims. If a subscription needs to be checked then this should be done by the API, using the sub claim to distinguish the user.

Scopes, on the other hand, are meant to define the resource. With the scope "api1" I can access the Api1 resource (api). But it says nothing about authorization.
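As an added example of the answer's advice, not code from the question or the answer, here is how the resource-side check could look in an ASP.NET Core Web API: the `api1` scope only gates access to the resource, and a policy handler then decides whether the caller named in the token may touch the `tenantId`/`subscriptionId` pair from the route. It assumes ASP.NET Core with the JWT bearer middleware already validating Identity Server tokens, a hypothetical `ITenantAccessStore` (the API's own record of the consents the question describes) with a hypothetical `SqlTenantAccessStore` implementation, and the route names `tenantId` and `subscriptionId` from the question's URL layout.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;

// Marker requirement for the "TenantAccess" policy.
public class TenantAccessRequirement : IAuthorizationRequirement { }

// Hypothetical store (assumed, not part of the page): the API's own record of
// which users and which client applications a customer has allowed on each
// tenant/subscription pair. The token never has to carry this information.
public interface ITenantAccessStore
{
    Task<bool> UserCanAccessAsync(string subjectId, string tenantId, string subscriptionId);
    Task<bool> ClientCanAccessAsync(string clientId, string tenantId, string subscriptionId);
}

public class TenantAccessHandler : AuthorizationHandler<TenantAccessRequirement>
{
    private readonly ITenantAccessStore _store;
    private readonly IHttpContextAccessor _httpContextAccessor;

    public TenantAccessHandler(ITenantAccessStore store, IHttpContextAccessor httpContextAccessor)
    {
        _store = store;
        _httpContextAccessor = httpContextAccessor;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, TenantAccessRequirement requirement)
    {
        var user = context.User;

        // The scope only proves the token was issued for this API ("api1");
        // it says nothing about which tenant or subscription the caller may use.
        if (!user.HasClaim(c => c.Type == "scope" && c.Value == "api1"))
            return; // not calling Succeed leaves the request forbidden

        // Tenant and subscription come from the route, exactly as in the question's URLs.
        var routeValues = _httpContextAccessor.HttpContext?.GetRouteData()?.Values;
        var tenantId = routeValues?["tenantId"]?.ToString();
        var subscriptionId = routeValues?["subscriptionId"]?.ToString();
        if (string.IsNullOrEmpty(tenantId) || string.IsNullOrEmpty(subscriptionId))
            return;

        // A token issued on behalf of a user carries "sub"; a client-credentials
        // token carries only "client_id". That is how the API tells the two apart.
        var subjectId = user.FindFirst("sub")?.Value;
        var clientId = user.FindFirst("client_id")?.Value;

        bool allowed;
        if (!string.IsNullOrEmpty(subjectId))
            allowed = await _store.UserCanAccessAsync(subjectId, tenantId, subscriptionId);
        else if (!string.IsNullOrEmpty(clientId))
            allowed = await _store.ClientCanAccessAsync(clientId, tenantId, subscriptionId);
        else
            allowed = false; // neither a user nor a known client: deny

        if (allowed)
            context.Succeed(requirement);
    }
}

public static class TenantAccessRegistration
{
    // Call from Startup.ConfigureServices (assumed wiring).
    public static IServiceCollection AddTenantAccessAuthorization(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddScoped<ITenantAccessStore, SqlTenantAccessStore>(); // hypothetical implementation
        services.AddScoped<IAuthorizationHandler, TenantAccessHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy("TenantAccess", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.AddRequirements(new TenantAccessRequirement());
            }));
        return services;
    }
}

// Every tenant-scoped endpoint opts into the policy; the route template matches
// <server>/tenantId/subscriptionId/products from the question.
[ApiController]
[Authorize(Policy = "TenantAccess")]
[Route("{tenantId}/{subscriptionId}/products")]
public class ProductsController : ControllerBase
{
    [HttpGet]
    public IActionResult Get(string tenantId, string subscriptionId)
    {
        // Reaching this point means the handler above already confirmed access.
        return Ok(new { tenantId, subscriptionId });
    }
}
```

Two details matter in practice. First, the handler looks up the raw `sub` and `client_id` claim names, so the JWT bearer setup must not remap inbound claim types (otherwise `sub` arrives as `ClaimTypes.NameIdentifier` and the user branch is never taken). Second, the store is consulted on every request, which is the trade-off the answer implies: the authorization decision lives in the API and can be revoked immediately, rather than being frozen into the token for its lifetime.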
