What's the most secure way to authenticate background queue workers using IdentityServer 4?


Problem description

I have tasks that are placed onto a background queue for async processing. The standalone queue worker needs to authenticate to a separate API using IdentityServer 4, essentially "impersonating" the original user that triggered the task.

The two options I can see for doing this are:

  1. Push the access and refresh tokens of the user into the queue's payload, and use these to authenticate when the task is picked up and executed. The main issue with this is that the queue's payload is stored in a database for an extended period of time, even after execution, meaning access and refresh tokens will be stored.
  2. Try and recreate this type of user impersonation in IdentityServer 4, https://www.moonlightbytes.com/blog/impersonation-in-identity-server-3. This would mean saving the original user's username in the queue's payload.

My questions are:

  • Which of these two options is preferable and more secure?
  • Is there another way to achieve what I need?

Recommended answer

I would suggest using delegation, i.e. pushing the access token (only) into the queue's payload (to identify the user later on) and using your worker's ClientCredentials to authenticate at the moment of the call.

A refresh token is definitely not to be shared. It is a property of the app it was requested for.
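The delegation pattern the answer recommends, as an added example that is not part of the original post and not the IdentityServer project's own code: an IdentityServer 4 extension grant through which the queue worker presents its own client credentials plus the user's access token (the only token carried in the queue payload) and receives a fresh token issued on behalf of that user. No refresh token ever leaves the original app. The client id `queue-worker`, the scope `api1`, the token endpoint URL, the `act_client` claim name and the `job.UserAccessToken` property are assumptions; `IExtensionGrantValidator`, `ITokenValidator`, `GrantValidationResult` and the IdentityModel `TokenRequest` are the real IdentityServer4/IdentityModel types.

```csharp
// Added example (not from the original post or the IdentityServer project).
// Server side: a "delegation" extension grant for IdentityServer 4.
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;
using IdentityServer4.Validation;

public class DelegationGrantValidator : IExtensionGrantValidator
{
    private readonly ITokenValidator _validator;

    public DelegationGrantValidator(ITokenValidator validator)
    {
        _validator = validator;
    }

    // Custom grant type name; the worker client must list it in AllowedGrantTypes.
    public string GrantType => "delegation";

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // The user's access token that the worker pulled out of the queue payload.
        var userToken = context.Request.Raw.Get("token");
        if (string.IsNullOrEmpty(userToken))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "missing token");
            return;
        }

        // Only the queue worker client may use this grant. By the time we get here
        // IdentityServer has already authenticated the client with its own secret.
        if (context.Request.Client.ClientId != "queue-worker") // assumed client id
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.UnauthorizedClient);
            return;
        }

        // Check signature, issuer and lifetime of the user's token. An expired or
        // tampered token is rejected, so a stale payload cannot be replayed forever.
        var validation = await _validator.ValidateAccessTokenAsync(userToken);
        if (validation.IsError)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid token");
            return;
        }

        var sub = validation.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
        if (sub == null)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "no subject");
            return;
        }

        // Issue a token for the original user, recording which client acts for them
        // so the downstream API can tell delegated calls from direct ones.
        context.Result = new GrantValidationResult(
            sub,
            GrantType,
            new[] { new Claim("act_client", context.Request.Client.ClientId) }); // assumed claim name
    }
}

// Registration (assumed Startup fragment):
//   services.AddIdentityServer()
//           .AddExtensionGrantValidator<DelegationGrantValidator>();
//   new Client { ClientId = "queue-worker", AllowedGrantTypes = { "delegation" },
//                ClientSecrets = { new Secret(workerSecret.Sha256()) },
//                AllowedScopes = { "api1" }, AllowOfflineAccess = false }

// Worker side: exchange worker credentials + user access token for a delegated token.
public static class QueueWorkerAuth
{
    public static async Task<string> GetDelegatedTokenAsync(
        HttpClient http, string workerSecret, string userAccessToken)
    {
        var response = await http.RequestTokenAsync(new TokenRequest
        {
            Address = "https://identityserver.example/connect/token", // assumed URL
            GrantType = "delegation",
            ClientId = "queue-worker",
            ClientSecret = workerSecret,
            Parameters =
            {
                { "scope", "api1" },          // assumed scope
                { "token", userAccessToken }  // job.UserAccessToken from the payload
            }
        });

        if (response.IsError)
        {
            throw new System.InvalidOperationException(response.Error);
        }

        // Use this token for the API call only; do not write it back to the queue.
        return response.AccessToken;
    }
}
```

The worker's client is configured with `AllowOfflineAccess = false`, so the delegation grant can never hand out a refresh token, and the delegated access token lives only in the worker's memory for the duration of the call.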
