OAuth 2.0 Many to Many Delegated Client Credential Flow Scenario


Problem description

Scenario:

  1. A controller process uses the client credentials grant to obtain a short-lived JWT access token and a refresh token handle.
  2. The controller spawns one or more isolated worker nodes and passes the access and refresh tokens down to them.
  3. A child node may go on to perform a long-running task during which the access token may expire and need to be refreshed.
  4. In a background thread, the agent refreshes its token before expiry and regenerates the access token. The short-lived access token and refresh lifecycle are needed so that time-sensitive JWT claims (claims that are transient in time, such as URIs) can be regenerated.
  5. The child may return a reply to the parent. Both parent and child need to maintain independent session validation lifecycles without invalidating each other.

Assumptions: Assume each process is an atomic unit of work with independent state. The access token is authenticated once by the controller and passed down with its refresh token to N+1 or N*N worker nodes.

Any given N process may proactively regenerate its access token with the refresh token handed down to it to extend its lifetime and prevent expiration.

The process may run in a trusted (private) or untrusted (public) environment over HTTPS & SSL.

There is one authorization server and one API resource server.

Problem: How would the agent validate both the access token and refresh token lifetime, ensuring that any child or parent process can refresh its session during its lifetime without exposing any security attack vectors or invalidating another agent in the pool?

Recommended answer

Mutual TLS client certificate authentication may be a good option for this. It involves parties authenticating each other through verifying the provided digital certificate, so that both parties are assured of the other's identity. In technology terms, it refers to a client application authenticating itself to a server, and that server also authenticating itself to the client, by verifying the public key certificate/digital certificate issued by a trusted Certificate Authority (CA).
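The following is an added, self-contained Go example that is not part of the answer above or of any project; it shows what the recommended mutual TLS looks like in practice. It builds an in-memory CA and issues one server certificate and one client certificate from it, starts an HTTPS server that requires and verifies a client certificate chained to that CA, and then makes two requests: one where the worker presents its certificate (accepted, and the server reads the authenticated identity from the verified chain) and one where it does not (rejected at the TLS layer). The names "Demo Root CA", "authorization-server" and "worker-node-1" are constructed for the example, and the in-memory CA stands in for whatever PKI a real deployment would use to issue certificates to the controller and each worker node.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// PKI holds a constructed in-memory CA plus one server and one client
// certificate issued by it. Everything is generated at run time for the
// example; nothing is read from disk.
type PKI struct {
	Pool   *x509.CertPool  // trust anchor shared by both sides
	Server tls.Certificate // presented by the authorization/API server
	Client tls.Certificate // presented by a worker node
}

// baseTmpl returns a one-day certificate template with the given CN.
func baseTmpl(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issue generates a P-256 key and signs tmpl with parentKey; when parent is
// nil the certificate is self-signed (the CA case).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI builds the CA, a server certificate valid for 127.0.0.1/localhost
// and a client certificate for the hypothetical worker "worker-node-1".
func NewPKI() (*PKI, error) {
	caTmpl := baseTmpl(1, "Demo Root CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	srvTmpl := baseTmpl(2, "authorization-server")
	srvTmpl.DNSNames = []string{"localhost"}
	srvTmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srv, srvKey, err := issue(srvTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	cliTmpl := baseTmpl(3, "worker-node-1")
	cliTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cli, cliKey, err := issue(cliTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{
		Pool:   pool,
		Server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		Client: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey},
	}, nil
}

// StartServer runs an HTTPS server that requires and verifies a client
// certificate chained to the CA, then echoes the verified client identity.
func StartServer(p *PKI) *httptest.Server {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is populated only after the server verified the
		// client chain, so this CN is an authenticated identity, not a claim.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	})
	s := httptest.NewUnstartedServer(h)
	s.TLS = &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientCAs:    p.Pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
	s.StartTLS()
	return s
}

// Call makes one request; withCert controls whether the worker presents its
// certificate. The client always verifies the server against the CA.
func Call(url string, p *PKI, withCert bool) (string, error) {
	cfg := &tls.Config{RootCAs: p.Pool}
	if withCert {
		cfg.Certificates = []tls.Certificate{p.Client}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo returns the greeting obtained with a client certificate and whether
// the same request without a certificate was rejected.
func Demo() (string, bool, error) {
	p, err := NewPKI()
	if err != nil {
		return "", false, err
	}
	s := StartServer(p)
	defer s.Close()
	greeting, err := Call(s.URL, p, true)
	if err != nil {
		return "", false, err
	}
	_, err = Call(s.URL, p, false)
	return greeting, err != nil, nil
}

func main() {
	greeting, rejected, err := Demo()
	fmt.Println(greeting, rejected, err)
}
```

The point for the scenario in the question is that the identity the server acts on comes from the verified certificate chain rather than from a bearer token that any process holding it could replay: a worker that cannot present a certificate chained to the CA never reaches the handler, and each worker can be issued its own certificate so that revoking one does not affect the others.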

