Best practice to organize authorization in microservice architecture?

Views: 614

Question

For example, I have 3 services:

  • Authentication

  • Seller

  • Buyer

Each of them has its own database, models, services, etc.

The Authentication service knows about users, user groups, roles and permissions, and creates tokens.

Where should I store the seller/buyer entities? On the Authentication service, or on the Seller/Buyer services?

How should the Seller/Buyer services interact to create a new seller/buyer entity?

How should the Seller/Buyer services check permissions?

Seller and Buyer entities have some common fields (name, password, email, ...), but each of them also has its own additional fields.

Sellers and buyers interact with each other.

Answer

This sounds similar to a problem I was solving recently.

Assuming your services are HTTP based, I would recommend you check out OAuth 2.0:

     OAuth addresses these issues by introducing an authorization layer and separating the role of the client from that of the resource owner. In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner.

     Instead of using the resource owner's credentials to access protected resources, the client obtains an access token -- a string denoting a specific scope, lifetime, and other access attributes. Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.

     For example, an end-user (resource owner) can grant a printing service (client) access to her protected photos stored at a photo-sharing service (resource server), without sharing her username and password with the printing service. Instead, she authenticates directly with a server trusted by the photo-sharing service (authorization server), which issues the printing service delegation-specific credentials (access token).

There is a simple model:

User (Resource Owner)

  • Owns some data, hence it is also called the Resource Owner

  • Has credential(s)

Authorization Server

  • Owns and controls the User Identity, Credentials, and Claims

  • Controls granting & denying access to the User's resources (not really required in this scenario)

  • Exchanges a user's credentials for an access_token that a Client can then use to access information from a Resource Provider

  • Optionally grants a refresh_token that can be used to renew an expired access_token

Resource Provider (your services)

  • Has information

  • Trusts the Authorization Server

  • Validates that the access_token is valid (not expired, signed correctly, etc.)

  • Validates that the required claims are present (user, role, etc.)

  • Releases the information to the requesting Client

Client

  • An application (internal or third-party)

  • Authenticates the User via a known Authorization Server

  • Obtains an access_token

  • Uses the access_token to call Resource Providers to get information

A Claims Identity (explained in more detail here: http://stackoverflow.com/questions/6786887/explain-claims-based-authentication-to-a-5-year-old) is not just a username & password; it can carry many claims such as an email, a date of birth, etc. for an authenticated user, and you can use those claims to communicate any common user properties to your various services.

Now, your last question was about linking a user (or an identity) to an entity in each service that represents some unique information in that service's context... this can be achieved by linking an existing authenticated identity and access_token to an internal representation of the user in each service.

Something like:

  • A Seller is a User

  • A Buyer is a User

  • A User has Claims (access_token)

  • A Claim is a key-value pair

  • Claims can be (name, email, roles, ... etc.)
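The following is an added example, not code from the question or the answer above, showing the resource-provider side of the model in Python: a service (the Seller service here) receives an access_token, checks that it is correctly signed and not expired, checks that the required claims are present, and then links the authenticated identity (the `sub` claim) to its own internal seller record. The token format, the HS256-style HMAC signing with a secret shared between the authorization server and the service, the claim names (`sub`, `name`, `email`, `roles`, `exp`) and the in-memory `SELLERS` store are all assumptions made for this example; a real deployment would typically use a standard JWT library and asymmetric keys so that services only hold a public verification key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the toy authorization server and the
# Seller service. Real systems would use RS256/ES256 and distribute only the
# public key to resource providers.
AUTH_SERVER_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(claims: dict, secret: bytes = AUTH_SERVER_SECRET) -> str:
    """Authorization-server side: turn already-verified user claims into a signed token."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(signature)


class TokenError(Exception):
    """Raised when an access_token must be rejected."""


def validate_access_token(token: str, required_claims, secret: bytes = AUTH_SERVER_SECRET,
                          now: float = None) -> dict:
    """Resource-provider side: verify signature, expiry and required claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the service decides how tokens are verified, not the token.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    missing = [c for c in required_claims if c not in claims]
    if missing:
        raise TokenError(f"missing required claims: {missing}")
    return claims


# Internal representation of sellers in the Seller service, keyed by the
# identity's `sub` claim (stands in for the service's own database).
SELLERS = {}


def get_or_create_seller(claims: dict) -> dict:
    """Link the authenticated identity to this service's own seller entity."""
    if "seller" not in claims.get("roles", []):
        raise PermissionError("identity does not carry the seller role")
    seller = SELLERS.get(claims["sub"])
    if seller is None:
        # Common fields come from the claims; service-specific fields live here.
        seller = {"sub": claims["sub"], "name": claims["name"],
                  "email": claims["email"], "store_name": None}
        SELLERS[claims["sub"]] = seller
    return seller


def handle_seller_request(token: str, now: float = None) -> dict:
    """What the Seller service does on every request carrying an access_token."""
    claims = validate_access_token(token, ["sub", "name", "email", "roles", "exp"], now=now)
    return get_or_create_seller(claims)


if __name__ == "__main__":
    demo = issue_access_token({"sub": "u-42", "name": "Alice", "email": "alice@example.test",
                               "roles": ["seller"], "exp": time.time() + 3600})
    print(handle_seller_request(demo))
```

The Seller service never sees the user's password: it trusts the authorization server's signature, rejects anything expired, unsigned or signed with a different key, and refuses identities whose claims do not carry the seller role. The Buyer service would follow the same pattern with its own internal store and role check.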
