OAuth Authorization vs Authentication


Problem description


OAuth terminology has been bothering me a long time now. Is OAuth Authorization as some would suggest or is it Authentication?

Correct me if I'm wrong, but I have always read Authorization as being the act of allowing someone access to a resource, yet OAuth doesn't seem to have any implementation that actually allows users access to a given resource. All OAuth implementations talk about is providing a user with a token (signed and sometimes encrypted). This token is then passed with every call to a back-end service endpoint where it is checked for validity, again not an OAuth concern.

Is OAuth Authentication (every article says it isn't), which, I take it, requires a user to provide credentials, which in turn proves a user should/shouldn't have access?

So it seems that OAuth is not Authorization NOR Authentication, since these have to be performed by other processes. So what the heck is it? Is it a process for communicating a token? Is it a fluff word that really has no specific meaning?

It's hard to ask a question about this subject without sounding enigmatic and superstitious (ghosts and goblins) so I expect that answering this question won't be a simple thing either. Enter at your own risk.

Solution

OAuth is a specification for authorization

OAuth 2.0 is a specification for authorization, but NOT for authentication. RFC 6749, 3.1. Authorization Endpoint explicitly says as follows:

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.


OAuth authentication?

Authentication deals with information about "who one is". Authorization deals with information about "who grants what permissions to whom". An authorization flow contains authentication as its first step. This is the reason people are often confused.

There are many libraries and services that use OAuth 2.0 for authentication. It is often called "social login", and it makes people more confused. If you see "OAuth authentication" (not "OAuth authorization"), it is a solution using OAuth for authentication.


OpenID Connect

OpenID 1.0 and OpenID 2.0 are old specifications for authentication. Those who made the specifications expected people to use OpenID for authentication. However, some people began to use OAuth 2.0 for authentication (not for authorization) and OAuth authentication has prevailed rapidly.

From a viewpoint of OpenID guys, authentication based on OAuth was not secure enough, but they had to admit that people preferred OAuth authentication. As a result, OpenID guys decided to define a new specification, OpenID Connect, on top of OAuth 2.0.

Yes, this has made people much more confused.


One-sentence definitions of OAuth 2.0 and OpenID Connect

OAuth 2.0 is a framework where a user of a service can allow a third-party application to access his/her data hosted in the service without revealing his/her credentials (ID & password) to the application.

OpenID Connect is a framework on top of OAuth 2.0 where a third-party application can obtain a user's identity information which is managed by a service.

(Sorry, these definitions are excerpts from the overview page of my company)


Definitions from a viewpoint of implementors

Authentication is a process to determine the subject (= unique identifier) of an end-user. There are many ways to determine the subject. ID & password, fingerprints, iris recognition, etc.

Authorization is a process to associate the subject with the requested permissions and the client application that requested the permissions. An access token represents the association.


See Also

  1. Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings
  2. Diagrams And Movies Of All The OAuth 2.0 Flows
  3. Diagrams of All The OpenID Connect Flows
  4. The Simplest Guide To OAuth 2.0
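To make the answer's distinction concrete, here is an added toy example in Python (not code from the answer or from any OAuth library): `authenticate` establishes the subject, which RFC 6749 leaves out of scope; `authorize` issues a signed access token that represents the subject/client/permission association; `issue_id_token` and `client_identify` stand in for the OpenID Connect layer that gives the client identity information. The signing key, user, password, client id and issuer are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"         # constructed: the server's HMAC key
USERS = {"alice": "correct horse"}          # constructed resource owner
SCOPES = {"alice": {"profile:read", "photos:read"}}  # permissions alice may grant

def _sign(payload):
    """Serialise claims and append an HMAC so the token can be verified later."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def _verify(token):
    """Return the claims if the signature checks out, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def authenticate(username, password):
    """Step 1: determine the subject. How this is done is outside OAuth's scope."""
    stored = USERS.get(username, "").encode()
    return username if hmac.compare_digest(stored, password.encode()) else None

def authorize(subject, client_id, requested_scope):
    """Step 2 (OAuth): bind subject, client and granted permissions in one token."""
    granted = set(requested_scope) & SCOPES.get(subject, set())
    return _sign({"sub": subject, "client_id": client_id, "scope": sorted(granted)})

def resource_server_allows(token, needed_scope):
    """The resource server only asks: was this permission granted? (not: who is this?)"""
    claims = _verify(token)
    return claims is not None and needed_scope in claims["scope"]

def issue_id_token(subject, client_id):
    """OpenID Connect layer: identity information addressed to one client."""
    return _sign({"iss": "https://as.example", "sub": subject, "aud": client_id})

def client_identify(id_token, my_client_id):
    """A client may treat the ID token as a login only if it was issued for that client."""
    claims = _verify(id_token)
    if claims is None or claims.get("aud") != my_client_id:
        return None
    return claims["sub"]
```

Note that the access token carries `sub` only so the authorization server can record the association; the client in this model learns who the user is only through the ID token, which is the gap OpenID Connect fills.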
