可以在服务之间传递 OAuth 访问令牌吗? [英] Is it OK to pass on OAuth Access Token between services?

问题描述

在 SSO/OAuth/微服务的上下文中考虑以下场景:

1. 用户使用 OAuth 的隐式流程成功登录到 Web 应用程序.
2. Web 应用向服务 A 和服务 B 请求一些数据，并传递用户的访问令牌以对这两个请求进行授权.
3. 服务 A 还调用 服务 B(传递相同的访问令牌！)以构建对初始 Web 应用请求的响应.

现在，是否可以将用户的访问令牌从服务 A 传递到服务 B?

或者服务A是否应该使用客户端凭据"授权来获取自己的访问令牌来授权调用服务B?

更新:
请假设这两个服务都归同一个组织所有，并且都信任同一个授权服务器.此外，这两个服务都位于验证访问令牌的同一 API 网关之后.

解决方案

这取决于谁在控制 Web 应用程序，Service A 和 Service B.如果它们都由同一方运行，则传递令牌没有问题因为它保持在同一个安全域内.

但是如果例如服务 B 由第 3 方运行，然后事情变得有问题，因为服务 B 的管理员可以获取访问令牌并调用服务 A，就好像它是您的 Web 应用程序一样，可能会访问它不应该访问的资源.

您还会注意到，如果服务 A 和服务 B 由 2 个不同方拥有，除您之外，您的 Web 应用程序还应分别获取两个不同的访问令牌以调用服务 A 和服务 B 以防止出现相同的安全问题.

所以答案确实是:这取决于谁在控制什么，即令牌是否跨越管理/安全域.

Considering the following scenario in a context of the SSO/OAuth/microservices:

1. User successfully logs-in to the web application using OAuth's Implicit Flow.
2. Web app requests some data from Service A and Service B passing on user's Access Token to authorize both requests.
3. Service A also calls Service B (passing on the same Access Token!) in order to build response to the initial Web App request.

Now, is this OK to pass on the user's Access Token from Service A to Service B?

Or should Service A use "Client Credentials" grant to obtain its own Access Token to authorize call to the Service B?

UPDATE:
Please assume both services are owned by the same organization and both trust the same Authorization Server. Also both services are behind the same API Gateway which validates Access Tokens.

解决方案

It depends on who is controlling the web application, Service A and Service B. If they're all run by the same party there's no problem in passing the token on since it stays within the same security domain.

But if e.g. Service B is run by a 3rd party then things become problematic as the administrator of Service B can pickup the access token and call Service A as if it were your web application, potentially getting access to resources that it should not have access to.

You'll also note that if Service A and Service B are owned by 2 different parties, other than you, your web application should also obtain two different access tokens respectively for calling Service A and Service B to prevent the same security issue.

So the answer really is: it depends on who is controlling what i.e. if the token is crossing an administrative/security domain.

这篇关于可以在服务之间传递 OAuth 访问令牌吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！