Oauth2, scopes and user roles


Question

I am asking a question conceptually here as I am trying to understand the relationship between scopes and user roles in an OAuth2 based system.

As I am implementing an API, I want to restrict access to specific resources by using scopes on the resources. I understand the use of access tokens to request resources, and I believe my understanding to be correct in that you specify your scope(s) when requesting the access token.

What I am not entirely sure of is how restriction of scopes would work based on specific roles that an authenticated user is in. Let's assume Bob is an admin and Sue is a regular user. We have some resources protected by an is_admin scope. What stops Sue from requesting (and receiving) is_admin scope in her access token?

I think the following should happen:

  • Bob authenticates.
  • Bob's roles are looked up once his authentication completes. His "admin" role has the "is_admin" scope attached to it.
  • Bob asks for an access token containing all the scopes collected from his various roles.
  • Bob is automatically assigned those scopes on his access token.

Is it up to my calling app to enforce only asking for the scope Bob needs? Or is there something I am missing with regards to scopes?

Can someone please enlighten me with some simple examples?

Answer

In OAuth2, there are the following roles:

  • Resource owner - usually a person
  • Auth provider - the OAuth2 server
  • Resource server - the API that requires an access token and validates its scopes
  • Client application - the application that requests an access token with some scopes.

To understand OAuth2, it's necessary to think about it as a protocol for access rights delegation from a Resource owner to a Client application. So the main use case is: the Client application wants to access the Resource server. In order to do that, the Client application needs an access token issued by the Auth provider and authorized by the Resource owner (which gets authenticated by the Auth provider).

In your description, the Client application is missing. Let's assume it's a frontend application for your API. It needs an access token with scopes admin-user-scope or regular-user-scope. So it redirects a user (Resource owner) to the Auth provider, requesting both scopes.

The Auth provider authenticates the user and asks him/her for consent to grant some of the requested scopes to the Client application. The Auth provider may remove some scopes - for example the admin-user-scope for non-admins. The Auth provider may give the user the possibility to remove some scopes too.

The Client application receives an access token (or a grant) with scopes in a redirect URI. If the granted scopes differ from the requested scopes, the Auth provider sends a list of granted scopes (the scope URL parameter) along with the access token, so the Client application knows what actions it can perform with the access token.

Then the client application may access the Resource server and the Resource server makes sure that the provided access token contains required scopes. The Resource server uses the OAuth2 introspection endpoint to validate the token and to get a list of its scopes.
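The flow the answer describes, as an added Python sketch that is not part of the original answer: the Auth provider narrows the requested scopes to those a user's roles allow, returns the granted scope list with the token, and the Resource server checks the token through introspection before serving a request. The role names, the in-memory token store and all function names are assumptions made for this example.

```python
import secrets

# Constructed sample data: each role maps to the scopes it is allowed to hold.
ROLE_SCOPES = {
    "admin": {"admin-user-scope", "regular-user-scope"},
    "user": {"regular-user-scope"},
}
# Constructed user directory: Bob is an admin, Sue is a regular user.
USERS = {"bob": {"admin", "user"}, "sue": {"user"}}

# In-memory token store standing in for the Auth provider's database (assumption).
_TOKENS: dict[str, dict] = {}


def allowed_scopes(username: str) -> set[str]:
    """Union of the scopes attached to every role the user holds."""
    return set().union(*(ROLE_SCOPES[role] for role in USERS[username]))


def issue_token(username: str, requested: set[str]) -> dict:
    """Auth provider: grant only the intersection of requested and allowed scopes.

    The response carries the granted scopes in 'scope' because they may be
    narrower than what the Client application asked for.
    """
    granted = requested & allowed_scopes(username)
    token = secrets.token_urlsafe(16)
    _TOKENS[token] = {"active": True, "sub": username, "scope": granted}
    return {"access_token": token, "scope": sorted(granted)}


def introspect(token: str) -> dict:
    """Introspection endpoint: unknown or revoked tokens are reported inactive."""
    return _TOKENS.get(token, {"active": False})


def resource_server_allows(token: str, required: set[str]) -> bool:
    """Resource server: accept only active tokens that hold every required scope."""
    info = introspect(token)
    return bool(info.get("active", False) and required <= info.get("scope", set()))
```

Sue can request admin-user-scope, but the provider strips it, so her token never passes the Resource server's check for an admin-only resource.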
