Spring Cloud OAuth2: Resource server with multiple Authorization servers


Question

We are developing an application in a microservice architecture, which implements single sign-on using Spring Cloud OAuth2 on multiple OAuth2 providers like Google and Facebook. We are also developing our own authorization server, which will be integrated in the next release.

Now, on our microservices, which are resource servers, I would like to know how to handle multiple token-info-uri or user-info-uri values for multiple authorization servers (e.g. for Facebook or Google).

Answer

This type of situation is generally solved by having a middle-man: a single entity that your resource servers trust and that can be used to normalize any possible differences that surface from the fact that users may authenticate with distinct providers. This is sometimes referred to as a federation provider.

Auth0 is a good example of this kind of implementation. Disclosure: I'm an Auth0 engineer.

Auth0 sits between your app and the identity provider that authenticates your users. Through this level of abstraction, Auth0 keeps your app isolated from any changes to and idiosyncrasies of each provider's implementation.

(emphasis mine)

It's not that your resource servers can't technically trust more than one authorization server; it's just that moving that logic out of the individual resource servers into a central location will make it more manageable and decoupled.

Also keep in mind that authentication and authorization are different things, although we are used to seeing them together. If you're going to implement your own authorization server, you should make that the central point that can:

  • Handle multiple types of authentication providers
  • Provide a normalized view of user profiles to downstream resource servers
  • Issue access tokens that your client applications can use to make authorized requests to your microservices
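As an added illustration of the federation-provider layout described in this answer (example code, not part of the original post and not Auth0's or Spring's code): the provider normalizes the differently shaped Google and Facebook profiles, issues its own access tokens, and exposes one token-info endpoint, so a resource server trusts a single issuer no matter which upstream provider authenticated the user. The profile payloads, scope names and provider mapping are constructed assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    subject: str
    email: str
    name: str
    provider: str


# Constructed sample payloads, simplified to the fields each provider uses for the user id.
GOOGLE_USERINFO = {"sub": "110000000000000000001", "email": "alice@example.com", "name": "Alice"}
FACEBOOK_ME = {"id": "1234567890", "email": "bob@example.com", "name": "Bob"}

# Per-provider normalizers: the only place that knows each upstream profile shape.
NORMALIZERS = {
    "google": lambda p: Profile(p["sub"], p["email"], p["name"], "google"),
    "facebook": lambda p: Profile(p["id"], p["email"], p["name"], "facebook"),
}


class FederationProvider:
    """Single trust point: normalizes upstream identities and issues its own opaque tokens."""

    def __init__(self):
        self._tokens = {}  # opaque token -> (Profile, scopes); in production a store or a JWT

    def login(self, provider, upstream_profile, scopes):
        profile = NORMALIZERS[provider](upstream_profile)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (profile, frozenset(scopes))
        return token

    def token_info(self, token):
        """What a resource server's single token-info-uri would return for this token."""
        entry = self._tokens.get(token)
        if entry is None:
            return {"active": False}
        profile, scopes = entry
        # Namespacing the subject by provider keeps ids from different providers from colliding.
        return {"active": True, "sub": f"{profile.provider}|{profile.subject}",
                "email": profile.email, "name": profile.name, "scope": sorted(scopes)}


class ResourceServer:
    def __init__(self, token_info):
        self._token_info = token_info  # one endpoint, regardless of which provider authenticated the user

    def authorize(self, token, required_scope):
        info = self._token_info(token)
        if not info.get("active") or required_scope not in info.get("scope", []):
            return None  # unknown/expired token or insufficient scope: reject
        return info["sub"]
```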

