Recommended design for OTP/2FA support in OAuth2


Problem description

I'm trying to add OTP/2FA support into OAuth2, but after much reading through the RFC6749, it's still not clear how OTP/2FA could be cleanly added without violating the specification.

Although OTP/2FA entry can be added into the authorize dialog flow, there is no provision for adding it into token. For example, public client apps with Resource owner password-based privileges may want to provide the token directly when requesting a new access_token, rather than having to embed an HTML dialog box.

So my questions are:

  • Does the RFC allow for custom grant_type? Should this be used to provide 2FA/OTP functionality?

  • Does the RFC allow for additional attributes on an existing grant_type? For example, grant_type=token&otp_code=1234 (RFC does not make it clear if additional attributes are allowed on grant_types within the specification)

  • Should OTP functionality be placed into headers? This is the approach that Github used, but it feels really ugly/hacky.

  • Are there any other approaches that I have overlooked?

Thanks in advance

Recommended answer

The RFC allows for an extension (custom) grant, see section https://tools.ietf.org/html/rfc6749#section-8.3. That grant could define additional attributes.

OAuth 2.0 does not define how the Resource Owner authenticates to the Authorization Server, with the exception of the Resource Owner Password Credentials grant. Your proposal could be designed as an extended variant of that grant.
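As an added example (not part of the question or the answer above), here is a minimal token endpoint handler implementing the answer's suggestion: an RFC 6749 section 8.3 extension grant, named by an absolute URI, that carries the username, password and an `otp_code` attribute and verifies the code as RFC 6238 TOTP. The grant URI, the user store, the salt and the TOTP seed are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs

# Hypothetical extension grant type; RFC 6749 section 8.3 requires an absolute URI.
OTP_GRANT_TYPE = "urn:example:params:oauth:grant-type:password-otp"
SALT = b"constructed-demo-salt"  # constructed; a real store uses a per-user random salt

def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed demo user store: PBKDF2 password hash plus a base32 TOTP seed.
USERS = {"alice": {"pw": password_hash("correct horse"),
                   "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP")}}

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def token_endpoint(body: str, now: int) -> dict:
    """Handle one application/x-www-form-urlencoded token request body.
    Returns the dict that would be serialised as the JSON response (RFC 6749 5.1 / 5.2)."""
    parsed = parse_qs(body, keep_blank_values=True)
    if any(len(v) != 1 for v in parsed.values()):  # section 3.2: no repeated parameters
        return {"error": "invalid_request"}
    params = {k: v[0] for k, v in parsed.items()}
    if params.get("grant_type") != OTP_GRANT_TYPE:
        return {"error": "unsupported_grant_type"}
    user = USERS.get(params.get("username", ""))
    otp_code = params.get("otp_code", "")
    if user is None or not otp_code.isdigit():
        return {"error": "invalid_grant"}
    pw_ok = hmac.compare_digest(password_hash(params.get("password", "")), user["pw"])
    # Accept the current and the two adjacent 30-second windows to absorb clock skew.
    otp_ok = any(hmac.compare_digest(totp(user["totp_secret"], now + d), otp_code)
                 for d in (-30, 0, 30))
    if not (pw_ok and otp_ok):
        # One generic error whichever factor failed, so the response does not say which.
        return {"error": "invalid_grant"}
    return {"access_token": "opaque-token-placeholder", "token_type": "Bearer", "expires_in": 3600}
```

A client would POST `grant_type=<the URI>&username=…&password=…&otp_code=…` to this endpoint, which is the "additional attribute on an extension grant" the answer describes rather than a header.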

