OKTA different tokens for admin and user


Problem description

I have a Spring Boot application with a couple of REST endpoints. I am trying to use OAuth2 together with Okta to limit access to these endpoints depending on roles. So far I have done this:

I have been able to get a BEARER token by calling:

oauth2/default/v1/token

Then I can use the token to hit my endpoints in localhost.

I tried to use some of this https://developer.okta.com/blog/2017/10/13/okta-groups-spring-security to implement the access based on user group. Now the problem is that when calling oauth2/default/v1/token I am using the user and password provided as client id and client credentials in my application.

Is there any way to generate tokens by calling the /token endpoint that contain user specific information?

Recommended answer

Most user-scoped OAuth flows involve the user authenticating through the browser when you redirect them to the authorization endpoint. If you are not able to do so, you can instead make a series of backend calls to receive tokens via Authorization Code flow (recommended) or Implicit flow (not as secure). Note that this option will only work if the users in question are Okta mastered (aka, the users have passwords within Okta and are not federated).

  1. make a primary authentication call to /authn, providing the user's username/password
  2. if user is not required to answer an MFA challenge, the status returned from this call will be SUCCESS and you will be returned a sessionToken in the response
  3. include the sessionToken as a parameter in your authorize request to request either an authorization code (authorization code flow) or token(s) (implicit flow) for a user assigned to the application in question.
  4. If using authorization code flow, make the call to the /token endpoint to get the tokens back. If using implicit flow, you already have the token(s)
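The four steps above as an added, runnable illustration; this is not the answerer's code. It assumes a confidential client (client id plus client secret) on an Okta org exposing the Classic `/api/v1/authn` endpoint and the `default` authorization server; the org URL, client id, secret, redirect URI and every response in `fake_okta` are constructed so the flow runs offline, including the case where `/authn` does not end in SUCCESS.

```python
"""Backend Okta login: /authn -> sessionToken -> /authorize -> /token (constructed example)."""
import secrets
from urllib.parse import parse_qs, urlparse


class OktaBackendLogin:
    """Session-token flow from the answer. `post(url, data)` returns the JSON body;
    `get(url, params)` returns the Location header of the 302 from /authorize.
    Both are injected so the same logic runs against a real org or the stub below."""

    def __init__(self, org, client_id, client_secret, redirect_uri, post, get):
        self.org, self.client_id, self.client_secret = org, client_id, client_secret
        self.redirect_uri, self.post, self.get = redirect_uri, post, get

    def login(self, username, password):
        # Step 1: primary authentication with the end user's own credentials.
        authn = self.post(f"{self.org}/api/v1/authn",
                          {"username": username, "password": password})
        # Step 2: only SUCCESS carries a sessionToken; MFA_REQUIRED, LOCKED_OUT, etc.
        # must stop the flow rather than be treated as a completed login.
        if authn.get("status") != "SUCCESS":
            raise PermissionError(f"primary authentication ended in {authn.get('status')}")
        # Step 3: authorization code flow; `state` binds the redirect to this request.
        state = secrets.token_urlsafe(16)
        location = self.get(f"{self.org}/oauth2/default/v1/authorize", {
            "client_id": self.client_id, "response_type": "code",
            "scope": "openid groups", "redirect_uri": self.redirect_uri,
            "state": state, "sessionToken": authn["sessionToken"]})
        query = parse_qs(urlparse(location).query)
        if query.get("state", [None])[0] != state:
            raise ValueError("state mismatch on redirect")
        # Step 4: exchange the one-time code for tokens issued for this user.
        return self.post(f"{self.org}/oauth2/default/v1/token", {
            "grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": self.redirect_uri, "client_id": self.client_id,
            "client_secret": self.client_secret})


def fake_okta():
    """Constructed stand-in for an Okta org with canned responses (not a real tenant)."""
    def post(url, data):
        if url.endswith("/api/v1/authn"):
            if data["username"] == "bob":  # constructed: bob is enrolled in MFA
                return {"status": "MFA_REQUIRED"}
            return {"status": "SUCCESS", "sessionToken": "20111constructedSessionToken"}
        if data.get("code") == "constructedCode" and data.get("client_secret") == "s3cr3t":
            return {"token_type": "Bearer", "access_token": "constructed.access.token"}
        return {"error": "invalid_grant"}

    def get(url, params):
        return f"{params['redirect_uri']}?code=constructedCode&state={params['state']}"
    return post, get
```

Against a real org, replace `post`/`get` with thin wrappers around an HTTP client that decode the JSON body and, for `/authorize`, return the `Location` header without following the redirect.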
