How to implement user permissions on top of oauth2 authentication

Problem description

In a web application which authenticates its users via an IdP using oauth2, what are the more standard/recommended options for implementing user permissions (both client and server side)?

By "user permissions" I am referring to actions that the user is or isn't allowed to perform inside the application.
For example, let's say the application has an "admin" page which is used for managing some of the application's settings, that only specific users are allowed to enter. Some of these users are only allowed to view the current settings, while others are also permitted to change the settings (possibly only some of them).

From what I gather, the concept of "scopes" in oauth2 could probably be used for implementing such a requirement, so for example, a user that is only permitted to view the "admin" page would have a app:admin:view scope, whereas a user who can also edit a setting would, in addition, have a app:admin:some-setting:edit scope.
But, it seems that in most large identity provider services, the task of managing these scopes and their assignment to users would be quite a tedious one.

Would that be a good solution? If so, are there any products/services which integrate with oauth2 IdPs and help manage permissions and their assignment to users more easily (say, with a nice intuitive UI)? If not, are there any established methods for handling such scenarios?

Recommended answer

Scopes

I would not use OAuth2 scopes for this purpose. The reason is that OAuth2 scopes are for restricting what an application can do with a user's resource, not for restricting what a user can do in the application.

For example, if I wrote a web application that showed users what languages they used in their Google Docs, it would need the privilege delegated from Google to read the user's Google Docs, but not to, for example, read their calendar. So the application would get an OAuth2 token from Google that was scoped with the read-Docs privilege, but not the read-calendar privilege or any other unnecessary privileges.

The concrete drawback of using scopes to carry info about user permissions (as opposed to application permissions) would be, if you want to implement something like the above, where applications get varying levels of access to users' resources within your application, it could be confusing trying to use OAuth2 scopes in multiple ways simultaneously. This could become a problem if you want to expose functionality within your application via an API to your customers to integrate into their own applications.

You mentioned you are using OAuth2 for authentication. OAuth2 is for delegating authorization, not for authentication. OAuth2 access tokens do not represent authenticated users. OpenID Connect ID tokens do.

I like using AWS Cognito for authentication. It keeps track of your users for you, so you don't need a user database, and handles authenticating them. It integrates with external identity providers like Google and Facebook. For your use case of keeping track of different kinds of users, you can use Cognito Groups. Here is a blog post with an example.

Basically you'll get an ID token from Cognito, and your client or your server can read the ID token to figure out the user's groups (admin, regular-user, etc.), and act accordingly. Here is an example of reading the group from the token.
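As an added example (not from the answer above and not AWS's own code), here is a minimal server-side check of the kind the answer describes: verify the ID token, read its groups claim, and map groups to the view/edit permissions from the question. It assumes constructed placeholder issuer and audience values, an HMAC secret standing in for Cognito's RS256 keys (real tokens are verified against the user pool's JWKS), and the Cognito claim names `cognito:groups` and `token_use`.

```python
import base64, hashlib, hmac, json, time
# Constructed for this example: an HMAC secret (HS256) stands in for Cognito's RS256 key pair so
# the code runs offline; real Cognito ID tokens are verified against the user pool's JWKS.
SECRET = b"example-shared-secret"
EXPECTED_ISS = "https://cognito-idp.REGION.amazonaws.com/POOL_ID_PLACEHOLDER"
EXPECTED_AUD = "APP_CLIENT_ID_PLACEHOLDER"
# Group -> permissions. Viewers may only look at the admin page; editors may also change settings.
GROUP_PERMISSIONS = {
    "admin-viewers": {"admin:view"},
    "admin-editors": {"admin:view", "admin:settings:edit"},
}
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    """Mint a test token so the verifier below can be exercised (demo signing only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_id_token(token: str) -> dict:
    """Check signature first, then expiry, issuer, audience and token_use; return claims."""
    head, body, sig = token.split(".")  # ValueError on a malformed token
    # Algorithm is fixed here, not read from the header, so a forged header cannot downgrade it.
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")  # never act on claims from an unverified token
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if claims.get("token_use") != "id":  # Cognito access tokens carry "access" here
        raise ValueError("not an ID token")
    return claims

def permissions_for(claims: dict) -> set:
    # Union of permissions over the user's groups; Cognito lists them in the 'cognito:groups' claim.
    perms = set()
    for group in claims.get("cognito:groups", []):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms

def is_allowed(token: str, permission: str) -> bool:
    try:
        return permission in permissions_for(verify_id_token(token))
    except ValueError:
        return False
```

`is_allowed` is the server-side decision point: only a token that verifies and whose groups grant the permission passes, so an expired, tampered, or access (rather than ID) token is refused.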
