使用不记名令牌进行身份验证(≠ 授权) [英] Using a bearer token for authentication(≠ authorization)

问题描述

使用Authorization:bearer [token]的请求可以用于认证吗?

A request using the Authorization: bearer [token] can be used for authentication?

或

我们是否应该使用另一种方法来验证客户端并发出令牌，然后像 OAuth2 那样使用该令牌作为不记名令牌?为什么流行的 Web 服务(例如 Github、AWS、Google ..)使用其他方法(如 AWS 所做的:Authorization: AWS4-HMAC-SHA256 Credential=...)来验证客户端.问题的关键是:以下流程中是否有任何有价值的东西或违反标准.

Should we use another method to authenticate a client and issue a token then use the token as a bearer token like OAuth2 does? Why popular web services(e.g. Github, AWS, Google..) uses other method(like AWS does: Authorization: AWS4-HMAC-SHA256 Credential=...) to authenticate a client. The point of the question is: is there any valunerables or violation of standards in the following flow or not.

我想使用以下流程:

客户端:类似于 Twitter 客户端.
服务器:类似于 Twitter API.

the client: which is like Twitter client.
the server: which is like Twitter API.

1. 客户端生成令牌(加密的用户 ID、密码等).
2. 客户端使用Authorization:bearer [token]向服务器请求资源.
3. 服务器解密令牌并验证客户端.
4. 服务器响应资源.

我阅读了以下 RFC，但我没有找到我不应该或应该使用上述流程的任何理由.

I read the following RFC but I haven't found any reason why I shouldn't or should use the flow above.

https://www.rfc-editor.org/rfc/rfc7235
https://www.rfc-editor.org/rfc/rfc6750

谢谢

推荐答案

我建议坚持 OAuth2 规范.如果您想使用用户名和密码来获取令牌，您应该使用客户端凭据"流程.这意味着您需要一个https"端点，用户可以通过以下 POST 请求获取访问令牌:

I would recommend to stick to the OAuth2 spec. If you want to use a username and password to obtain a token you should use the "Client Credentials" flow. That means you need an "https" endpoint where the user can obtain an access token through the following POST request:

POST /token HTTP/1.1
Authorization: Basic base64_encode("username:password")
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

如果客户端凭据有效，端点应在服务器上创建访问令牌.在令牌旁边，您应该存储谁获得了令牌以及令牌过期时的时间戳.因此，令牌不应是像您的示例中那样加密的用户名和密码，而应该是分配给用户的随机字符串.

If the client credentials are valid the endpoint should create an access token on the server. Beside the token you should store who has obtained the token and a timestamp when the token expires. So the token should not be the username and password encrypted like in your example instead it should be a random string which is assigned to the user.

然后客户端可以使用访问令牌来访问 API 的受保护部分.如果您的 API 收到不记名令牌，您可以在令牌表中查找分配的用户.

The access token can then be used by the client to access protected parts of your API. If your API receives an bearer token you can look up the assigned user in your token table.

正如在 OAuth2 中所说的那样，您通常会通过 API 提供商之前获得的应用密钥和机密获得访问令牌.这样做的好处是用户不需要与第 3 方应用程序共享任何凭据.但是否需要这取决于您的用例.

That being said in OAuth2 you typically get an access token though an app key and secret which you have obtained previously by the API provider. This has the advantage that the user does not need to share any credentials with an 3rd party app. But whether this is needed depends on your use case.

这篇关于使用不记名令牌进行身份验证(≠ 授权)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！