OAuth 2.0 Authorization Server and Access Tokens


Question

I'm currently studying OAuth 2.0 and OpenID Connect and I have a doubt regarding the Authorization Server and Access Tokens. The spec defines the Authorization Server as:

The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

So as I understood it, the client redirects the user to the Authorization Server, the user authenticates at the Authorization Server, and the Authorization Server issues an access token to the client.

Now here comes a thing I couldn't understand until now. There are two possible ways to understand this and I'm trying to get the right one:

1. The Authorization Server issues the access token containing the user's claims. The access token with the user's claims is sent with each request to the resource server, and the resource server is able to read those claims and, based on them, allow or deny access to resources.

2. The Authorization Server issues the access token already containing explicit instructions to allow or deny access to resources on the resource server. The resource server thus just reads this information to see if the user can do something or not.

The first option seems to be the right way to understand the thing. In that case the Authorization Server manages the user's claims and issues tokens containing just the claims (things like birthday, age, role and so on). This, in turn, gives another responsibility to the resource server: deciding, based on claims, whether a resource is available or not.

The second option is much more limited. Instead of just issuing claims, the authorization server would need to issue an authorization for each resource; the token could get quite heavy, and managing this complexity seems hard.

So is my understanding correct? The Authorization Server is thus responsible for managing user claims and issuing tokens containing just the claims? On the other hand, the resource server is responsible for allowing or denying access to resources based on the claims?

Answer

An access token does NOT contain a user's claims, but an ID token does.

An authorization server is responsible for managing access tokens, but it does not necessarily have to manage users' claims. There should be a separate server that manages users' claims.

No. 2 sounds weird, because the existence of an access token means "authorization has been granted."

OAuth 2.0 (RFC 6749) is a specification for authorization. OpenID Connect is a specification for authentication. Don't be confused.
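The split the answer describes, as an added example that is not part of the original question or answer: a toy authorization server mints an ID token (identity claims such as name and email, audience = the OIDC client) and a separate access token (audience = the resource server, carrying only a scope). The resource server verifies signature, issuer, audience and expiry, then decides on scope alone; it never looks at profile claims, and an ID token presented as a bearer token is rejected on audience. The signing key, issuer, client ID, resource URL, user and scope names are all constructed for this example. HS256 with a shared secret is used only so the code runs on the standard library; a real resource server would verify an asymmetric (RS256/ES256) signature against the authorization server's published JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values: a symmetric key shared between the authorization
# server (AS) and the resource server (RS). Real deployments use RS256/ES256
# with the AS publishing public keys via JWKS; HS256 keeps this stdlib-only.
SIGNING_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://as.example"            # hypothetical authorization server
CLIENT_ID = "photo-app"                  # hypothetical OIDC client
RESOURCE = "https://api.example/photos"  # hypothetical resource server


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims):
    """AS side: mint an HS256 JWT over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def issue_tokens(user_id, granted_scopes, now=None):
    """What the AS returns from its token endpoint after the user has consented.

    The ID token carries identity claims for the *client* (aud = CLIENT_ID).
    The access token carries only what the *resource server* needs to decide
    (aud = RESOURCE, scope); identity details are deliberately left out.
    """
    now = int(time.time()) if now is None else now
    id_token = sign_jwt({
        "iss": ISSUER, "sub": user_id, "aud": CLIENT_ID,
        "iat": now, "exp": now + 600,
        "name": "Alice Example", "email": "alice@example.org",  # constructed identity claims
    })
    access_token = sign_jwt({
        "iss": ISSUER, "sub": user_id, "aud": RESOURCE,
        "iat": now, "exp": now + 600,
        "scope": " ".join(granted_scopes),
    })
    return {"id_token": id_token, "access_token": access_token, "token_type": "Bearer"}


def verify_jwt(token, expected_aud, now=None):
    """Check structure, alg, signature, issuer, audience and expiry; return claims or raise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:  # an ID token used as a bearer token fails here
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def authorize_request(access_token, required_scope, now=None):
    """RS side: allow the operation only if the token is valid for this resource
    and carries the required scope. No user-profile claims are consulted."""
    try:
        claims = verify_jwt(access_token, expected_aud=RESOURCE, now=now)
    except ValueError:
        return False
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    t = issue_tokens("user-123", ["photos:read"])
    print("read allowed :", authorize_request(t["access_token"], "photos:read"))
    print("write allowed:", authorize_request(t["access_token"], "photos:write"))
    print("id token as bearer:", authorize_request(t["id_token"], "photos:read"))
```

The point to take from the two `verify_jwt` calls is the audience check: the same issuer signs both tokens, but each is bound to the party meant to consume it, so a client cannot replay the ID token against the API and the API never sees (or has to protect) the user's email or name.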

