OAuth 2.0 resource servers: token validation in a distributed environment


Problem description

I'm going to make a REST web service with many resource servers (implemented in different programming languages) and one authorization server.

My question is about token validation in the resource servers. Let's say that a resource server cannot connect to the database and check the token info there.

I have read this thread: OAuth v2 communication between authentication and resource server (http://stackoverflow.com/questions/6255104/oauth-v2-communication-between-authentication-and-resource-server)

And I like the idea of making an API in the authorization server which will be responsible for "resolving" tokens. For example: https://oauth.example.tdl/tokeninfo?token=tokentovalidate

So my question: should the /tokeninfo resource be "public"? I mean, everyone who knows this endpoint will be able to validate tokens.

Wouldn't it be better to make this "private"? I mean https://oauth.example.tdl/tokeninfo?access_token=valid_token&token=tokentovalidate

But then my resource server will have to authorize itself before validating tokens. Too many requests, I think.

If you know more strategies to validate tokens between resource server and authorization server - tell me, because I'm pretty new to OAuth.

Recommended answer

Should the token verification API be public?

In terms of authentication, it should of course be an authenticated API, and the access token that you use to call it is the access token you want to verify. RFC 6750 explains how to do that. Typically, the token is sent in the Authorization header or as a URI query parameter.

Alternatively, for more security, you require the client id and client secret to secure the call, either by passing them as parameters or by obtaining an access token for the client using the Client Credentials Grant.

Be careful what information you return from the API. You should only return information that does not require a specific scope that has to be authorized by the resource owner.

For a real life example, see the Google implementation or the implementation from The Identity Hub. For the Facebook implementation, see the section "Confirming identity" on Manually Build a Login Flow.
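The two ways of authenticating the /tokeninfo call that the answer describes (the bearer token under test as the credential, per RFC 6750, or the resource server's own client id and secret) together with the scope filter on what the endpoint returns, as an added example. This is not code from the question, the answer, or any of the implementations the answer links to. It assumes an in-memory token table with constructed placeholder tokens and secrets, HTTP Basic for the client credentials, a scope named `profile` gating the `email` claim, and a `{"active": false}` reply for unknown or expired tokens (the shape later standardised by RFC 7662); the resource server calls the handler directly in place of an HTTPS request.

```python
import base64
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample data (placeholders, not from the page): fixed clock, three tokens,
# one resource server registered as a confidential client.
NOW = 1_700_000_000
TOKENS = {
    "tok-alice": {"client_id": "web-app", "sub": "alice", "scope": {"read", "profile"},
                  "exp": NOW + 3600, "email": "alice@example.test"},
    "tok-bob": {"client_id": "mobile-app", "sub": "bob", "scope": {"read"},
                "exp": NOW + 3600, "email": "bob@example.test"},
    "tok-expired": {"client_id": "web-app", "sub": "carol", "scope": {"read"},
                    "exp": NOW - 10, "email": "carol@example.test"},
}
RESOURCE_SERVERS = {"orders-api": "placeholder-secret"}  # client_id -> client_secret
# Claims returned only if the token carries the resource-owner-authorized scope (assumed name).
SCOPE_GATED = {"email": "profile"}


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def extract_bearer_token(headers, query_string=""):
    """RFC 6750: 'Authorization: Bearer <token>' (section 2.1), falling back to
    the 'access_token' URI query parameter (section 2.3)."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    return (parse_qs(query_string).get("access_token") or [None])[0]


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials for a confidential client (client id and secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def authenticate_client(headers):
    """Check Basic client credentials against the registry; returns client_id or None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        client_id, _, secret = base64.b64decode(value).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = RESOURCE_SERVERS.get(client_id)
    if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return client_id


def tokeninfo(headers, query_string="", now=NOW):
    """Authorization-server handler for /tokeninfo. The call is always authenticated:
    either the bearer token being verified is itself the credential, or a registered
    resource server authenticates with Basic client credentials and passes ?token=..."""
    client_id = authenticate_client(headers)
    if client_id is not None:
        token = (parse_qs(query_string).get("token") or [None])[0]
    else:
        token = extract_bearer_token(headers, query_string)
    if token is None:
        # RFC 6750 section 3: a bare challenge when no token was presented at all.
        return Response(401, {}, {"WWW-Authenticate": 'Bearer realm="tokeninfo"'})
    record = TOKENS.get(token)
    if record is None or record["exp"] <= now:
        if client_id is not None:
            # A trusted resource server asked about a third party's token: report it inactive.
            return Response(200, {"active": False})
        return Response(401, {}, {"WWW-Authenticate":
                                  'Bearer realm="tokeninfo", error="invalid_token"'})
    # Only claims that need no resource-owner scope are returned unconditionally.
    body = {"active": True, "client_id": record["client_id"], "sub": record["sub"],
            "scope": " ".join(sorted(record["scope"])), "exp": record["exp"]}
    for claim, needed_scope in SCOPE_GATED.items():
        if needed_scope in record["scope"]:
            body[claim] = record[claim]
    return Response(200, body)


def resource_server_authorize(request_headers, required_scope, use_client_credentials=False):
    """Resource-server side: take the bearer token off the incoming request, ask the
    authorization server about it, and accept only an active token carrying required_scope."""
    token = extract_bearer_token(request_headers)
    if token is None:
        return None
    if use_client_credentials:
        auth = basic_auth_header("orders-api", RESOURCE_SERVERS["orders-api"])
        reply = tokeninfo({"Authorization": auth}, "token=" + token)
    else:
        reply = tokeninfo({"Authorization": "Bearer " + token})
    if reply.status != 200 or not reply.body.get("active") \
            or required_scope not in reply.body["scope"].split():
        return None
    return reply.body
```

The bearer variant answers the "public endpoint" worry without an extra round trip: a caller learns nothing about a token it does not already hold, and a bad token gets the RFC 6750 `invalid_token` challenge. The client-credentials variant is what the question calls "private"; it lets the resource server ask about tokens it merely received, so the handler distinguishes "your call is unauthenticated" (401) from "the token you asked about is not active" (200 with `active: false`). In both paths `email` is only disclosed when the token was granted the `profile` scope, which is the answer's last point.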

