Oauth2 for Authorization and Authentication?


Question

Can Oauth2 be used for authorization and authentication?

As I understand it, Oauth2 authorizes a consumer application to access user information from providers (e.g. Facebook, Google, Twitter, etc).

But can Oauth2 be used to authenticate a user? For example, suppose we have an app comprised of native mobile frontends and a backend api - can Oauth2 be used to validate and maintain authentication on top of the authorization from providers like Facebook, Google, Twitter, etc?

If yes, how? For example, do we persist the auth token and use it as a session token? Or is OpenId Connect required for authenticating users to a "consumer" app via third-party providers?

Recommended answer

OAuth 2.0 in its spec-compliant form cannot be used for user authentication. Having said that, one can develop an extension to OAuth 2.0 that would allow for user authentication. Some providers, e.g. Facebook, have done just that.

But there is also a standardized extension of OAuth 2.0 that allows for user authentication, called OpenID Connect. OpenID Connect is required indeed if you want to authenticate users to a consumer app via 3rd party providers in a standardized way. The token format of OpenID Connect is a JWT and the token itself is called id_token. You may use an id_token as a session token.

For an extensive article on OAuth 2.0 and user authentication see http://oauth.net/articles/authentication/
