Use cases of OAuth2.0

I am building a multi-tenant SaaS (software as a service) architecture. I have to build an authentication system for the system.

Based on my research, I think I need to build an OAuth2.0-based authentication system with bearer tokens carried as JWT tokens.

After reading a lot about OAuth2.0 and how to build an OAuth2.0 server, I still didn't understand the full concept of OAuth, and I am confused about whether I need it or whether I need some other authentication system.

What my system needs is this: we will provide an SDK to all customers, each customer will have an Application Id and a secret key, and using the SDK the client will connect to his application in our system.

The application ID will map the customer to his application in our system, and the client secret key will authenticate the client in the application. Do I still need to build one based on OAuth2.0, or can I build my own authentication system as I need?

What are the use cases of OAuth2.0? When do we not need to implement it?

First of all, it is clearly stated in OAuth authentication:

OAuth 2.0 is not an authentication protocol.

Authentication in the context of a user accessing an application tells an application who the current user is and whether or not they're present. A full authentication protocol will probably also tell you a number of attributes about this user, such as a unique identifier, an email address, and what to call them when the application says "Good Morning".

However, OAuth tells the application none of that.
OAuth says absolutely nothing about the user, nor does it say how the user proved their presence or even if they're still there.
As far as an OAuth client is concerned, it asked for a token, got a token, and eventually used that token to access some API. It doesn't know anything about who authorized the application or if there was even a user there at all.

There is a standard for using OAuth for user authentication: OpenID Connect, which is compatible with OAuth2.

The OpenID Connect ID Token is a signed JSON Web Token (JWT) that is given to the client application alongside the regular OAuth access token.
The ID Token contains a set of claims about the authentication session, including an identifier for the user (sub), the identifier for the identity provider who issued the token (iss), and the identifier of the client for which this token was created (aud).

In Go, you can look at coreos/dex, an OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with Pluggable Connectors.
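As an added example (not code from the answer or from dex), here is what a client has to do with the ID Token claims described above before it may treat sub as "who the user is": verify the signature, then check iss, aud and exp. It assumes an HS256-signed token keyed with the client secret, a single-string aud, and constructed issuer, client and key values.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// IDClaims holds the ID Token claims the answer names (sub, iss, aud) plus exp.
// Assumption: aud is a single string (OIDC also allows an array of audiences).
type IDClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding
func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// SignHS256 mints an HS256-signed compact JWT; it is used here only to construct sample tokens.
func SignHS256(c IDClaims, key []byte) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(hs256(key, input))
}
// VerifyIDToken is what the client must do before trusting "who the user is":
// verify the signature, then iss, aud and exp. Only then is sub meaningful.
func VerifyIDToken(tok string, key []byte, iss, aud string, now int64) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return "", errors.New("bad signature") // also rejects alg=none and tampered claims
	}
	var c IDClaims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("bad payload")
	}
	if c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return "", errors.New("wrong issuer, wrong audience, or expired")
	}
	return c.Sub, nil
}
```

A real relying party would verify an RS256 signature against the issuer's published keys instead of a shared secret; the claim checks stay the same.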