我们应该比较访问令牌和 ID 令牌中的 'sub' 声明吗?
Should we compare 'sub' claim in Access Token and ID Token?
如果我们在 OIDC 流程中获得如下所示的 ID 令牌和访问令牌:
ID 令牌:
{
"iss": "https://server.example.com",
"sub": "24400320",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"auth_time": 1311280969,
"acr": "urn:mace:incommon:iap:silver"
"amr": ["mfa", "pwd","otp"]
}
访问令牌:
{
"iss": "https://cas.nhs.uk",
"sub": "https://fhir.nhs.uk/Id/sds-role-profile-id"|[SDSRoleProfileID]",
"aud": "https://provider.thirdparty.nhs.uk/GP0001/STU3/1",
"exp": 1469436987,
"iat": 1469436687,
"reason_for_request": "directcare",
"requested_scope": "patient/*.read",
"requesting_system": "https://fhir.nhs.uk/Id/accredited-system|[ASID]",
"requesting_organization": "https://fhir.nhs.uk/Id/ods-organization-code|[ODSCode]",
"requesting_user": "https://fhir.nhs.uk/Id/sds-role-profile-id"|[SDSRoleProfileID]"
}
Id 令牌中的 'sub' 声明应与访问令牌中的 'sub' 声明匹配是否是一个有效的假设?或者它们都是单独的表示形式?
我们是否甚至在资源服务器上执行此类验证以确保它们成对并针对同一用户会话发布?
根据 Okta 的文档,the 'sub' claim in the access token is, by default, either the user's ID (if using an OAuth flow with a user scope available, like Authorization Code flow) in Okta OR the application's client ID (if using Client Credentials flow) in Okta. However, if you are using a custom authorization server, the value for 'sub' can be configured。
同样,the 'sub' claim in the ID token will be the user's ID in Okta. Unlike the access token, this value cannot be modified as OIDC standard 要求此值在发行人中是本地唯一的。
为什么您的资源服务器会与 ID 令牌交互? ID 令牌用于 Authentication 用例,而访问令牌用于 Authorization 用例,如此处所述:https://developer.okta.com/docs/guides/validate-access-tokens/go/overview/#access-tokens-vs-id-tokens。如果您希望使用 OAuth 令牌保护资源服务器,您将需要依赖访问令牌。
如果我们在 OIDC 流程中获得如下所示的 ID 令牌和访问令牌:
ID 令牌:
{
"iss": "https://server.example.com",
"sub": "24400320",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"auth_time": 1311280969,
"acr": "urn:mace:incommon:iap:silver"
"amr": ["mfa", "pwd","otp"]
}
访问令牌:
{
"iss": "https://cas.nhs.uk",
"sub": "https://fhir.nhs.uk/Id/sds-role-profile-id"|[SDSRoleProfileID]",
"aud": "https://provider.thirdparty.nhs.uk/GP0001/STU3/1",
"exp": 1469436987,
"iat": 1469436687,
"reason_for_request": "directcare",
"requested_scope": "patient/*.read",
"requesting_system": "https://fhir.nhs.uk/Id/accredited-system|[ASID]",
"requesting_organization": "https://fhir.nhs.uk/Id/ods-organization-code|[ODSCode]",
"requesting_user": "https://fhir.nhs.uk/Id/sds-role-profile-id"|[SDSRoleProfileID]"
}
Id 令牌中的 'sub' 声明应与访问令牌中的 'sub' 声明匹配是否是一个有效的假设?或者它们都是单独的表示形式?
我们是否甚至在资源服务器上执行此类验证以确保它们成对并针对同一用户会话发布?
根据 Okta 的文档,the 'sub' claim in the access token is, by default, either the user's ID (if using an OAuth flow with a user scope available, like Authorization Code flow) in Okta OR the application's client ID (if using Client Credentials flow) in Okta. However, if you are using a custom authorization server, the value for 'sub' can be configured。
同样,the 'sub' claim in the ID token will be the user's ID in Okta. Unlike the access token, this value cannot be modified as OIDC standard 要求此值在发行人中是本地唯一的。
为什么您的资源服务器会与 ID 令牌交互? ID 令牌用于 Authentication 用例,而访问令牌用于 Authorization 用例,如此处所述:https://developer.okta.com/docs/guides/validate-access-tokens/go/overview/#access-tokens-vs-id-tokens。如果您希望使用 OAuth 令牌保护资源服务器,您将需要依赖访问令牌。