
        Issuing JWT token myself versus using IdentityServer4 (OIDC) for Web API

                  Problem description


                  https://identityserver4.readthedocs.io/en/release/intro/support.html

                  I currently issue tokens myself in my web api with JwtSecurityToken and I use standard ASP.NET Core middleware calling AddJwtBearer to verify the tokens. It works fine.

                  What advantage will using OpenID Connect (through IdentityServer4) give me over the approach described above? How do I answer for myself the question "Do I need OpenID Connect?"

                  From my basic understanding of OpenID Connect, it is used to allow third parties to access your API. But I make the API for myself and not for third parties, and I don't know why I should favor IdentityServer/OpenIddict over my simple approach.

                  I read that if I want single sign-on I should use this, but JWTs themselves aren't bound to any specific domain and I can use single sign-on with just pure JWTs (they're self-contained).

                  I understand it implements some kind of standard for issuing tokens (a protocol). It might be good if I ever wish to expose some API to third parties. But for internal APIs? Is it worth using it?

                  This is my current auth flow (from https://jonhilton.net/2017/10/11/secure-your-asp.net-core-2.0-api-part-1---issuing-a-jwt/)

                  What I really want to implement to secure my Web API:

                  • Login
                  • Logout (invalidate token?)
                  • No consent screen (want to have API only for myself), auth happens in the background in my native desktop, mobile, web app (no redirection)
                  • Remember me feature (refresh tokens?)

                  Could someone clear up the fuzzy picture of OIDC/OAuth2 for me? I.e. give me some disadvantages of going my own way (implementing my own flow) and advantages of using OIDC in place of my own flow.

                  What will it save me from doing later on (on the client-side for example), and what will not. And most particularly, is it good to start every project using standard flows like OIDC? Will it somehow benefit me in the future?

                  Solution

                  In any case you will implement OAuth2. Think of Oidc as an extension of OAuth2. The most important thing to keep in mind is separation of concerns.

                  Forget Oidc, Identity Server 4 is all about authentication: "who is the user"? Consider Google login. When a user logs in for the first time, the application doesn't know the user, it only knows that Google does.

                  Authorization takes place on a different level and isn't really a concern of IdentityServer. For that you could take a look at PolicyServer.

                  So you'll need to keep the user database separated from the application database. This doesn't mean you need another database, just don't mix contexts. If you have a relation from the "business context" to e.g. the user table in the "Identity context" then you are going to have a problem eventually.

                  In your setup your web api is both the resource and the identity provider. This means that every new web api you create has to be implemented as both resource and identity provider. For maintainability you could create a separate web api that acts as an identity provider, while the web api is a resource only. You can implement something like that as long as all apps can read the token.

                  The same counts for the front. Why should the front have anything to do with the user? All it needs to do is pass the token in order to get the user authorized. In case of IdentityServer, the app contacts it to verify the user and receives a token. It knows nothing about credentials. This is more secure. The client app can be compromised. The credentials can be intercepted.

                  Having single apps with a specific concern makes things more maintainable. And it is quite easy to add a new resource without having to code when you use IdentityServer. Just add the configuration. It also allows you to add other flows in the future that are not needed at this time. And as a side note, the consent screen is optional.

                  The bonus is that you can implement SSO, where in your setup that could be harder, if not impossible.

                  So you don't have to use IdentityServer, nor Oidc. Your setup may be just fine. But if you build something, keep separation of concerns in mind.
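
The two arrangements contrasted in the answer, shown side by side as an added example that is not code from the question or the answer. It assumes the self-issued tokens are HMAC-signed with a shared key; `ResourceApiAuth`, `https://identity.example.test` and `orders-api` are hypothetical placeholders.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper class; call one of the two methods from ConfigureServices.
public static class ResourceApiAuth
{
    // Setup from the question: the API mints its own tokens, so it holds the
    // signing key. With a symmetric key, every further API that validates these
    // tokens needs the same key and can therefore also mint tokens.
    public static void AddSelfIssuedJwt(IServiceCollection services, string signingKey)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = "orders-api",        // placeholder
                    ValidateAudience = true,
                    ValidAudience = "orders-api",      // placeholder
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes(signingKey))
                };
            });
    }

    // Setup from the answer: the API is a resource only and holds no signing
    // secret. The handler reads {Authority}/.well-known/openid-configuration,
    // fetches the provider's public keys and validates issuer, audience,
    // lifetime and signature against them.
    public static void AddResourceOnlyJwt(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://identity.example.test"; // placeholder
                options.Audience = "orders-api";                     // placeholder
                options.RequireHttpsMetadata = true;
                options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(1);
            });
    }
}
```

With the second method, adding another resource API means registering it with the identity provider and repeating this configuration with a different audience; no key material is copied between services.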
