客户端使用OAuth2的API网关的客户端凭据

huangapple go评论79阅读模式
英文:

Client credentials for a API Gateway using OAuth2

问题

我正在尝试使用OAuth2.0来理解微服务架构。我已经理解了OAuth2.0的工作原理。我看到其中一种授权类型是客户端凭据,它需要客户端ID和客户端秘钥,借助这些信息它将生成一个访问令牌。

这可能是一个愚蠢的问题,但我仍然不明白如何将其集成到我的应用程序中。

我有10个客户端尝试调用我的API网关。

客户是否应该拥有不同的客户端凭据?他们需要调用授权服务器来生成访问令牌吗?还是他们将客户端凭据发送到API网关以生成访问令牌并继续进行?

客户端凭据应该存储在哪里?

请帮助我理解。

非常感谢。

英文:

I'm trying to understand Microservice architecture using OAuth2.0. I've understood about how OAuth2.0 works. I saw one of the grant type is Client credentials, which it requires client id and client secret key and with that help it will generate a access token.

This may be a stupid question, but still I'm not able to understand how to integrate it into my application.

I've 10 clients who are trying to call my API gateway.

Do the customers should have different client credentials? Do they need to call the Authorization server to generate the access token? or do they send the client credentials to the API gateway to generate the access token and proceed further?

Where should be the client credentials stored?

Please help me in understanding.

Thank you very much.

答案1

得分: 1

什么类型的客户?

  • 网页/移动界面?
  • 来自业务合作伙伴的后端 API 客户?

无论哪种情况:

  • 客户将从授权服务器获取令牌
  • API / 网关只会接收令牌 - 永不接收凭据

对于后端 API 客户,您需要在授权服务器中为每个客户端配置客户端 ID 和密钥,然后将其作为其入职的一部分发送给每个客户。

英文:

What type of clients are they?

  • Web / Mobile UIs?
  • Back end API clients from business partners?

In either case:

  • The client will get tokens from the Authorization Server
  • The API / Gateway will only receive tokens - never credentials

For back end API clients you would configure a client id and secret for each of them in the Authorization Server, then send it to each customer as part of onboarding them.

huangapple
  • 本文由 发表于 2020年9月3日 12:39:06
  • 转载请务必保留本文链接:https://go.coder-hub.com/63716952.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定