基本身份验证 + JWT vs. OAuth2

huangapple go评论78阅读模式
英文:

Basic Auth + JWT vs Oauth2

问题

我有一个由微服务组成的应用程序:网关 + 服务发现 + 微服务。
我现在正在将Spring安全性引入Zuul网关,以便在成功登录后返回带有授权信息的JWT。因此,网关充当授权和认证服务器。我认为这样生态系统是安全的,因为网关不会允许未经授权的访问端点。

我采用这种流程是因为我不想逐个配置每个微服务。这是一个单一的安全入口点。

现在,我已经阅读了有关OAuth的内容,并在演示应用程序中进行了实现,但我不太确定OAuth2是否会让我的应用程序更加便利,还是会增加不必要的复杂性。我读到Spring授权服务器尚未实现,所以我认为我需要使用Okta或Keycloak。

与使用网关 + 基本认证 + JWT 相比,实施OAuth2的优势是什么?

作为附加说明:
该应用由不同的具有不同UI的应用组成,我将通过用户的组来区分用户可以访问哪个产品。

非常感谢您的建议。

英文:

I have an application consisting in microservices: gateway + discovery services + microservices.
Rigth now I'm implementing Spring security to the zuul gateway so after a succesful login it returns a JWT with the grants. So the Gateway acts as an authorization and authentication server. I think this ways the ecosistem is secure because the gatweay wont allow any unauthorized access to the endpoints.

I'm applying this flow because I dont want to indivually config every microservice. This is a single secure entry point.

And now, I've read about Oauth and made an implementation in a demo app but I dont understand correctly if Ouath2 will make easier my app or will add unnecesary complexity. I read that Spring Auth Server is not yet implemented so I think I would need to use Okta or Keycloack.

What would be the advantage of implementing Oauth2 vs Gateway + Basic Auth + JWT?

As additional note:
The app consists of different apps with different UI's, I will distinguish with user can access to what product by its group.

Thank you so much for your advice.

答案1

得分: 1

如果我理解正确,您正在使用JWT而没有使用OAuth2?

实施OAuth2与使用网关+基本身份验证+JWT相比的优势是什么?

OAuth2是一种支持应用程序中特定流程的访问委托协议。OAuth2标准化了用户或其他Web应用程序获取令牌(例如JWT)的方式。因此,在您的情况下,可以理解为以标准化的方式生成JWT令牌。

因此是否有任何好处呢?这取决于情况 基本身份验证 + JWT vs. OAuth2

拥有OAuth2授权服务器使您能够将一些第三方应用程序集成到您的安全性中(仅当它们支持OAuth2/OpenID时)。如果这是您的情况(或将成为您的情况),那么您应该考虑在您的应用程序中使用OAuth2。

您当前的设置(基本身份验证+JWT)可能存在一些安全问题。如果我理解正确,您正在将用户凭据(用户名+密码)发送到授权头,并交换它们以获取JWT?如果用户使用公共客户端(带有登录表单的网页)登录,那么您只是使用了OAuth2 +密码授权类型流程,这被认为是严重的安全问题(https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications)。

您应该问的问题是,使用基本身份验证存在哪些潜在问题,以及如何通过OAuth2解决这些问题。

现在,我已经了解了OAuth,并在演示应用程序中进行了实现,但我不太明白OAuth2是否会使我的应用程序更容易,还是会增加不必要的复杂性。我看到Spring Auth Server尚未实施,所以我认为我需要使用Okta或Keycloak。

您不必使用Okta或Keycloak。您可以在Spring中创建自己的授权服务器(https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/html5/)。这可以被视为微服务架构中的另一个服务,负责授权(例如,发放令牌)。可选地,您可以在其中添加用户管理API(管理对系统其他部分的权限),并将其从网关中删除。

英文:

If I understand correctly you are using JWT without OAuth2?

> What would be the advantage of implementing Oauth2 vs Gateway + Basic
> Auth + JWT?

OAuth2 is an access delegation protocol that supports specific flows in your application. OAuth2 standarizes how your token (ex. JWT) is obtained by user or other web application. So in your case it can be understood as generating JWT tokens in a standarized way.

Are there any benefits because of that? It depends 基本身份验证 + JWT vs. OAuth2

Having an OAuth2 Authorization Server enables you to integrate some 3rd party apps with your security (only if they support OAuth2/OpenId). If it is (or will be) your case then you should consider using OAuth2 in your application.

Your current setup (Basic Auth + JWT) may have some security concerns. If I understood you correctly you are sending user credentials (username + password) in Authorization header and exchanging them for JWT? If users log in using public client (web page with login form) then you are just using OAuth2 + password grant type flow which is considered as serious security concern (https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications)

The question you should ask is what are potentials problems with using Basic Authentication and how those problems can be solved by OAuth2.

> And now, I've read about Oauth and made an implementation in a demo
> app but I dont understand correctly if Ouath2 will make easier my app
> or will add unnecesary complexity. I read that Spring Auth Server is
> not yet implemented so I think I would need to use Okta or Keycloack.

You don't have to use Okta or Keycloak. You can create your own Authorization Server in Spring (https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/html5/). This can be treated as another service in you microservice architecture responsible for authorization (issuing tokens for example). Optionally you could add there user management API (managing priviliges to other parts of your system) and get rid of them from gateway.

答案2

得分: 0

在微服务架构中,我强烈建议您拥有一个独立的授权微服务,用于执行授权任务。

关于OAuth与JWT的问题,OAuth2是一个协议,定义了身份验证令牌的使用标准。而JWT实际上是一种令牌格式。您可以在OAuth2中使用JWT,也可以使用SAML2的更标准的令牌格式。

英文:

In a microservices architecture, I would strongly recommend you to have an individual Authorization microservices, to perform the authorization task.

Coming to your question of OAuth vs JWT. OAuth2 is a protocol which defines standards for how the authentication tokens have to be used. Whereas JWT is actually a token format. You could use JWT in OAuth2 as well or the more standard token format of SAML2

答案3

得分: 0

如果不使用JWT,当您的系统变得很大时,越来越多的身份验证检查需要由身份验证服务器处理。
使用JWT,您可以在令牌的载荷中导出用户详细信息。

英文:

If not use JWT, when your system become large, more and more Auth check need to be handled by Auth Server.
With JWT, you can export user detail in the payload of token

huangapple
  • 本文由 发表于 2020年10月17日 12:23:46
  • 转载请务必保留本文链接:https://go.coder-hub.com/64398982.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定