OAuth 2.0 token introspection questions

Question

I'm trying to understand token introspection as I need to implement token introspection for OAuth 2.0. But authentication is so hard to understand... So I've got a couple of questions:

(1) As far as I understand, a post-request (with the access token) is sent to the IP. This then returns whether the access token is valid or not, as well as further information such as the user name.
This looks like the official spec to me: https://www.rfc-editor.org/rfc/rfc7662 It says a POST request is needed to validate the access token. Did I understand that correctly?

(2) This looks like the corresponding dependency, is it? using IdentityModel.AspNetCore.OAuth2Introspection
What's the difference from Microsoft.AspNetCore.Authentication.JwtBearer?

(3) According to the spec only the access token is required (https://www.rfc-editor.org/rfc/rfc7662#section-2.1).

This example does not pass it, but the client ID and the client secret instead:
https://github.com/IdentityModel/IdentityModel.AspNetCore.OAuth2Introspection

services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
    .AddOAuth2Introspection(options =>
    {
        // base address of the token service; the introspection endpoint is
        // located from its discovery document unless IntrospectionEndpoint is set
        options.Authority = "https://base_address_of_token_service";
        // credentials this API uses to authenticate itself to the introspection endpoint
        options.ClientId = "client_id_for_introspection_endpoint";
        options.ClientSecret = "client_secret_for_introspection_endpoint";
    });

Why not?

(4) If I set the config right, .Net Core will do the POST request (for every incoming request to my API) for me automatically, right? (I also added the [Authorize] attribute)

(5) How can I get the user context?

(6) I implemented a small example but get a 500. I do not see any error output. How can I log the errors?

Answer 1

Score: 1

The following are some of my understanding and opinions:

(1) The token introspection endpoint needs to be able to return information about a token, so you will most likely build it in the same place that the token endpoint lives. The request will be a POST request containing just a parameter named "token".

(2) JWTs are typically validated locally on the resource server.

It's a technical detail that IdentityServer can also validate JWTs at the introspection endpoint. That could be used e.g. when the resource server does not have an appropriate JWT library (and you don't want to store reference tokens on the IS side).

(3) In my opinion, this appears to be a configuration requesting an access token. Access tokens are the thing that applications use to make API requests on behalf of a user. The access token represents the authorization of a specific application to access specific parts of a user’s data. The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user. Please check this link: Access Tokens.

(4) If you add the [Authorize] attribute to the method that requires authorization and the configuration is correct, the .Net Core app will automatically request authorization from the authorization server with your information.

(5) Do you want to access end user context on resource server? Maybe this link can help you.

(6) For logging error messages, please refer to this link: How do I log authorization attempts in .net core.

Hope this can help you.
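The exchange that points (1) and (3) of the question and of this answer discuss, written out with both sides in one process. This is an added example, not code from the original post, from IdentityServer or from IdentityModel; the introspection client, its credentials, the token handles and the token store are constructed for illustration, while the request and response shapes follow RFC 7662 sections 2.1 to 2.3.

```python
"""RFC 7662 token introspection, both sides, modelled in one process.

Added example, not code from the original post or from IdentityModel.
The introspection client, the token store and the credentials are constructed
for illustration; the request/response shapes follow RFC 7662 sections 2.1-2.3.
"""
import base64
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Callers allowed to use the introspection endpoint.  RFC 7662 2.1 requires the
# endpoint to authenticate the caller; here that is HTTP Basic with client
# credentials (hypothetical values).
INTROSPECTION_CLIENTS = {"api-resource": "api-resource-secret"}

# Reference (opaque) access tokens issued earlier.  The handle itself carries
# no claims, which is exactly why a resource server has to ask the server.
TOKEN_STORE = {  # constructed sample data
    "2YotnFZFEjr1zCsicMWpAA": {
        "sub": "user-123", "username": "jdoe", "client_id": "spa-client",
        "scope": "openid profile api.read", "exp": int(time.time()) + 3600,
        "revoked": False,
    },
    "expired-handle": {
        "sub": "user-456", "username": "old", "client_id": "spa-client",
        "scope": "api.read", "exp": int(time.time()) - 60, "revoked": False,
    },
}


def build_introspection_request(token, client_id, client_secret, hint="access_token"):
    """Resource-server side: the POST that RFC 7662 2.1 describes.

    'token' (the bearer token from the incoming API request) is the only
    required body parameter; client_id/client_secret authenticate the caller
    and travel as HTTP Basic, not in the body.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": hint})
    return headers, body


def introspect(headers, body, now=None):
    """Authorization-server side: returns (http_status, json_body).

    Unauthenticated callers get 401.  Unknown, revoked and expired tokens all
    collapse to {"active": false} (RFC 7662 2.2) so the endpoint does not tell
    whoever holds a token why it is bad.
    """
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    expected = INTROSPECTION_CLIENTS.get(client_id)
    # constant-time comparison: a wrong secret must not be timeable
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, {"error": "invalid_client"}

    token = parse_qs(body, keep_blank_values=True).get("token", [""])[0]
    if not token:
        return 400, {"error": "invalid_request"}

    rec = TOKEN_STORE.get(token)
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return 200, {"active": False}
    # Only fields RFC 7662 2.2 defines; "active" is the only mandatory one.
    return 200, {
        "active": True, "scope": rec["scope"], "client_id": rec["client_id"],
        "username": rec["username"], "sub": rec["sub"],
        "token_type": "Bearer", "exp": rec["exp"],
    }


def check_bearer(token, client_id="api-resource", client_secret="api-resource-secret",
                 required_scope="api.read"):
    """What an [Authorize]-protected request triggers: introspect, then decide.

    Returns the claims dict (the user context) on success, None when the
    caller's token is rejected, and raises when the resource server's own call
    to the endpoint failed: that is a configuration error to log, not a reason
    to tell the user their token is bad.
    """
    headers, body = build_introspection_request(token, client_id, client_secret)
    status, result = introspect(headers, body)
    if status != 200:
        raise RuntimeError(f"introspection endpoint returned {status}: {result}")
    if not result.get("active") or required_scope not in result.get("scope", "").split():
        return None
    return result
```

Mapped onto the configuration in the question: options.Authority, ClientId and ClientSecret set up the resource-server side of build_introspection_request (the library finds the introspection endpoint through the authority's discovery document unless IntrospectionEndpoint is set), the token is whatever arrived in the Authorization: Bearer header of the protected request, and the claims of an active response are what the request's user context is built from. A reply other than 200 means the resource server's own credentials or endpoint are wrong; that is the case to surface in logs rather than to hide behind a generic 500.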

huangapple
  • Published 2023-02-14 19:58:02
  • Reposts must keep this link: https://go.coder-hub.com/75447506.html