Client authentication for third party applications for OAuth 2.0 authorization


Question


In our application we have an authorization server that holds users' data. Some third-party application needs to access this data - normally through a user session (webapp) where the resource owner authenticates itself.

However, the third party also needs to access some data "on its own". Due to legal requirements it needs to both keep up to date with changes in the data after the resource owner has allowed access the first time; and it needs to keep a local copy and reject changes if deemed necessary.

However, besides how this might interact with who is the actual resource owner, this means that the third party also needs to authenticate itself to the authorization server, and act on its own.

I am however confused about this. If I understand the specification correctly, this server would be considered a "public client", as there's no confidential information, since any login method would have to be "coded" into the third party's device/server.

However in section 2.3 there is this paragraph:

> The authorization server MAY establish a client authentication method
> with public clients. However, the authorization server MUST NOT rely
> on public client authentication for the purpose of identifying the
> client.

This really confuses me: how would I ever identify the third party server, and issue rights to the third party to access the data it has registered to?

Answer 1

Score: 1


This is pretty common. Another scenario might be a doctor using a health application. In this use case, the doctor's identity is important but he / she won't own all the data.

The medical app would receive an access token with an appropriate scope, e.g. patients, after which it can call medical APIs with the access token.

It feels like in your scenario you need to issue such a token to the third party app. The token(s) would then be part of its web session.
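As an added example (not part of the question or the answer above), here is a minimal token endpoint for the server-to-server case the answer describes: the third party is registered as a confidential client, authenticates with client_secret_basic (RFC 6749 section 2.3.1), and receives a token limited to the scope it registered for (e.g. patients) via the client_credentials grant (section 4.4). Public clients are refused, because per section 2.3 their credentials must not be relied on to identify them. Client ids, secrets and scopes are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets


def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample registry (not real credentials). Secrets are stored hashed;
# allowed_scopes are the scopes the third party registered for.
REGISTERED_CLIENTS = {
    "medical-app": {"confidential": True, "secret_hash": _hash_secret("sample-secret"),
                    "allowed_scopes": {"patients"}},
    # A browser or mobile app cannot keep a secret, so it is a public client (RFC 6749 2.1).
    "mobile-app": {"confidential": False, "secret_hash": None, "allowed_scopes": {"profile"}},
}


def authenticate_client(authorization_header: str):
    """client_secret_basic (RFC 6749 2.3.1): return the client_id, or None if not authenticated."""
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    client = REGISTERED_CLIENTS.get(client_id)
    # Public clients are never identified by credentials they cannot keep secret (2.3).
    if client is None or not client["confidential"]:
        return None
    if not hmac.compare_digest(client["secret_hash"], _hash_secret(secret)):
        return None
    return client_id


def client_credentials_token(authorization_header: str, requested_scope: str):
    """Handle grant_type=client_credentials (RFC 6749 4.4); return (http_status, json_body)."""
    client_id = authenticate_client(authorization_header)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    requested = set(requested_scope.split())
    # Only scopes granted at registration may be issued to the client acting on its own.
    if not requested or not requested <= REGISTERED_CLIENTS[client_id]["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": " ".join(sorted(requested))}


def basic_header(client_id: str, secret: str) -> str:
    """Build the Authorization header a confidential client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()
```

The issued token then carries only the registered scope, so the resource server can authorize the third party's own calls without any user session being involved.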

huangapple
  • Posted on April 17, 2023 at 20:52:17
  • Please keep this link when reposting: https://go.coder-hub.com/76035366.html