CartService and Authentication

Question

I noticed that if you go to an online store, it allows you to view products and add them to the cart without authorization. I suppose I can achieve this, for example, by adding anyRequest().permitAll() in the configuration (I do not know if this is the right approach, I'm just learning programming). But then I don't quite understand how my shopping cart is saved after authorization?

I use Keycloak to get and validate tokens. I tried Authorization Code Flow and Client Credentials. But how can I link userId and cartId?

At first I planned to insert the userId field into Cart, but there is no point in this field until I log in. Then I remembered about the message broker, and for a second I thought that maybe Keycloak would send authorization messages by passing the userId, and Cart-Service would subscribe to the desired topic and fill in the userId field, but this is some nonsense: how will I understand which userId corresponds to which cartId?

Should I always use sessions (Spring Session maybe) here or..? I have heard that JWTs are an alternative to sessions, but they always require authorization, this is logical.

I have a mess in my head, I'm just gaining experience, please help me.

Answer 1

Score: 0

The cart state is in your front-end: in browser memory for JavaScript-based apps (Angular, React, Vue, etc.) or in server memory (session) for server-side rendered applications (Thymeleaf, JSP, etc.). It might also be saved in a cookie if cart state should be saved between sessions.

This cart state is completely independent of the user authentication state.

Once your user is authenticated (with client_credentials), you can get the user ID from the access & ID token claims and associate it with the cart ID.

Subject is a good candidate for user ID, but you could also use e-mail or preferred_username when those are configured as unique and not null on your authorization server (Keycloak).

JWTs are not an alternative to sessions. You can get rid of sessions on OAuth2 resource servers (being configured with a JWT decoder or token introspection), but OAuth2 resource servers can be consumed only by OAuth2 clients, and OAuth2 clients running on a server need sessions (the session is used by clients, among other things, to store tokens between requests). As configuring JavaScript-based applications as OAuth2 public clients is now discouraged in favor of the BFF pattern (middleware on the server configured as an OAuth2 confidential client), you'll need sessions on this BFF to get OAuth2 working. Note that this session usage is not directly correlated with your cart: as explained above, cart state in session is an option only for server-side rendered applications.
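The following is an added example, not code from the question or the answer, showing one way to implement what the answer describes in a Spring Boot 3 / Spring Security 6 resource server: product browsing and anonymous cart operations are permitAll(), the cart id handed to the client is a random UUID (before login it is the only handle on the cart, so it must be unguessable), and once the front-end has a Keycloak access token the cart is bound to the "sub" claim of the verified JWT, never to a user id sent in the request body. All class, endpoint and field names are assumptions made for the example, as is the auto-configured JWT decoder (spring-boot-starter-oauth2-resource-server on the classpath with spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the Keycloak realm); an in-memory map stands in for the database.

```java
// Added example (not from the question or answer). Assumes Spring Boot 3 with
// spring-boot-starter-web and spring-boot-starter-oauth2-resource-server, and
// spring.security.oauth2.resourceserver.jwt.issuer-uri set to the Keycloak realm
// so that the JWT decoder is auto-configured. Names are made up for illustration.
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Browsing and anonymous cart handling need no token.
                .requestMatchers(HttpMethod.GET, "/products/**").permitAll()
                .requestMatchers(HttpMethod.POST, "/carts").permitAll()
                .requestMatchers(HttpMethod.POST, "/carts/*/items").permitAll()
                // Everything else (claiming a cart, listing my carts) needs a valid Keycloak JWT.
                .anyRequest().authenticated())
            // Resource server: validate the bearer token on each request, no HTTP session here.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Bearer-token API without a session cookie, so CSRF protection adds nothing.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}

class Cart {
    // Random v4 UUID: unguessable, because before login it is the only handle on the cart.
    public final UUID id = UUID.randomUUID();
    // Null until the cart is claimed; holds the token's 'sub' claim afterwards.
    public volatile String userId;
    public final List<String> items = Collections.synchronizedList(new ArrayList<>());
}

@RestController
@RequestMapping("/carts")
class CartController {
    // In-memory store standing in for the database in this example.
    private final Map<UUID, Cart> carts = new ConcurrentHashMap<>();

    @PostMapping
    Cart create() {                      // anonymous: the client keeps the returned id
        Cart cart = new Cart();
        carts.put(cart.id, cart);
        return cart;
    }

    @PostMapping("/{id}/items")
    Cart addItem(@PathVariable UUID id, @RequestBody String sku) {
        Cart cart = find(id);
        cart.items.add(sku);
        return cart;
    }

    // Called once the front-end holds a token. The user id is taken from the
    // verified token's 'sub' claim (as the answer suggests), never from the request.
    @PostMapping("/{id}/claim")
    Cart claim(@PathVariable UUID id, @AuthenticationPrincipal Jwt jwt) {
        Cart cart = find(id);
        String subject = jwt.getSubject();
        synchronized (cart) {
            // A cart already bound to someone else must not be re-bound.
            if (cart.userId != null && !cart.userId.equals(subject)) {
                throw new AccessDeniedException("cart already belongs to another user");
            }
            cart.userId = subject;
        }
        return cart;
    }

    @GetMapping("/mine")
    List<Cart> mine(@AuthenticationPrincipal Jwt jwt) {
        String subject = jwt.getSubject();
        return carts.values().stream().filter(c -> subject.equals(c.userId)).toList();
    }

    private Cart find(UUID id) {
        Cart cart = carts.get(id);
        if (cart == null) throw new NoSuchElementException("unknown cart");
        return cart;
    }
}
```

The flow matches the answer: the cart lives and grows with no authentication at all, and "linking userId and cartId" is a single request the front-end makes after obtaining a token, where the server reads the identity from the token it has just validated. If e-mail or preferred_username is preferred as the identifier, read it with jwt.getClaimAsString(...) instead of getSubject(), but only if Keycloak enforces those attributes as unique and non-empty, as the answer notes.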

Posted by huangapple on 2023-08-09 00:26:51
Please retain the original link when reposting: https://go.coder-hub.com/76861496.html