An Illustrated Guide to OAuth and OpenID Connect

Translator's note: This excellent article from Okta explains how OAuth and OIDC (OpenID Connect) work in the simplest and clearest way possible. This knowledge will be useful to developers, system administrators and even "ordinary users" of popular web applications, who may also exchange sensitive data with other services.

In the Stone Age of the Internet, sharing data between services was easy. You simply gave your login and password for one service to another, so that it could log into your account and grab whatever data it needed.

[Illustration] "Give me your bank account." "We promise that everything will be fine with your password and your money. Honest, honest!" *right...*

Yikes! No one should ever be asked to share their username and password, their credentials, with another service. There is no guarantee that the organization behind that service will keep the data safe, or that it won't collect more personal information than it needs. It may sound crazy, but some applications still get away with this practice!

Today there is an agreed-upon standard that lets one service securely use the data of another. Unfortunately, such standards use a lot of jargon and terminology, which makes them harder to understand. The goal of this article is to explain how they work using simple illustrations (You think my drawings look like a child's? Oh well!).


By the way, this guide is also available as a video:

Ladies and gentlemen, please welcome: OAuth 2.0

OAuth 2.0 is a security standard that allows one application to obtain permission to access data in another application. The sequence of steps for granting permission (or consent) is often called authorization, or even delegated authorization. With this standard, you authorize an application to read data or use the features of another application on your behalf, without giving it your password. Sweet!

For example, say you've discovered a site called "Terrible Pun of the Day" and decided to sign up to receive a daily pun by text message on your phone. You love the site so much that you decide to share it with all your friends. After all, everyone loves a terrible pun, right?

[Illustration] "Terrible Pun of the Day: Heard about the guy who lost the left half of his body? He's all right now!"

Obviously, writing to every single person in your contact list is not an option. And if you're even a little like me, you'll go to great lengths to avoid unnecessary work. Luckily, Terrible Pun of the Day can invite all your friends by itself! To do this, you only need to grant it access to your email contacts, and the site will send them the invitations itself (OAuth rules)!

[Illustration] "Everyone loves puns! - Already signed in? Would you like to allow the Terrible Pun of the Day site to access your contact list? - Thanks! From now on we'll send a daily reminder to everyone you know, until the end of time! You're a great friend!"

  1. Pick your email provider.
  2. If necessary, go to the email site and log into your account.
  3. Give Terrible Pun of the Day permission to access your contacts.
  4. Return to the Terrible Pun of the Day site.

If you change your mind, applications that use OAuth also offer a way to revoke access. Once you decide you no longer want to share your contacts with Terrible Pun of the Day, you can go to your email provider and remove the site from the list of authorized applications.

OAuth Flow

We have just walked through what is commonly called an OAuth flow. In our example, this flow consisted of visible steps and also of several invisible steps, in which the two services agreed on a secure way to exchange data. The Terrible Pun of the Day example above uses the most common OAuth 2.0 flow, known as the "authorization code" flow.

Before we dive into the details of how OAuth works, let's define some terms:

  • Resource Owner:

    You! You own your credentials and your data, and you control all the actions that can be performed on your account.

  • Client:

    The application (for example, the Terrible Pun of the Day service) that wants to access data or perform actions on behalf of the Resource Owner.

  • Authorization Server:

    The application that knows the Resource Owner, and where the Resource Owner already has an account.

  • Resource Server:

    The Application Programming Interface (API) or service that the Client wants to use on behalf of the Resource Owner.

  • Redirect URI:

    The URL that the Authorization Server redirects the Resource Owner back to after permission has been granted to the Client. Sometimes called the "Callback URL".

  • Response Type:

    The type of information the Client expects to receive. The most common Response Type is code, meaning the Client expects to receive an Authorization Code.

  • Scope:

    The granular permissions the Client is requesting, such as access to data or the ability to perform certain actions.

  • Consent:

    The Authorization Server takes the Scopes requested by the Client and asks the Resource Owner whether they are willing to grant the Client the corresponding permissions.

  • Client ID:

    This ID is used to identify the Client to the Authorization Server.

  • Client Secret:

    A secret password known only to the Client and the Authorization Server. It lets the two of them exchange information privately.

  • Authorization Code:

    A temporary, short-lived code that the Client gives to the Authorization Server in exchange for an Access Token.

  • Access Token:

    The key the Client uses to communicate with the Resource Server. Think of it as a badge or key card that gives the Client permission to request data or perform actions on the Resource Server on your behalf.

Note: Sometimes the Authorization Server and the Resource Server are the same server. In other cases, however, they can be different servers, even belonging to different organizations. For example, the Authorization Server may be a third-party service that the Resource Server trusts.

Now that we have covered the basic concepts of OAuth 2.0, let's return to our example and look at what actually happens during the OAuth flow.


  1. You, the Resource Owner, want to give the Terrible Pun of the Day service (the Client) access to your contacts so that it can send invitations to all your friends.
  2. The Client redirects your browser to the Authorization Server's page and includes in the request its Client ID, Redirect URI, Response Type and one or more Scopes (permissions) it needs.
  3. The Authorization Server verifies who you are, prompting for a username and password if necessary.
  4. The Authorization Server shows a Consent (confirmation) form listing all the Scopes requested by the Client. You grant or deny permission.
  5. The Authorization Server redirects you back to the Client's site using the Redirect URI, along with an Authorization Code.
  6. The Client communicates directly with the Authorization Server (bypassing the Resource Owner's browser) and securely sends its Client ID, Client Secret and the Authorization Code.
  7. The Authorization Server verifies the data and responds with an Access Token.
  8. The Client can now use the Access Token to send requests to the Resource Server and obtain your contact list.

Client ID and Secret

Long before you allowed Terrible Pun of the Day to access your contacts, the Client and the Authorization Server established a working relationship. The Authorization Server generated a Client ID and a Client Secret (sometimes called the App ID and App Secret) and sent them to the Client for use in all further OAuth exchanges.

[Illustration] "- Hello! I'd like to work with you! - Sure, no problem! Here are your Client ID and Secret!"

As the name implies, the Client Secret must be kept secret, so that only the Client and the Authorization Server know it. After all, this is how the Authorization Server verifies that the Client is genuine.
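To make the eight steps of the flow and the Client ID / Client Secret relationship concrete, here is an added example (written for this page; it is not code from Okta or from the original article) that plays the authorization code flow in Python with every party in one process: a toy Authorization Server, a toy Resource Server holding a constructed contact list, and the Client's side of the exchange. The hosts auth.example and pun.example, the scope name contacts.read, the user "alice" and all secrets are made up. The checks the Authorization Server performs are the ones the steps above imply: the Redirect URI must match the registered one exactly, the Client Secret is verified on the back channel, and the Authorization Code expires quickly and can be redeemed only once.

```python
"""Simulation of the OAuth 2.0 authorization code flow (added example)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 60  # seconds; authorization codes are short-lived and single-use


class AuthorizationServer:
    """Knows the Resource Owner and the Clients registered with it."""

    def __init__(self):
        self.clients = {}        # client_id -> registered redirect_uri and hashed secret
        self.pending_codes = {}  # authorization code -> what it was issued for
        self.access_tokens = {}  # access token -> subject and granted scope

    def register_client(self, redirect_uri):
        """'Client ID and Secret': done once, long before any user shows up."""
        client_id = secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(32)
        # Store only a hash; the secret itself lives with the Client.
        self.clients[client_id] = {
            "secret_hash": hashlib.sha256(client_secret.encode()).hexdigest(),
            "redirect_uri": redirect_uri,
        }
        return client_id, client_secret

    def authorize(self, request_url, resource_owner, consent_given):
        """Steps 2-5: check the request, show consent, redirect back with a code."""
        p = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        client = self.clients.get(p.get("client_id"))
        if client is None:
            raise ValueError("unknown client_id")
        # Exact match against the registered Redirect URI, otherwise the code
        # could be delivered to a page the Client never registered.
        if p.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("redirect_uri mismatch")
        if p.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        if not consent_given:
            return client["redirect_uri"] + "?" + urlencode({"error": "access_denied"})
        code = secrets.token_urlsafe(24)
        self.pending_codes[code] = {
            "client_id": p["client_id"], "redirect_uri": p["redirect_uri"],
            "scope": p.get("scope", ""), "sub": resource_owner,
            "expires_at": time.time() + CODE_LIFETIME,
        }
        return client["redirect_uri"] + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 6-7: back-channel exchange of code + client credentials for a token."""
        client = self.clients.get(client_id)
        given = hashlib.sha256(client_secret.encode()).hexdigest()
        if client is None or not hmac.compare_digest(given, client["secret_hash"]):
            raise PermissionError("invalid_client")
        pending = self.pending_codes.pop(code, None)  # pop(): a code is redeemable once
        if (pending is None or pending["expires_at"] < time.time()
                or pending["client_id"] != client_id
                or pending["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = {"sub": pending["sub"], "scope": pending["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": pending["scope"]}


class ResourceServer:
    """The contacts API; it asks the Authorization Server whether a token is valid."""

    def __init__(self, auth_server, contacts):
        self.auth_server, self.contacts = auth_server, contacts

    def get_contacts(self, access_token):
        info = self.auth_server.access_tokens.get(access_token)
        if info is None or "contacts.read" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return self.contacts[info["sub"]]


def authorization_request_url(client_id, redirect_uri, scope):
    """Step 2: the URL the Client sends the browser to (hypothetical host)."""
    return "https://auth.example/authorize?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": scope,
    })


def run_flow(consent_given=True):
    """Play the whole exchange from the Client's point of view; returns the contacts."""
    auth = AuthorizationServer()
    api = ResourceServer(auth, {"alice": ["bob@example.com", "carol@example.com"]})  # constructed
    redirect_uri = "https://pun.example/callback"  # hypothetical Client endpoint
    client_id, client_secret = auth.register_client(redirect_uri)
    # Steps 3-5: the Resource Owner 'alice' logs in and answers the consent form.
    callback = auth.authorize(authorization_request_url(client_id, redirect_uri, "contacts.read"),
                              "alice", consent_given)
    query = parse_qs(urlparse(callback).query)
    if "code" not in query:
        return []  # consent denied: no code, no token, no data
    # Steps 6-7: back channel, the browser is not involved.
    tok = auth.token(client_id, client_secret, query["code"][0], redirect_uri)
    # Step 8: call the Resource Server with the Access Token.
    return api.get_contacts(tok["access_token"])


if __name__ == "__main__":
    print(run_flow())
```

Running the file prints Alice's constructed contact list; `run_flow(consent_given=False)` returns an empty list, because without consent no code is ever issued. The code is consumed with `pop()` on the first exchange, so a code that leaks after it has been redeemed is worthless, which is one reason the article calls it short-lived; note also that the Client Secret never passes through the browser, only the Authorization Code does.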

But that's not all... Please welcome OpenID Connect!

OAuth 2.0 is designed only for authorization: for granting access to data and features from one application to another. OpenID Connect (OIDC) is a thin layer on top of OAuth 2.0 that adds login and profile information about the user who has signed in. Establishing a login session is often called authentication, and information about the signed-in user (i.e. about the Resource Owner) is called identity. If the Authorization Server supports OIDC, it is sometimes called an identity provider, since it provides the Client with information about the Resource Owner.

OpenID Connect makes it possible to implement scenarios in which a single login can be used across multiple applications; this approach is also known as single sign-on (SSO). For example, an application can support SSO with social networks such as Facebook or Twitter, letting users sign in with accounts they already have and prefer to use.


The OpenID Connect flow looks the same as the OAuth flow. The only differences are that the initial request uses a specific scope, openid, and that in the final exchange the Client receives both an Access Token and an ID Token.


As in the OAuth flow, the Access Token in OpenID Connect is a value the Client does not understand. From the Client's point of view, the Access Token is a string of characters that is passed along with every request to the Resource Server, and it is the Resource Server that decides whether the token is valid. The ID Token is something quite different.

An ID Token is a JWT

An ID Token is a specially formatted string of characters known as a JSON Web Token, or JWT (JWTs are sometimes pronounced "jots"). To an outside observer a JWT may look like unintelligible gibberish, but the Client can extract various pieces of information from it, such as your ID, your name, when you logged in, when the ID Token expires, and whether anyone has tried to tamper with the JWT. The data inside the ID Token are called claims.


With OIDC there is also a standard way for the Client to request additional identity information about the user from the Authorization Server, for example an email address, using the Access Token.
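The ID Token section above says the Client can extract claims from the JWT and detect tampering. The added example below (not code from the article or from Okta) shows what that means in practice: it mints a constructed ID Token, reads its claims without any key, and then performs the checks a Client must do before trusting the claims (signature, issuer, audience, expiry). For self-containment it uses HS256, an HMAC over a shared key; real OIDC providers normally sign ID Tokens with RS256 and publish the public keys, so in production only the key handling differs, not the claim checks. The issuer https://auth.example, the client ID client-abc, the key and all claim values are constructed.

```python
"""Reading and verifying an OIDC ID Token (JWT) with the standard library only."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """JWT segments use base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the Authorization Server: sign the claims as an HS256 JWT.
    Assumption for the demo: a shared key; production providers usually use RS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def peek_claims(token: str) -> dict:
    """What anyone can read: the payload is encoded, not encrypted, so a JWT never
    hides its contents; only the signature says who produced it and whether it changed."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_id_token(token, key, expected_issuer, client_id, now=None) -> dict:
    """The Client's checks before trusting an ID Token; returns the claims or raises."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to check, never the token itself.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature: tampered with, or not from the expected issuer")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("issued for a different Client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def demo() -> dict:
    """Constructed end-to-end run: a genuine token verifies, a forged one does not."""
    key = b"constructed-shared-secret-for-this-demo"
    claims = {"iss": "https://auth.example", "sub": "user-123", "aud": "client-abc",
              "name": "Alice", "iat": 1700000000, "exp": 1700003600}
    token = mint_id_token(claims, key)
    verified = verify_id_token(token, key, "https://auth.example", "client-abc", now=1700000100)
    # Forge: swap the subject in the payload but keep the original signature.
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = b64url_encode(json.dumps(dict(claims, sub="admin")).encode())
    forged = f"{header_b64}.{forged_payload}.{sig_b64}"
    try:
        verify_id_token(forged, key, "https://auth.example", "client-abc", now=1700000100)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"subject": verified["sub"],
            "forged_subject_as_peeked": peek_claims(forged)["sub"],
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The point of `peek_claims` next to `verify_id_token` is the contrast: decoding tells you what a token claims, verification tells you whether to believe it. The forged token in `demo()` still decodes to a convincing payload with `sub` set to `admin`, and only the signature check exposes it; the audience check matters just as much, since a perfectly valid ID Token issued to some other Client must not be accepted as a login for this one.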

Learn more about OAuth and OIDC

So, we have briefly reviewed how OAuth and OIDC work. Ready to dig deeper? Here are some additional resources to help you learn more about OAuth 2.0 and OpenID Connect:

As always, feel free to leave comments. For our latest content, follow Okta for Developers on Twitter and YouTube!

P.S. from the translator

Also read on our blog:

source: www.habr.com
