An Illustrated Guide to OAuth and OpenID Connect

Translator's note: This excellent article from Okta explains how OAuth and OIDC (OpenID Connect) work in a simple and clear way. This knowledge is useful to developers, system administrators, and even "ordinary users" of popular web applications, which exchange sensitive data with other services.

In the Stone Age of the Internet, sharing information between services was easy. You simply gave your username and password from one service to another, so that it could log in to your account and get whatever information it needed.

"Give me your bank account." "We promise everything will be fine with the password and the money. Honest, honest!" *hee hee*

Yikes! A user should never be required to share a username and password, their credentials, with another service. There is no guarantee that the organization behind the service will keep the data safe and will not collect more personal information than necessary. It may sound crazy, but some applications still use this practice!

Today there is a single standard that allows one service to securely use the data of another. Unfortunately, such standards use a lot of jargon and terminology, which makes them harder to understand. The purpose of this article is to explain how they work using simple illustrations (Do you think my drawings look like a child's scribbles? Oh well!).

By the way, this guide is also available in video format:

Ladies and gentlemen, introducing: OAuth 2.0

OAuth 2.0 is a security standard that allows one application to obtain permission to access information in another application. The sequence of steps for granting permission (or consent) is often called authorization or even delegated authorization. With this standard, you allow an application to read data or use the features of another application on your behalf without giving it your password. Great!

As an example, let's say you have discovered a site called "Terrible Pun of the Day" and decided to register on it to receive daily puns as text messages on your phone. You liked the site so much that you decided to share it with all your friends. After all, everyone loves terrible puns, right?

"Terrible pun of the day: Did you hear about the guy who lost the left half of his body? Now he's all right!" (an approximate translation, since the original has its own pun - translator's note)

Clearly, writing to every person in your contact list is not an option. And if you are even a little like me, you will go to any lengths to avoid unnecessary work. Fortunately, Terrible Pun of the Day can invite all your friends by itself! To do this, you only need to grant it access to your email contacts, and the site itself will send them the invitations (OAuth rules)!

"Everybody loves puns! - Already logged in? - Would you like to allow the Terrible Pun of the Day site to access your contact list? - Thank you! From now on, we will send reminders every day to everyone you know, until the end of time! You're the best friend ever!"

  1. Choose your email service.
  2. If necessary, go to the email site and log in to your account.
  3. Give Terrible Pun of the Day permission to access your contacts.
  4. Return to the Terrible Pun of the Day site.

In case you change your mind, applications that use OAuth also provide a way to revoke access. If you decide you no longer want to share your contacts with Terrible Pun of the Day, you can go to the email site and remove the pun site from the list of authorized applications.

The OAuth Flow

We have just walked through what is commonly called an OAuth flow. In our example, this flow consists of visible steps, as well as several invisible steps in which the two services agree on a secure exchange of information. The Terrible Pun of the Day example uses the most common OAuth 2.0 flow, known as the "authorization code" flow.

Before diving into the details of how OAuth works, let's talk about the meaning of some terms:

  • Resource Owner:

    That's you! You own your credentials, your data, and control all actions that can be performed on your accounts.

  • Client:

    An application (for example, the Terrible Pun of the Day service) that wants to access data or perform certain actions on behalf of the Resource Owner.

  • Authorization Server:

    The application that knows the Resource Owner and in which the Resource Owner already has an account.

  • Resource Server:

    The application programming interface (API) or service that the Client wants to use on behalf of the Resource Owner.

  • Redirect URI:

    The link to which the Authorization Server redirects the Resource Owner after permission has been granted to the Client. It is sometimes called the "Callback URL".

  • Response Type:

    The type of information the Client expects to receive. The most common Response Type is code, meaning the Client expects to receive an Authorization Code.

  • Scope:

    A detailed description of the permissions the Client requires, such as access to data or performing certain actions.

  • Consent:

    The Authorization Server takes the Scopes requested by the Client and asks the Resource Owner whether they are willing to grant the Client the corresponding permissions.

  • Client ID:

    This ID is used to identify the Client to the Authorization Server.

  • Client Secret:

    This is a password known only to the Client and the Authorization Server. It allows them to share information privately.

  • Authorization Code:

    A temporary code with a short validity period, which the Client provides to the Authorization Server in exchange for an Access Token.

  • Access Token:

    The key the Client uses to communicate with the Resource Server. It is a kind of badge or key card that gives the Client permission to request data or perform actions on the Resource Server on your behalf.

Note: Sometimes the Authorization Server and the Resource Server are the same server. However, in some cases they may be different servers, even ones that do not belong to the same organization. For example, the Authorization Server may be a third-party service trusted by the Resource Server.

Now that we have covered the core concepts of OAuth 2.0, let's return to our example and take a closer look at what happens in the OAuth flow.

  1. You, the Resource Owner, want to give the Terrible Pun of the Day service (the Client) access to your contacts so that it can send invitations to all your friends.
  2. The Client redirects the browser to the Authorization Server's page and includes in the request the Client ID, Redirect URI, Response Type, and one or more Scopes (permissions) it needs.
  3. The Authorization Server verifies who you are, asking for a username and password if necessary.
  4. The Authorization Server displays a Consent form (confirmation) listing all the Scopes requested by the Client. You agree or refuse.
  5. The Authorization Server redirects you back to the Client's site, using the Redirect URI together with an Authorization Code.
  6. The Client communicates directly with the Authorization Server (bypassing the Resource Owner's browser) and securely sends the Client ID, Client Secret, and Authorization Code.
  7. The Authorization Server verifies the data and responds with an Access Token.
  8. The Client can now use the Access Token to send a request to the Resource Server to get the list of contacts.
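
Steps 2 through 7 above, played out between a Client and an Authorization Server inside one process. This is an added example, not code from the original article or from Okta; the client ID, secret, URLs and scope name are constructed, and the `state` parameter (an anti-forgery value from the OAuth 2.0 specification that the article does not cover) is an addition.

```python
import hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration data: the Client ID and Client Secret are issued in advance.
REGISTERED = {"pun-client": {"secret": "s3cr3t-constructed",
                             "redirect_uri": "https://pun.example/callback"}}
_codes = {}  # authorization code -> (client_id, redirect_uri, scope)

def build_authorization_url(client_id, redirect_uri, scope, state):
    """Step 2: the Client sends the browser to the Authorization Server."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return "https://auth.example/authorize?" + query

def authorize(url, consent_given):
    """Steps 3-5, server side: validate the request, record consent, redirect back."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = REGISTERED.get(q.get("client_id"))
    # Only ever redirect to the exact Redirect URI registered for this Client.
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or unregistered redirect_uri")
    if q.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    if not consent_given:
        denied = {"error": "access_denied", "state": q["state"]}
        return q["redirect_uri"] + "?" + urlencode(denied)
    code = secrets.token_urlsafe(16)
    _codes[code] = (q["client_id"], q["redirect_uri"], q["scope"])
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def exchange_code(client_id, client_secret, code, redirect_uri):
    """Steps 6-7, back channel: Client ID + Client Secret + code -> Access Token."""
    client = REGISTERED.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    grant = _codes.pop(code, None)  # pop: a code can be redeemed only once
    if grant is None or grant[:2] != (client_id, redirect_uri):
        raise PermissionError("invalid_grant")
    return {"access_token": secrets.token_urlsafe(24),
            "token_type": "Bearer", "scope": grant[2]}

def run_flow():
    """Client side of steps 2-7; returns the code and the token response."""
    cb_uri, state = "https://pun.example/callback", secrets.token_urlsafe(8)
    url = build_authorization_url("pun-client", cb_uri, "contacts.read", state)
    cb = {k: v[0] for k, v in parse_qs(urlparse(authorize(url, True)).query).items()}
    if not hmac.compare_digest(cb["state"], state):  # callback must match our request
        raise ValueError("state mismatch")
    return cb["code"], exchange_code("pun-client", "s3cr3t-constructed", cb["code"], cb_uri)
```

The Client Secret and the Access Token only ever travel on the direct Client-to-server call in `exchange_code`; the browser redirect carries nothing but the short-lived, single-use code.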

Client ID and Secret

Long before you allowed Terrible Pun of the Day to access your contacts, the Client and the Authorization Server had established a working relationship. The Authorization Server generated a Client ID and Client Secret (sometimes called the App ID and App Secret) and sent them to the Client for further interaction within OAuth.

"- Hello! I would like to work with you! - Sure, no problem! Here are your Client ID and Secret!"

As the name implies, the Client Secret must be kept secret so that only the Client and the Authorization Server know it. After all, it is with its help that the Authorization Server verifies the authenticity of the Client.

But that's not all... Please welcome OpenID Connect!

OAuth 2.0 is designed only for authorization: for granting access to data and features from one application to another. OpenID Connect (OIDC) is a thin layer on top of OAuth 2.0 that adds login and profile details of the user who is logged in to the account. Establishing a login session is often referred to as authentication, and information about the user logged in to the system (that is, about the Resource Owner) is called identity. If the Authorization Server supports OIDC, it is sometimes called an identity provider, because it provides the Client with information about the Resource Owner.

OpenID Connect makes it possible to implement scenarios in which a single login can be used across multiple applications; this approach is also known as single sign-on (SSO). For example, an application can support SSO integration with social networks such as Facebook or Twitter, allowing users to use an account they already have and prefer to use.

The OpenID Connect flow looks the same as in the case of OAuth. The only differences are that the initial request uses a specific scope, openid, and that in the end the Client receives both an Access Token and an ID Token.

As in the OAuth flow, the Access Token in OpenID Connect is a value the Client does not understand. From the Client's point of view, the Access Token is just a string of characters that is passed with every request to the Resource Server, which determines whether the token is valid. The ID Token is something entirely different.

An ID Token is a JWT

An ID Token is a specially formatted string of characters known as a JSON Web Token, or JWT (JWTs are sometimes pronounced "jots"). To outside observers a JWT may look like incomprehensible gibberish, but the Client can extract various information from the JWT, such as the ID, the username, the login time, the ID Token's expiration date, and whether there have been attempts to tamper with the JWT. The data inside the ID Token are called claims.

With OIDC, there is also a standard way for the Client to request additional identity information from the Authorization Server, such as an email address, using the Access Token.

Learn More About OAuth and OIDC

So, we have briefly reviewed how OAuth and OIDC work. Ready to dig deeper? Here are additional resources to help you learn more about OAuth 2.0 and OpenID Connect:

As always, feel free to comment. To keep up with our latest news, follow Okta's Twitter and YouTube for developers!

Source: www.habr.com