An Illustrated Guide to OAuth and OpenID Connect

Translator's note: This excellent article from Okta explains how OAuth and OIDC (OpenID Connect) work in a simple and clear way. It will be useful to developers, system administrators, and even "ordinary users" of popular web applications, which often exchange confidential data with other services.

In the Stone Age of the internet, sharing information between services was easy. You simply handed your login and password for one service to another, so that it could log in to your account and retrieve whatever information it wanted.

"Give me your bank account." "We promise everything will be fine with your password and your money. Honest, honest!" *hee hee*

Horrifying! No one should ever ask a user to share their username and password, their credentials, with another service. There is no guarantee that the organization behind that service will keep the data safe and will not collect more personal information than it should. It may sound crazy, but some applications still use this practice!

Today there is a single standard that allows one service to safely use the data of another. Unfortunately, such standards use a lot of jargon and terminology, which makes them harder to understand. The goal of this article is to explain how they work using simple illustrations (Do you think my drawings look like children's scribbles? Oh well!).

By the way, this guide is also available in video format:

Ladies and gentlemen, welcome: OAuth 2.0

OAuth 2.0 is a security standard that allows one application to obtain permission to access information in another application. The sequence of steps for granting permission (or consent) is often called authorization, or even delegated authorization. With this standard, you allow an application to read data or use the functions of another application on your behalf without giving it your password. Cool!

For example, suppose you have found a site called "Terrible Pun of the Day" and decided to sign up to receive daily puns as text messages on your phone. You really liked the site and decided to share it with all your friends. After all, everyone loves terrible puns, right?

"Terrible pun of the day: Did you hear about the guy who lost the left half of his body? Now he is always right!" (approximate translation, since the original relies on its own wordplay - translator's note)

Obviously, writing to every person in your contact list is not an option. And if you are even a little like me, you will go to great lengths to avoid unnecessary work. Fortunately, Terrible Pun of the Day can invite all your friends by itself! To do that, you just need to give it access to your email contacts, and the site will send them invitations (OAuth rules)!

"Everyone loves puns! - Already logged in? - Would you like to allow the Terrible Pun of the Day site to access your contact list? - Thank you! From now on we will send reminders every day to everyone you know, until the end of time! You are the best friend ever!"

  1. Choose your email service.
  2. If necessary, go to the mail site and log in to your account.
  3. Give Terrible Pun of the Day permission to access your contacts.
  4. Return to the Terrible Pun of the Day site.

If you change your mind, applications that use OAuth also provide a way to revoke access. Once you decide that you no longer want to share your contacts with Terrible Pun of the Day, you can go to the mail site and remove the pun site from the list of authorized applications.

The OAuth flow

We have just walked through what is commonly called an OAuth flow. In our example, this flow consists of visible steps as well as several invisible steps in which the two services agree on a secure exchange of information. The Terrible Pun of the Day example above uses the most common OAuth 2.0 flow, known as the "authorization code" flow.

Before we dive into the details of how OAuth works, let's go over what some of the terms mean:

  • Resource Owner:

    That's you! You own your identity and your data, and you control every action that can be performed on your accounts.

  • Client:

    The application (for example, the Terrible Pun of the Day service) that wants to access data or perform certain actions on behalf of the Resource Owner.

  • Authorization Server:

    The application that knows the Resource Owner and in which the Resource Owner already has an account.

  • Resource Server:

    The application programming interface (API) or service that the Client wants to use on behalf of the Resource Owner.

  • Redirect URI:

    The link to which the Authorization Server redirects the Resource Owner after they grant permission to the Client. Sometimes called the "Callback URL".

  • Response Type:

    The type of information the Client expects to receive. The most common Response Type is code, meaning the Client expects to receive an Authorization Code.

  • Scope:

    A detailed description of the permissions the Client needs, such as access to data or the ability to perform certain actions.

  • Consent:

    The Authorization Server takes the Scopes requested by the Client and asks the Resource Owner whether they are willing to grant the Client the corresponding permissions.

  • Client ID:

    This ID is used to identify the Client to the Authorization Server.

  • Client Secret:

    A password known only to the Client and the Authorization Server. It allows them to exchange information privately.

  • Authorization Code:

    A temporary code with a short validity period, which the Client gives to the Authorization Server in exchange for an Access Token.

  • Access Token:

    The key the Client will use to communicate with the Resource Server. A kind of badge or key card that gives the Client permission to request data or perform actions on the Resource Server on your behalf.

Note: Sometimes the Authorization Server and the Resource Server are the same server. In other cases, however, they may be different servers that do not even belong to the same organization. For example, the Authorization Server may be a third-party service trusted by the Resource Server.

Now that we have covered the core concepts of OAuth 2.0, let's return to our example and take a closer look at what happens in the OAuth flow.

  1. You, the Resource Owner, want to give the Terrible Pun of the Day service (the Client) access to your contacts so that it can send invitations to all your friends.
  2. The Client redirects the browser to the Authorization Server's page and includes in the request the Client ID, Redirect URI, Response Type, and one or more Scopes (permissions) it needs.
  3. The Authorization Server verifies who you are, asking for your username and password if necessary.
  4. The Authorization Server displays a Consent form listing all the Scopes requested by the Client. You accept or decline.
  5. The Authorization Server redirects you back to the Client's site using the Redirect URI, together with an Authorization Code.
  6. The Client contacts the Authorization Server directly (bypassing the Resource Owner's browser) and securely sends its Client ID, Client Secret, and the Authorization Code.
  7. The Authorization Server verifies the data and responds with an Access Token.
  8. The Client can now use the Access Token to send a request to the Resource Server to get the list of contacts.

Client ID and Secret

Long before you allowed Terrible Pun of the Day to access your contacts, the Client and the Authorization Server established a working relationship. The Authorization Server generated a Client ID and a Client Secret (sometimes called the App ID and App Secret) and gave them to the Client for use in all future OAuth exchanges.

"- Hi! I'd like to work with you! - Sure, no problem! Here are your Client ID and Secret!"

As the name implies, the Client Secret must be kept secret so that only the Client and the Authorization Server know it. After all, it is what the Authorization Server uses to verify the Client's authenticity.
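The eight-step flow and the pre-registered Client ID and Client Secret described above, as an added example that is not part of the original article: an in-memory Authorization Server that enforces the checks the steps rely on (registered Redirect URI, short-lived single-use code, Client Secret on the back channel). The hosts `auth.example` and `pun.example`, the client name, the secret and the function names are assumptions made for illustration.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration record: Client ID -> Client Secret and registered Redirect URI.
CLIENTS = {"pun-client": {"secret": "constructed-client-secret",
                          "redirect_uri": "https://pun.example/callback"}}
CODES = {}      # Authorization Code -> (client_id, redirect_uri, scope, expiry)
CODE_TTL = 60   # seconds: the code is temporary by design

def authorization_url(client_id, redirect_uri, scope):
    """Step 2: the Client redirects the browser to the Authorization Server."""
    return "https://auth.example/authorize?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope})

def authorize(url, user_consents, now=None):
    """Steps 3-5 on the Authorization Server: validate, ask consent, redirect back."""
    p = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(p.get("client_id"))
    # Exact match with the registered Redirect URI, so the code cannot be sent elsewhere.
    if client is None or p.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or unregistered redirect_uri")
    if p.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    if not user_consents:
        return client["redirect_uri"] + "?" + urlencode({"error": "access_denied"})
    code = secrets.token_urlsafe(16)
    expiry = (time.time() if now is None else now) + CODE_TTL
    CODES[code] = (p["client_id"], client["redirect_uri"], p.get("scope", ""), expiry)
    return client["redirect_uri"] + "?" + urlencode({"code": code})

def exchange(code, client_id, client_secret, redirect_uri, now=None):
    """Steps 6-7: back-channel exchange of the Authorization Code for an Access Token."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    entry = CODES.pop(code, None)   # single use: the code is consumed on first sight
    if entry is None:
        raise PermissionError("unknown or already used code")
    cid, uri, scope, expiry = entry
    if cid != client_id or uri != redirect_uri:
        raise PermissionError("code was issued to another client or redirect_uri")
    if (time.time() if now is None else now) > expiry:
        raise PermissionError("code expired")
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "scope": scope}
```

Because the code travels through the browser while the Client Secret only ever travels on the direct connection in step 6, a code seen in a redirect is of no use without the secret.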

But that's not all... Please welcome OpenID Connect!

OAuth 2.0 was designed only for authorization: granting access to data and functions from one application to another. OpenID Connect (OIDC) is a thin layer on top of OAuth 2.0 that adds login and profile information about the user who is logged in. Establishing a login session is often called authentication, and the information about the logged-in user (i.e. the Resource Owner) is called identity. If an Authorization Server supports OIDC, it is sometimes called an identity provider, because it provides the Client with information about the Resource Owner.

OpenID Connect makes it possible to implement scenarios in which a single login can be used across multiple applications; this approach is also known as single sign-on (SSO). For example, an application can support SSO integration with social networks such as Facebook or Twitter, letting users use an account they already have and prefer to use.

The OpenID Connect flow looks the same as the OAuth flow. The only difference is that the initial request uses a specific scope, openid, and the Client ends up receiving both an Access Token and an ID Token.

As in the OAuth flow, the Access Token in OpenID Connect is a value that the Client does not understand. From the Client's point of view, the Access Token is a string of characters that is passed along with every request to the Resource Server, which determines whether the token is valid. The ID Token is something else entirely.

The ID Token is a JWT

An ID Token is a specially formatted string of characters known as a JSON Web Token, or JWT (JWTs are sometimes pronounced "jots"). To outside observers a JWT may look like incomprehensible gibberish, but the Client can extract various information from it, such as the ID, the username, the login time, the ID Token's expiration date, and whether there have been attempts to tamper with the JWT. The data inside the ID Token is called claims.
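How a Client can read the claims and detect tampering, as an added example that is not part of the original article. It assumes an ID Token signed with HS256 using a shared key so that it runs with the standard library alone (many providers sign with RS256 and publish a public key instead); the key, issuer, client name and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_id_token(claims, key):
    """Issuer side, for the constructed sample: header.payload.signature."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(sign(head, body, key))}"

def verify_id_token(token, key, issuer, client_id, now):
    """Client side: return the claims only if every check passes."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        got = b64url_decode(sig)
    except ValueError as exc:   # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":   # the verifier picks the algorithm, never the token
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign(head, body, key), got):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

# Constructed sample: key, issuer and claims are illustrative values.
KEY = b"constructed-client-secret"
SAMPLE = make_id_token({"iss": "https://auth.example", "aud": "pun-client",
                        "sub": "user-123", "name": "Pat", "auth_time": 1000,
                        "iat": 1000, "exp": 4600}, KEY)
```

The header and payload are only base64url-encoded, so anyone can read them; only the signature check makes the claims trustworthy.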

With OIDC, there is also a standard way for the Client to request additional information about the user (identity) from the Authorization Server, for example an email address, using the Access Token.

Learn more about OAuth and OIDC

So, we have briefly reviewed how OAuth and OIDC work. Ready to dig deeper? Here are additional resources to help you learn more about OAuth 2.0 and OpenID Connect:

As always, feel free to comment. To keep up with our latest news, follow Okta for developers on Twitter and YouTube!

Source: www.habr.com
