An Illustrated Guide to OAuth and OpenID Connect

Translator's note: This excellent article from Okta explains how OAuth and OIDC (OpenID Connect) work in a simple and clear way. This knowledge will be useful to developers, system administrators, and even "regular users" of popular web applications, who most likely also exchange confidential data with other services.

In the "Stone Age" of the Internet, sharing information between services was easy. You simply gave your login and password from one service to another so that it could log in to your account and retrieve whatever information it needed.

"Please hand over your bank account." "We promise everything will be fine with your password and money. Honest, honest!" *hee hee*

Horrifying! Nobody should ever require a user to share a username and password (their credentials) with another service. There is no guarantee that the organization behind that service will keep the data safe and will not collect more personal information than necessary. It may sound crazy, but some applications still use this practice!

Today there is a single standard that allows one service to safely use the data of another. Unfortunately, such standards use a lot of jargon and terminology, which makes them hard to understand. The aim of this article is to explain how they work with the help of simple illustrations (Do you think my drawings look like a child's scribbles? Oh well!).

By the way, this guide is also available in video format.

Ladies and gentlemen, please welcome: OAuth 2.0

OAuth 2.0 is a security standard that allows one application to obtain permission to access information in another application. The sequence of steps for granting permission (or consent) is often called authorization or even delegated authorization. With this standard, you allow an application to read data or use features of another application on your behalf without giving it your password. Great!

For example, say you have found a site called "Terrible Pun of the Day" and decided to sign up to receive daily puns as text messages on your phone. You really liked the site and decided to share it with everyone you know. After all, everyone loves terrible puns, right?

"Terrible pun of the day: Did you hear about the guy who lost the left side of his body? He's all right now!" (the translation is approximate, because the original relies on its own wordplay - translator's note)

Obviously, writing to every person in your contact list is not an option. And, if you are anything like me, you will go to great lengths to avoid unnecessary work. Luckily, Terrible Pun of the Day can invite all your friends itself! To do that, you just need to give it access to your contacts' email addresses, and the site itself will send them invitations (OAuth rules)!

"Everybody loves puns! - Already logged in? - Do you want to give the Terrible Pun of the Day website access to your contact list? - Thank you! From now on, we will send reminders every day to everyone you know, until the end of time! You are the best friend ever!"

  1. Pick your email service.
  2. If necessary, go to the mail website and log in to your account.
  3. Give Terrible Pun of the Day permission to access your contacts.
  4. Return to the Terrible Pun of the Day website.

In case you change your mind, applications that use OAuth also provide a way to revoke access. Once you decide that you no longer want to share contacts with Terrible Pun of the Day, you can go to the mail site and remove the pun site from your list of authorized applications.

The OAuth flow

We have just gone through what is commonly called an OAuth flow. In our example, this flow consists of visible steps as well as several invisible steps in which the two services agree on a secure exchange of information. The preceding Terrible Pun of the Day example uses the most common OAuth 2.0 flow, known as the "authorization code" flow.

Before we dive into the details of how OAuth works, let's talk about what some of the terms mean:

  • Resource Owner:

    That's you! You own your credentials and your data, and you control all the actions that can be performed on your accounts.

  • Client:

    The application (such as the Terrible Pun of the Day service) that wants to access data or perform certain actions on behalf of the Resource Owner.

  • Authorization Server:

    The application that knows the Resource Owner and in which the Resource Owner already has an account.

  • Resource Server:

    The application programming interface (API) or service that the Client wants to use on behalf of the Resource Owner.

  • Redirect URI:

    The link to which the Authorization Server will redirect the Resource Owner after permission is granted to the Client. This is sometimes called the "Callback URL".

  • Response Type:

    The type of information the Client expects to receive. The most common Response Type is code, meaning the Client expects to receive an Authorization Code.

  • Scope:

    A detailed description of the permissions the Client needs, such as access to data or performing certain actions.

  • Consent:

    The Authorization Server takes the Scopes requested by the Client and asks the Resource Owner whether they are willing to grant the Client the corresponding permissions.

  • Client ID:

    This ID is used to identify the Client to the Authorization Server.

  • Client Secret:

    A password known only to the Client and the Authorization Server. It allows them to exchange information privately.

  • Authorization Code:

    A temporary code with a short validity period, which the Client gives to the Authorization Server in exchange for an Access Token.

  • Access Token:

    The key the Client will use to communicate with the Resource Server. A kind of badge or key card that gives the Client permission to request data or perform actions on the Resource Server on your behalf.

Note: Sometimes the Authorization Server and the Resource Server are the same server. However, in some cases they can be different servers, and may not even belong to the same organization. For example, the Authorization Server could be a third-party service trusted by the Resource Server.

Now that we are familiar with the basic concepts of OAuth 2.0, let's go back to our example and take a closer look at what happens in the OAuth flow.

  1. You, the Resource Owner, want to give the Terrible Pun of the Day service (the Client) access to your contacts so that it can send invitations to all your friends.
  2. The Client redirects the browser to the Authorization Server's page and includes in the request the Client ID, Redirect URI, Response Type, and one or more Scopes (permissions) it needs.
  3. The Authorization Server verifies who you are, prompting for a login and password if necessary.
  4. The Authorization Server displays a Consent (confirmation) form listing all the Scopes requested by the Client. You agree or refuse.
  5. The Authorization Server redirects you to the Client's site using the Redirect URI, along with an Authorization Code.
  6. The Client contacts the Authorization Server directly (bypassing the Resource Owner's browser) and securely sends its Client ID, Client Secret, and the Authorization Code.
  7. The Authorization Server verifies the data and responds with an Access Token.
  8. The Client can now use the Access Token to send a request to the Resource Server to get the list of contacts.
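The eight steps above, simulated in memory as an added example (not code from the original article or from Okta). The client name, URLs, secret and scope string are constructed; the `state` value, which the article does not cover, is the standard parameter a Client uses to match the redirect back to its own request.

```python
import hmac, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration data (see "Client ID and Secret"); all values are made up.
CLIENTS = {"pun-client": {"secret": "s3cr3t-demo",
                          "redirect_uri": "https://pun.example/callback"}}
CODES = {}    # authorization code -> (client_id, redirect_uri, scope, expiry)
TOKENS = {}   # access token -> granted scope

def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 2: the Client sends the browser to the Authorization Server."""
    q = {"response_type": "code", "client_id": client_id,
         "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return "https://auth.example/authorize?" + urlencode(q)

def authorize(url, user_consents, now=None):
    """Steps 3-5: validate the request, record consent, redirect back with a code."""
    p = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(p.get("client_id"))
    # Exact-match the registered Redirect URI so the code cannot be sent elsewhere.
    if not client or p.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or unregistered redirect_uri")
    if p.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    state = p.get("state", "")
    if not user_consents:
        return p["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
    code = secrets.token_urlsafe(16)
    CODES[code] = (p["client_id"], p["redirect_uri"], p.get("scope", ""), (now or time.time()) + 60)
    return p["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

def exchange_code(client_id, client_secret, code, redirect_uri, now=None):
    """Steps 6-7: back-channel exchange of the Authorization Code for an Access Token."""
    client = CLIENTS.get(client_id)
    if not client or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    entry = CODES.pop(code, None)   # single use: the code is deleted on first presentation
    if entry is None or entry[:2] != (client_id, redirect_uri) or (now or time.time()) > entry[3]:
        raise PermissionError("invalid, replayed or expired code")
    token = secrets.token_urlsafe(24)
    TOKENS[token] = entry[2]
    return token

def get_contacts(access_token):
    """Step 8: the Resource Server checks the token and its Scope."""
    if "contacts.read" not in TOKENS.get(access_token, "").split():
        raise PermissionError("token missing or lacks contacts.read")
    return ["alice@mail.example", "bob@mail.example"]   # constructed sample data
```

The code is bound to the Client and Redirect URI it was issued for, expires after 60 seconds and is deleted on first use, so an intercepted or replayed code fails at step 6.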

Client ID and Secret

Long before you allowed Terrible Pun of the Day to access your contacts, the Client and the Authorization Server established a working relationship. The Authorization Server generated a Client ID and Client Secret (sometimes called the App ID and App Secret) and sent them to the Client for further interaction within OAuth.

"- Hi! I'd like to work with you! - Sure, no problem! Here are your Client ID and Secret!"

As the name implies, the Client Secret must be kept secret so that only the Client and the Authorization Server know it. After all, it is with its help that the Authorization Server confirms the authenticity of the Client.

But that's not all... Please welcome OpenID Connect!

OAuth 2.0 is designed only for authorization: for granting access to data and features from one application to another. OpenID Connect (OIDC) is a thin layer on top of OAuth 2.0 that adds login and profile information about the user who is logged in to the account. Establishing a login session is often called authentication, and the information about the user logged in to the system (i.e. the Resource Owner) is called identity. If the Authorization Server supports OIDC, it is sometimes called an identity provider, because it provides the Client with information about the Resource Owner.

OpenID Connect lets you implement scenarios in which a single login can be used across multiple applications; this approach is also known as single sign-on (SSO). For example, an application can support SSO integration with social networks such as Facebook or Twitter, allowing users to use an account they already have and prefer to use.

The OpenID Connect flow looks the same as the OAuth flow. The only difference is that the initial request uses a specific scope, openid, and the Client ends up receiving both an Access Token and an ID Token.

Just as in the OAuth flow, the Access Token in OpenID Connect is a value that is opaque to the Client. From the Client's point of view, the Access Token is a string of characters that is sent along with every request to the Resource Server, which checks whether the token is valid. The ID Token is something completely different.

The ID Token is a JWT

An ID Token is a specially formatted string of characters known as a JSON Web Token, or JWT (JWTs are sometimes pronounced "jots"). To outside observers a JWT may look like incomprehensible gobbledygook, but the Client can extract various information from the JWT, such as the ID, username, account login time, the ID Token's expiration date, and whether there have been attempts to tamper with the JWT. The data inside the ID Token are called claims.

In the case of OIDC there is also a standard way for the Client to request additional identity information from the Authorization Server, for example an email address, using the Access Token.

Learn more about OAuth and OIDC

So, we have briefly looked at how OAuth and OIDC work. Ready to dig deeper? Here are some additional resources to help you learn more about OAuth 2.0 and OpenID Connect:

As always, feel free to comment. To keep up with our latest news, subscribe to Okta for Developers on Twitter and YouTube!

Source: www.habr.com