An Illustrated Guide to OAuth and OpenID Connect

Translator's note: This excellent article by Okta explains in a simple and clear way how OAuth and OIDC (OpenID Connect) work. The information will be useful to developers, system administrators and the "ordinary users" of popular web applications, which may exchange confidential data with other services.

In the Stone Age of the Internet, sharing information between services was easy. You simply handed your login and password for one service to another, so that it could sign in to your account and pull out whatever information it wanted.

"Give me your bank account." "We promise everything will be fine with the password and the money. Honestly, honestly!" *hee-hee*

Scary! Nobody should require a user to share their username and password, their credentials, with another service. There is no guarantee that the organization behind that service will keep the data safe and will not collect more personal information than it needs. It may sound crazy, but some apps still rely on this practice!

Today there is an agreed standard that lets one service securely use another's data. Unfortunately, such standards use a lot of jargon and terminology, which makes them hard to understand. The goal of this material is to explain how they work using simple illustrations (Think my drawings look like a child's doodles? Oh well!).


By the way, this guide is also available in video format:

Ladies and gentlemen, please welcome: OAuth 2.0

OAuth 2.0 is a security standard that lets one application obtain permission to access information held by another application. The sequence of steps for granting that permission (or consent) is usually called authorization, or delegated authorization. With this standard you allow an application to read data or use features of another application on your behalf, without ever giving it your password. Cool!

As an example, suppose you have found a site called "Terrible Pun of the Day" and decided to sign up so that you receive a daily pun as a text message on your phone. You liked the site so much that you decided to share it with all your friends. After all, everyone loves terrible puns, right?

"Terrible pun of the day: Did you hear about the guy who lost the left half of his body? Now he's all right!" (approximate translation, since the original has a pun of its own - approx. transl.)

Obviously, writing to every person in your contact list is not an option. And if you are anything like me, you will go to any length to avoid unnecessary work. Luckily, Terrible Pun of the Day can invite all your friends by itself! To make that happen, you only need to open access to your email contacts, and the site will send the invitations itself (OAuth rules)!

"Everyone loves puns! - Already signed in? Would you like to let the Terrible Pun of the Day website access your contact list? - Thanks! From now on we will send daily reminders to everyone you know, until the end of time! You're the best friend!"

  1. Choose your email service.
  2. If necessary, go to the email site and sign in to your account.
  3. Give Terrible Pun of the Day permission to access your contacts.
  4. Return to the Terrible Pun of the Day site.

In case you change your mind, applications that use OAuth also provide a way to revoke access. Once you decide you no longer want to share your contacts with Terrible Pun of the Day, you can go to the email site and remove the pun site from the list of authorized applications.

The OAuth flow

We have just walked through what is called an OAuth flow. In our example the flow consists of the visible steps, plus several invisible ones in which the two services agree on a secure exchange of information. The Terrible Pun of the Day example above uses the most common OAuth 2.0 flow, known as the "authorization code" flow.

Before diving into the details of how OAuth works, let's go over the meaning of a few terms:

  • Resource Owner:

    That's you! You own your credentials and your data, and you control every action that can be performed on your accounts.

  • Client:

    The application (for example, the Terrible Pun of the Day service) that wants to access data or perform certain actions on behalf of the Resource Owner.

  • Authorization Server:

    The application that knows the Resource Owner and where the Resource Owner already has an account.

  • Resource Server:

    The application programming interface (API) or service that the Client wants to use on behalf of the Resource Owner.

  • Redirect URI:

    The link to which the Authorization Server will redirect the Resource Owner after permission has been granted to the Client. Sometimes called the "callback URL".

  • Response Type:

    The type of information the Client expects to receive. The most common Response Type is code, meaning the Client expects to receive an Authorization Code.

  • Scope:

    A detailed description of the permissions the Client needs, such as access to data or the ability to perform certain actions.

  • Consent:

    The Authorization Server takes the Scopes requested by the Client and asks the Resource Owner whether they are willing to grant the Client the corresponding permissions.

  • Client ID:

    This ID is used to identify the Client to the Authorization Server.

  • Client Secret:

    A password known only to the Client and the Authorization Server. It lets the two of them exchange information privately.

  • Authorization Code:

    A temporary, short-lived code that the Client presents to the Authorization Server in exchange for an Access Token.

  • Access Token:

    The key the Client will use to talk to the Resource Server. A kind of badge or keycard that gives the Client permission to request data or perform actions on the Resource Server on your behalf.

Note: Sometimes the Authorization Server and the Resource Server are the same server. In other cases, however, they may be different servers, not even belonging to the same organization. For example, the Authorization Server may be a third-party service that the Resource Server trusts.

Now that we have covered the basic concepts of OAuth 2.0, let's return to our example and take a closer look at what happens in the OAuth flow.


  1. You, the Resource Owner, want to give the Terrible Pun of the Day service (the Client) access to your contacts so that it can send invitations to all your friends.
  2. The Client redirects the browser to the Authorization Server's page and includes in the request its Client ID, Redirect URI, Response Type and one or more Scopes (permissions) it needs.
  3. The Authorization Server verifies you, asking for a username and password if necessary.
  4. The Authorization Server shows a Consent form listing all the Scopes the Client requested. You agree or refuse.
  5. The Authorization Server sends you back to the Client using the Redirect URI, together with an Authorization Code.
  6. The Client talks directly to the Authorization Server (bypassing the Resource Owner's browser) and securely sends its Client ID, Client Secret and the Authorization Code.
  7. The Authorization Server checks this data and responds with an Access Token.
  8. Now the Client can use the Access Token to send a request to the Resource Server and obtain the contact list.
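The eight steps above, played out in code as an added example (not code from the original article or from Okta): the Client builds the step 2 request, the Authorization Server issues a one-time Authorization Code at step 5, and the back-channel exchange of Client ID, Client Secret and code for an Access Token happens at steps 6-7. All names, URLs and secrets are constructed; the `state` parameter is a standard OAuth 2.0 addition not mentioned in the text, included so the Client can tie the redirect back to the request it started.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data the Authorization Server issued to the Client beforehand.
CLIENT_ID = "terrible-pun-client"
CLIENT_SECRET = "constructed-secret-shared-only-with-the-as"
REDIRECT_URI = "https://pun.example/callback"
_codes = {}  # Authorization Server store: code -> {client_id, scope, expires}

def build_authorization_url(scope, state):
    """Step 2: the Client sends the browser to the Authorization Server with
    Client ID, Redirect URI, Response Type and the Scopes it needs."""
    return "https://as.example/authorize?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "response_type": "code", "scope": scope, "state": state})

def authorization_server_decides(auth_url, approved):
    """Steps 3-5: after login and consent the server redirects back to the
    registered Redirect URI with a short-lived, one-time Authorization Code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
        return None  # unknown client or unregistered redirect: refuse outright
    if q.get("response_type") != "code" or not approved:
        return REDIRECT_URI + "?" + urlencode({"error": "access_denied", "state": q["state"]})
    code = secrets.token_urlsafe(16)
    _codes[code] = {"client_id": CLIENT_ID, "scope": q["scope"], "expires": time.time() + 60}
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})

def client_receives_redirect(redirect_url, expected_state):
    """Step 5, Client side: accept only a code bound to the state it generated."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    return q.get("code") if q.get("state") == expected_state else None

def token_endpoint(code, client_id, client_secret):
    """Steps 6-7: back-channel exchange of Client ID, Client Secret and code for
    an Access Token. The code is consumed, so presenting it twice fails."""
    entry = _codes.pop(code, None)
    if (entry is None or entry["expires"] < time.time()
            or client_id != entry["client_id"] or client_secret != CLIENT_SECRET):
        return None
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "scope": entry["scope"]}

def run_flow(approved=True):
    state = secrets.token_urlsafe(8)
    redirect = authorization_server_decides(build_authorization_url("contacts.read", state), approved)
    code = client_receives_redirect(redirect, state) if redirect else None
    return token_endpoint(code, CLIENT_ID, CLIENT_SECRET) if code else None
```

Step 8 is the only part not shown: the Client would now present the returned `access_token` as a Bearer token to the Resource Server.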

Client ID and Secret

Long before you allowed Terrible Pun of the Day to access your contacts, the Client and the Authorization Server established a working relationship. The Authorization Server generated a Client ID and a Client Secret (sometimes called App ID and App Secret) and handed them to the Client for all further interaction within OAuth.

"- Hi! I'd like to work with you! - Sure, no problem! Here is your Client ID and Secret!"

As the name suggests, the Client Secret must be kept secret, so that only the Client and the Authorization Server know it. After all, it is what the Authorization Server uses to verify that the Client is genuine.

But that's not all... Please welcome OpenID Connect!

OAuth 2.0 is designed for authorization only: granting one application access to data and features of another. OpenID Connect (OIDC) is a thin layer on top of OAuth 2.0 that adds login and profile information about the signed-in user. Establishing a login session is usually referred to as authentication, and the information about the signed-in user (that is, about the Resource Owner) is their identity. If the Authorization Server supports OIDC, it is sometimes called an identity provider, because it supplies the Client with information about the Resource Owner.

OpenID Connect lets you implement scenarios in which a single login is used across several applications, an approach known as single sign-on (SSO). For example, an application might offer SSO integration with social networks such as Facebook or Twitter, letting users pick an account they already have and sign in with it.


The OpenID Connect flow looks the same as the OAuth one. The only difference is that the initial request uses a specific scope, openid, and the Client ends up receiving both an Access Token and an ID Token.


Just as in the OAuth flow, the Access Token in OpenID Connect is an opaque value as far as the Client is concerned. From the Client's point of view the Access Token is a string that it passes along with every request to the Resource Server, and it is the Resource Server that decides whether the token is valid. The ID Token is something entirely different.

The ID Token is a JWT

The ID Token is a specially formatted string known as a JSON Web Token, or JWT (JWTs are sometimes pronounced "jots"). To an outside observer a JWT may look like unreadable gibberish, but the Client can extract a range of details from it, such as the ID, the username, the login time, the ID Token's expiry date, and whether anyone has attempted to tamper with the JWT. The data inside the ID Token is called claims.
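How a Client pulls claims out of an ID Token and detects tampering, as an added example (not code from the original article or from Okta). It builds and checks an HS256 JWT with a constructed shared key so it runs offline; real Authorization Servers normally sign ID Tokens with an asymmetric key (RS256) whose public part the Client fetches, but the validation order shown, algorithm, signature, issuer, audience, expiry, is the same.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(segment):
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_id_token(claims, key):
    """Builds a HS256 JWT (header.payload.signature) from a dict of claims.
    Constructed for this example; stands in for what the identity provider issues."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_id_token(token, key, expected_iss, expected_aud, now=None):
    """Checks algorithm, signature, issuer, audience and expiry, in that order.
    Returns the claims, or None if any check fails (a tampered payload included)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # signature does not cover this header+payload: tampered or forged
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or malformed JSON
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None  # issued by someone else, or for a different Client
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None  # expired (or no expiry at all)
    return claims
```

The `aud` check is what stops an ID Token issued for one Client from being accepted by another; the signature check is what makes the "presence of tampering" visible to the Client.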


OIDC also defines a standard way for the Client to request additional information about the identity from the Authorization Server, for example the email address, using the Access Token.

Learn more about OAuth and OIDC

So, we have taken a brief look at how OAuth and OIDC work. Ready to dig deeper? Here are additional resources to help you learn more about OAuth 2.0 and OpenID Connect:

As usual, feel free to leave a comment. To stay up to date with our latest news, follow Okta for Developers on Twitter and YouTube!

P.S. from the translator

Also read on our blog:

Source: www.habr.com
