An Illustrated Guide to OAuth and OpenID Connect

Translator's note: This excellent Okta article explains in a simple and clear way how OAuth and OIDC (OpenID Connect) work. The information will be useful to developers, system administrators, and "ordinary users" of popular web applications that may exchange confidential data with other services.

In the Stone Age of the Internet, sharing information between services was simple. You just handed your login and password from one service to another, so that it could sign in to your account and pull out whatever information it needed.

"Give me your bank account." "We promise the password and the money will be just fine. Honest, truly!" *Yikes*

Scary! No user should ever have to share their username and password, their credentials, with another service. There is no guarantee that the organization running that service will keep the data safe, or that it will not collect more personal information than it actually needs. It may sound crazy, but some applications still use this practice!

Today there is an agreed standard that lets one service securely use another service's data. Unfortunately, such standards use a lot of jargon and terminology, which makes them hard to understand. The goal of this article is to explain how they work using simple illustrations (think my drawings look like children's doodles? Well, too bad!).


By the way, this guide is also available in video format:

Ladies and gentlemen, please welcome: OAuth 2.0

OAuth 2.0 is a security standard that lets one application obtain permission to access information in another application. The sequence of steps by which that permission (or consent) is granted is usually called authorization, or even delegated authorization. With this standard you allow an application to read data from, or use features of, another application on your behalf without ever giving it your password. Sweet!

As an example, say you discover a site called "Terrible Pun of the Day" and decide to sign up to receive a daily pun as a text message on your phone. You really like the site and decide to share it with all your friends. After all, everyone loves terrible puns, right?

"Terrible pun of the day: Did you hear about the guy who lost the left side of his body? He's all right now!" (an approximate translation, since the original has its own pun - transl.)

Obviously, writing to every single person in your contact list is not an option. And if you are anything like me, you will go to any lengths to avoid unnecessary work. Fortunately, Terrible Pun of the Day can invite all your friends for you! All you have to do is grant it access to your email contacts, and the site sends the invitations itself (OAuth to the rescue)!

"Everyone loves puns! - Already signed in? - Would you like to allow the Terrible Pun of the Day website to access your contact list? - Thank you! From now on we'll send daily reminders to everyone you know, until the end of time! You're a great friend!"

  1. Select your email provider.
  2. If necessary, go to the email site and sign in to your account.
  3. Give Terrible Pun of the Day permission to access your contacts.
  4. Return to the Terrible Pun of the Day site.

If you happen to change your mind, applications that use OAuth also provide a way to revoke access. If you later decide you no longer want to share your contacts with Terrible Pun of the Day, you can go to your email site and remove the pun site from the list of authorized applications.

The OAuth flow

We have just walked through what is commonly called an OAuth flow. In our example the flow consists of the visible steps above, plus a few invisible steps in which the two services agree on a secure exchange of information. The Terrible Pun of the Day example uses the most common OAuth 2.0 flow, known as the "authorization code" flow.

Before getting into the details of how OAuth works, let's define some terms:

  • Resource Owner:

    That's you! You own your credentials and your data, and you control every action that can be performed on your accounts.

  • Client:

    The application (for example, the Terrible Pun of the Day service) that wants to access data, or perform certain actions, on behalf of the Resource Owner.

  • Authorization Server:

    The application that knows the Resource Owner, and where the Resource Owner already has an account.

  • Resource Server:

    The application programming interface (API) or service that the Client wants to use on behalf of the Resource Owner.

  • Redirect URI:

    The URL the Authorization Server will redirect the Resource Owner back to after granting permission to the Client. Sometimes called the "callback URL".

  • Response Type:

    The type of information the Client expects to receive. The most common Response Type is code, meaning the Client expects to get an Authorization Code.

  • Scope:

    A granular description of the permissions the Client is asking for, such as access to data or the right to perform certain actions.

  • Consent:

    The Authorization Server takes the Scopes requested by the Client and asks the Resource Owner whether they are willing to grant the Client those permissions.

  • Client ID:

    This ID is used to identify the Client to the Authorization Server.

  • Client Secret:

    A password known only to the Client and the Authorization Server. It lets the two exchange information privately.

  • Authorization Code:

    A temporary, short-lived code that the Client hands to the Authorization Server in exchange for an Access Token.

  • Access Token:

    The key the Client uses to talk to the Resource Server. Think of it as a badge or key card that gives the Client permission to request data or perform actions on the Resource Server on your behalf.

Note: sometimes the Authorization Server and the Resource Server are the same server. In other cases, however, they may be separate servers, and they need not even belong to the same organization. For example, the Authorization Server may be a third-party service that the Resource Server trusts.

Now that we have covered the core concepts of OAuth 2.0, let's return to our example and take a closer look at what happens in the OAuth flow.


  1. You, the Resource Owner, want to give the Terrible Pun of the Day service (the Client) access to your contacts so that it can send invitations to all your friends.
  2. The Client redirects your browser to the Authorization Server's page, including in the query the Client ID, the Redirect URI, the Response Type, and one or more Scopes (permissions) it needs.
  3. The Authorization Server authenticates you, asking for your username and password if necessary.
  4. The Authorization Server shows you a Consent form listing all the Scopes the Client requested. You agree or decline.
  5. The Authorization Server redirects you back to the Client's site, using the Redirect URI and attaching the Authorization Code.
  6. The Client contacts the Authorization Server directly (bypassing the Resource Owner's browser) and securely sends the Client ID, the Client Secret and the Authorization Code.
  7. The Authorization Server verifies the data and responds with an Access Token.
  8. The Client can now use the Access Token to send a request to the Resource Server and get the contact list.
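The eight steps above, and the terms defined earlier, played out end to end in one process as an added example. This is not code from the Okta article or from any real service: the client ID and secret, the https://mail.example and https://puns.example URLs, the contacts.read scope and the contact list are all made up for illustration. It also makes explicit three checks the steps rely on but do not spell out: the Authorization Server matches the Redirect URI exactly against what the Client registered, an Authorization Code can be exchanged only once and only by the Client it was issued to, and the Client sends a random state value in step 2 and refuses any callback that does not echo it back.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Knows the Resource Owner; issues Authorization Codes and Access Tokens."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, set of registered Redirect URIs)
        self._codes, self._tokens = {}, {}

    def authorize(self, auth_url, resource_owner_consents):
        """Steps 2-5: validate the front-channel request, ask for consent, redirect back."""
        q = _query(auth_url)
        _, allowed = self.clients[q["client_id"]]
        # Exact match against the registered Redirect URI: a tampered request must not
        # be able to deliver the code to a URL the attacker controls.
        if q["redirect_uri"] not in allowed:
            raise ValueError("unregistered redirect_uri")
        if q.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        state = q.get("state", "")
        if not resource_owner_consents:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                             "scope": q["scope"], "expires": time.time() + 60}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 6-7: back-channel exchange of code + Client credentials for an Access Token."""
        registered_secret, _ = self.clients.get(client_id, (None, None))
        if registered_secret is None or not hmac.compare_digest(registered_secret, client_secret):
            raise PermissionError("invalid_client")
        entry = self._codes.pop(code, None)  # pop: an Authorization Code is single-use
        if entry is None or entry["expires"] < time.time():
            raise PermissionError("invalid_grant: unknown, already used or expired code")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code belongs to another client/redirect_uri")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"client_id": client_id, "scope": entry["scope"], "expires": time.time() + 3600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": entry["scope"]}

    def introspect(self, token):
        entry = self._tokens.get(token)
        return entry if entry and entry["expires"] > time.time() else None


class ResourceServer:
    """Holds the contacts; serves them only for a valid Bearer token carrying the right Scope."""

    def __init__(self, auth_server, contacts):
        self.auth_server, self.contacts = auth_server, contacts

    def get_contacts(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.introspect(token) if scheme == "Bearer" else None
        if info is None:
            raise PermissionError("401 invalid_token")
        if "contacts.read" not in info["scope"].split():
            raise PermissionError("403 insufficient_scope")
        return list(self.contacts)


class Client:
    """Terrible Pun of the Day: gets the contacts without ever seeing the user's password."""

    def __init__(self, client_id, client_secret, redirect_uri, auth_server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.auth_server = redirect_uri, auth_server
        self._pending_state = None

    def build_authorization_url(self, scope):
        # `state` is a fresh random value the Client checks on return, so a callback
        # it never started (CSRF, injected code) is rejected.
        self._pending_state = secrets.token_urlsafe(16)
        return "https://mail.example/authorize?" + urlencode({
            "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "response_type": "code", "scope": scope, "state": self._pending_state})

    def handle_callback(self, callback_url):
        q = _query(callback_url)
        if not self._pending_state or not hmac.compare_digest(q.get("state", ""), self._pending_state):
            raise PermissionError("state mismatch")
        if "error" in q:
            raise PermissionError(q["error"])
        return self.auth_server.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)


def run_flow(consent=True):
    """Drives steps 1-8 end to end; returns the contact list the Client obtained."""
    auth = AuthorizationServer({"pun-of-the-day": ("s3cret", {"https://puns.example/callback"})})
    resource = ResourceServer(auth, ["alice@example.com", "bob@example.com"])  # constructed sample data
    client = Client("pun-of-the-day", "s3cret", "https://puns.example/callback", auth)
    url = client.build_authorization_url("contacts.read")            # step 2
    callback = auth.authorize(url, resource_owner_consents=consent)  # steps 3-5
    token_response = client.handle_callback(callback)                # steps 6-7
    return resource.get_contacts("Bearer " + token_response["access_token"])  # step 8
```

Calling run_flow() returns the contact list. Declining consent, replaying the same callback URL a second time, presenting a callback whose state the Client did not generate, or asking to be redirected to an unregistered URL each stops the flow before any token is issued, which is exactly where a real Authorization Server and Client must stop it too.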

Client ID and Secret

Long before you allowed Terrible Pun of the Day to access your contacts, the Client and the Authorization Server had established a working relationship. The Authorization Server generated a Client ID and a Client Secret (sometimes called the App ID and App Secret) and handed them to the Client for use in all further OAuth interactions.

"- Hello! I'd like to work with you! - Sure, no problem! Here are your Client ID and Secret!"

As the name suggests, the Client Secret must be kept secret, so that only the Client and the Authorization Server know it. It is this secret that lets the Authorization Server verify that it is really talking to the Client, which is also why it must never be embedded in code that ships to users' browsers or devices.

But that's not all... Please welcome OpenID Connect!

OAuth 2.0 is designed purely for authorization: granting one application access to the data and features of another. OpenID Connect (OIDC) is a thin layer on top of OAuth 2.0 that adds sign-in and profile information about the user who is logged in. Establishing a login session is usually called authentication, and the information about the logged-in user (that is, the Resource Owner) is called identity. When an Authorization Server supports OIDC it is sometimes called an identity provider, because it provides the Client with information about the Resource Owner.

OpenID Connect enables scenarios in which a single login can be used across multiple applications, an approach also known as single sign-on (SSO). For example, an application might support SSO integration with social networks such as Facebook or Twitter, letting users sign in with an account they already have and prefer to use.


The OpenID Connect flow looks the same as the OAuth flow. The only differences are that the initial request includes a specific scope, openid, and that at the end the Client receives not only an Access Token but also an ID Token.


As in the OAuth flow, the Access Token in OpenID Connect is an opaque value as far as the Client is concerned. From the Client's point of view it is just a string that is passed along with every request to the Resource Server, which decides whether the token is valid. The ID Token is something else entirely.

The ID Token is a JWT

The ID Token is a specially formatted string known as a JSON Web Token, or JWT (JWTs are sometimes pronounced "jots"). To an outside observer a JWT may look like unintelligible gibberish, but the Client can extract a range of information from it, such as the user's ID and name, when they logged in, when the ID Token expires, and whether anyone has tried to tamper with the JWT. The pieces of data inside the ID Token are called claims.
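What "the Client can extract claims from the JWT and detect tampering" means in practice, as an added example using only the Python standard library (this is not Okta's code, and the issuer, client ID, claim values and secret are assumptions). The Authorization Server signs the ID Token with HS256 using the Client Secret, which OIDC permits as an alternative to public-key signatures; the Client pins the algorithm rather than trusting the header, checks the signature with a constant-time comparison, and then checks iss, aud and exp before believing any claim.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """Authorization Server side: header.payload.signature, signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_id_token(token: str, client_secret: str, issuer: str, client_id: str, now=None) -> dict:
    """Client side: returns the claims only if signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # The header is attacker-controlled, so pin the algorithm instead of letting
    # the token choose "none" or a different scheme.
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature: token was tampered with or signed with another key")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token was issued for a different client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def tamper(token: str, new_claims: dict) -> str:
    """What an attacker without the key can do: swap the payload, keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url(json.dumps(new_claims, separators=(',', ':')).encode())}.{sig_b64}"
```

The payload is only base64url-encoded, not encrypted, so anyone holding the token can read the claims; what they cannot do is change them, because the signature covers the header and payload and verify_id_token rejects a token whose signature no longer matches, as tamper() demonstrates.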


With OIDC there is also a standard way for the Client to request additional information about the identity from the Authorization Server (the UserInfo endpoint), such as the user's email address, by presenting the Access Token.

Learn more about OAuth and OIDC

So, we have briefly reviewed how OAuth and OIDC work. Ready to dig deeper? Here are some additional resources to help you learn more about OAuth 2.0 and OpenID Connect:

As always, feel free to leave a comment. To keep up with our latest news, follow Okta Developer on Twitter and YouTube!


Source: www.habr.com
