oauth - 有多个资源时使用Auth2进行身份验证(Authenticating using Auth2 when there are several resources)

Question

I need to implement a single sign on of a user, which can get services from several different services.

(我需要实现一个用户的单一登录，它可以从多个不同的服务中获取服务。)

When there was only a single service, the user could log in from the client side, send the request to a backend, gets a URL back to a JWT token issuer server, from which he can get a token which he sends back to the BE and he is now authenticated.

(当只有一项服务时，用户可以从客户端登录，将请求发送到后端，将URL返回给JWT令牌发行者服务器，从中他可以获得令牌，然后将其发送回BE现在他已通过身份验证。)

What is now changing, is that he needs to get more services.

(现在正在发生的变化是，他需要获得更多的服务。)

Each service has its own frontend and backend, but everyone are using the same issuer.

(每个服务都有自己的前端和后端，但是每个人都使用同一发行者。)

Meaning there are both services with FE and BE, and also there is another general BE for the authentication.

(意味着同时具有FE和BE的服务，并且还有另一个用于认证的常规BE。)

What is the correct flow to authenticate in the scenario?

(在场景中进行身份验证的正确流程是什么？)

Can the general BE issue a token for the client for each of the required services?

(普通BE是否可以为客户提供每项所需服务的令牌？)

Or should the BE respond the client with the services's BE url and let the client itself send an authentication token response from each service?

(还是BE应该使用服务的BE URL响应客户端，并让客户端本身从每个服务发送身份验证令牌响应？)

Or something else?

(或者是其他东西？)

  ask by Yonatan Nir translate from so

Answer 1

I assume you mean OpenID Connect, since OAuth2.0 is not used for authentication and does not require the use of JWTs.

(我假设您的意思是OpenID Connect，因为OAuth2.0不用于身份验证，并且不需要使用JWT。)

Also, in your scenario there are not multiple resources, but multiple clients / relying parties.

(另外，在您的方案中，没有多个资源，但是有多个客户/依赖方。)

Using the OpendID Connect Implicit flow, the issuer will eventually send an id token (JWT) to the user's browser.

(使用OpendID Connect Implicit流，发行者最终将向用户的浏览器发送ID令牌（JWT）。)

This JWT can be used to authenticate to a service.

(该JWT可以用于对服务进行身份验证。)

Each JWT will contain an aud (audience) claim to identify the service it should be used for.

(每个JWT都会包含一个aud （听众）声明，以标识其应用于的服务。)

Using the Authorization Code flow, the issuer will eventually send an authorization code to the user's browser.

(使用授权码流程，发行者最终将向用户的浏览器发送授权码。)

The user will send the code to a service, and the service will send the code plus its client id to the issuer in exchange for an id token (JWT) and an access token.

(用户将代码发送给服务，服务会将代码及其客户ID发送给发行方，以换取ID令牌（JWT）和访问令牌。)

In both cases, the service identifies the end user using the iss (issuer) claim, and verifies the JWT by checking the signature, expiry and audience.

(在这两种情况下，该服务都使用iss （签发人）声明标识最终用户，并通过检查签名，有效期限和受众来验证JWT。)