您的位置: 首页  >  技术问答  >  单页应用程序(SPA)的单点登录(SSO)解决方案/体系结构

单页应用程序(SPA)的单点登录(SSO)解决方案/体系结构

分类: 技术问答 2022-05-11 19:43:25
问题描述:

一段时间以来,我一直在研究SPA的SSO解决方案.有很多解决方案存在细微的差异,而我也发现并不是每个人都对SSO有相同的理解,并且没有很多针对SPA的SSO既定模式.因此,我并不是要详细的设计/架构,而只是想看看是否有关于此主题的任何常规做法.

I've been investigating SSO solution for SPAs for some time. There're a lot of solutions with subtle difference, while I also found not really everyone has the same understanding of SSO and not many established pattern of SSO for SPA are out there. Thus I'm not asking for a detailed design/architecture, but just try to see if there's any common practice on this topic.

我对SSO意味着什么?

  1. 我们正在开发一些新的SPA(也可能是移动应用程序和平板电脑应用程序),它们将部署在不同的服务器上并具有不同的域.
  2. 我们还有一个*IdP(authServer),所有用户标识都将存储在其中.
  3. 一旦我登录 SPA1 ,然后单击一个按钮,即可将我带到 SPA2 (或 SPA3 SPA4 ,可能),则不必输入用户凭据,它会自动登录.
  1. We have a few new SPAs under development(also potentially mobile and tablet apps), which will be deployed in different servers and have different domains.
  2. We also have a central IdP (authServer) where all the user identify will be stored.
  3. Once I log into SPA1 and clicked a button which brings me to SPA2(or SPA3, SPA4, potentially), I don't have to enter user credentials and will be logged in automatically.

SPA有何区别? (而不是常规的Web应用程序)

我已经研究了一些解决方案,甚至是像SAML这样的旧解决方案(只是想了解SSO ..).我目前的候选人是 OpenId Connect ,但后来我意识到SPA的不同之处,如果我理解是正确的:与常规的Web应用程序不同,SPA通常不具有(或我们尝试不具有)后端服务器. SPA所具有的只是一个服务器,该服务器提供静态页面以及脚本,样式表以及图片.

I've looked at a few solutions, even old solutions like SAML(just want to get a sense about SSO..). my current candidate is OpenId Connect, but then I realized a difference for SPA, if my understanding is correct: Unlike regular web apps, SPA usually doesn't have (or we try not to have) a backend server. What SPA has is just a server serving static pages along with scripts, style sheets, and images.

现在出现了问题:

OpenId Connect 基于

OpenId Connect is based on OAuth2 Authorization Code grant type, which means either:

  1. 如果我想让每个SPA正常工作,则需要一个类似于后端代理的模块.
  2. 我使用其他解决方案来执行客户端SSO,例如 auth0提供
  3. 我还没有找到其他解决方案/示例

我的问题:

对于第一点,我的理解正确吗?最好不要让SPA具有像常规Web应用程序一样的后端代码?

For above point 1, is my understanding correct ? Is it better not to let SPA have backend code like a regular web app?

对于上述point2来说,这听起来像是一个解决方案,但与 OAuth2 有本质区别隐式授予类型?

For above point2, that sounds like a solution, but how is that essentially different than OAuth2 Implicit grant type ?

而且,还有其他我应该知道但尚未探索的解决方案(框架,协议等)吗?

And, are there other solutions(framework, protocol etc.) that I should know but haven't explored yet ?

除了使用授权代码授权的基本客户端配置文件外,OpenID Connect还具有一个基于OAuth 2.0的隐式授权的隐式客户端配置文件.此配置文件允许将令牌直接传递给浏览器/Javascript客户端,而无需后端.

In addition to the Basic Client Profile that uses the Authorization Code grant, OpenID Connect has an Implicit Client Profile that builds on the Implict grant from OAuth 2.0. This profile allows for tokens to be delivered directly to in-browser/Javascript clients without involving a backend.

相关推荐