How does the authorization endpoint know the user is logged in?

Submitted by 允我心安 on 2020-02-25 13:06:06

Question


I am implementing single sign-in with OAuth2 and OpenID Connect for a distributed web application. The Authorization Server is running on its own. I've implemented the access token endpoint and currently trying to implement the authorization endpoint (for Authorization Code flow).

This is my understanding of what should happen


              GET http://authserver/authorize?client_id=1&
                                              state=BB&
 _________                                    scope=read_user&                ____________
|         |                                   redirect_uri=myapp/callback    |            |
|         |----------------------------------------------------------------> |            |
| Browser |                                                                  | AuthServer |
|         |<-----------------------------------------------------------------|            |
|_________|   302 myapp/callback?code=AAA&state=BB                           |____________|


At this point the browser simply needs to make a second request to the access token endpoint with the code, and it will receive the access token.

However, before all this happens, I'm a bit confused about how the Authorization Server really knows that the user is logged in.

  1. Shouldn't the Authorization Server verify that the user is logged in somehow?
  2. If at a previous step, say the user logged in and got a cookie from another server, how could that be verified from the Authorization Server's point of view? How does the server know that the user requesting the code is John and not Bob or someone anonymous?

Answer 1:


I will try to answer your questions with RFC 6749, The OAuth 2.0 Authorization Framework. Note that this is valid for OpenID Connect as well, as it is an extension of OAuth 2.0.

1. Shouldn't the Authorization Server verify that the user is logged in somehow?

Section 3.1, Authorization Endpoint, states the following:

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.

Before the redirect, the authorization server performs end user authorization for the request. This is done in the form of a user login or another mechanism, as given above. This is the point where the actual end user validation happens. From your question's perspective, this is the login.

2. If at a previous step, say, the user logged in and got a cookie from another server, how could that be verified from the Authorization Server's point of view?

I hope you know the basics about cookies. They help browser-based web applications maintain state between the front end and the backend.

Depending on the authorization server's configuration, one could ask the end user to mark the logged-in state as remembered. Then what your browser gets is a secure cookie, which is stored in the browser. This is a string which has no meaning to the end user, but in the backend there is a correlation (think of an index key) against the logged-in user (e.g. A1 - Bob, A2 - Alex).

So the next time the user opens the browser and uses your application, the authorization server gets the cookie with the authorization request. If the cookie is not expired/invalidated, the authorization server can skip the login dialog. And as highlighted in the first section, the end user grant occurs through the cookie.

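As an added example (not code from the original question or answer), here is a minimal Python model of the authorization endpoint the answer describes, together with the half of the token endpoint that redeems the code. It shows the three things the answer relies on: the authorization server looks up its own session cookie (an opaque random value mapped to a user server-side, so a cookie from some other server is simply unknown and treated as anonymous), it sends the browser to the login page when no valid session exists, and the issued code is bound to the user, client and redirect_uri so the token endpoint can later tell that the code belongs to John and was issued to this client. The client_id "1", the "myapp/callback" and "authserver" URLs, the scope "read_user" and the TTLs are taken from the question's diagram or are assumptions for the example; the redirect_uri check before any redirect is the practitioner's caveat the answer does not spell out.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample data, not from the original post: one registered client
# (client_id "1", as in the question's diagram) and the authorization server's
# OWN session store. Names, URLs and TTLs are assumptions for this example.
CLIENTS = {
    "1": {"redirect_uris": {"https://myapp/callback"}, "scopes": {"read_user"}},
}
LOGIN_URL = "https://authserver/login"

SESSIONS = {}    # cookie value -> {"user": str, "expires": float}
AUTH_CODES = {}  # code -> {"user", "client_id", "redirect_uri", "scope", "expires", "used"}


def _now(now):
    return time.time() if now is None else now


def create_session(user, ttl=3600, now=None):
    """Called by the login page once the user has proven identity to the AS.

    The cookie value is a random opaque token; the user's identity is stored
    only server-side, so the browser cannot alter who it is logged in as."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "expires": _now(now) + ttl}
    return cookie


def session_user(cookie, now=None):
    """Return the user bound to this cookie, or None if unknown or expired.

    A cookie issued by some other server is simply not in SESSIONS, so it is
    treated as anonymous: only sessions the AS itself created count."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return None
    if sess["expires"] <= _now(now):
        del SESSIONS[cookie]
        return None
    return sess["user"]


def _redirect(base, params):
    return 302, {"Location": base + "?" + urlencode(params)}, ""


def authorize(query, cookie, now=None):
    """Authorization endpoint (RFC 6749 sections 3.1 and 4.1.1).

    query: dict of the request's query parameters. Returns (status, headers, body)."""
    client = CLIENTS.get(query.get("client_id"))
    redirect_uri = query.get("redirect_uri")
    # Check client_id and redirect_uri first, and answer a mismatch with an
    # error page rather than a redirect: otherwise the endpoint is an open
    # redirector that hands codes to whatever URI the request named.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return 400, {}, "invalid client_id or redirect_uri"
    state = query.get("state", "")
    if query.get("response_type") != "code":
        return _redirect(redirect_uri, {"error": "unsupported_response_type", "state": state})
    scope = query.get("scope", "")
    if not set(scope.split()) <= client["scopes"]:
        return _redirect(redirect_uri, {"error": "invalid_scope", "state": state})

    # The "MUST first verify the identity of the resource owner" step: the AS
    # looks up its own session cookie. No valid session -> login page, which
    # returns to this same authorization request afterwards.
    user = session_user(cookie, now)
    if user is None:
        return _redirect(LOGIN_URL, {"return_to": "/authorize?" + urlencode(query)})

    # Logged in: mint a short-lived, single-use code bound to user, client and
    # redirect_uri. That binding is how the token endpoint later knows the
    # code belongs to this user and was issued to this client.
    code = secrets.token_urlsafe(32)
    AUTH_CODES[code] = {"user": user, "client_id": query["client_id"],
                        "redirect_uri": redirect_uri, "scope": scope,
                        "expires": _now(now) + 60, "used": False}
    return _redirect(redirect_uri, {"code": code, "state": state})


def redeem_code(code, client_id, redirect_uri, now=None):
    """Token endpoint side: exchange a code for the user it was issued for
    (RFC 6749 section 4.1.3). Returns None if the code is unknown, expired,
    already used, or was issued to a different client or redirect_uri."""
    rec = AUTH_CODES.get(code)
    if rec is None or rec["used"] or rec["expires"] <= _now(now):
        return None
    rec["used"] = True  # single use, even when the binding check below fails
    if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        return None
    return rec["user"]


def location_params(headers):
    """Helper: the query parameters of a redirect's Location header."""
    return {k: v[0] for k, v in parse_qs(urlparse(headers["Location"]).query).items()}


if __name__ == "__main__":
    req = {"response_type": "code", "client_id": "1", "state": "BB",
           "scope": "read_user", "redirect_uri": "https://myapp/callback"}
    print(authorize(req, cookie=None)[1]["Location"])       # login page, no code yet
    cookie = create_session("john")                           # after John logs in
    status, headers, _ = authorize(req, cookie)
    print(headers["Location"])                                # myapp/callback?code=...&state=BB
    code = location_params(headers)["code"]
    print(redeem_code(code, "1", "https://myapp/callback"))   # john
    print(redeem_code(code, "1", "https://myapp/callback"))   # None: code is single use
```

Run as a script it walks the question's diagram twice: once anonymously, which ends at the login page, and once with John's session cookie, which ends with a code that the token endpoint maps back to "john" exactly once. The `now` parameters exist only so expiry can be exercised deterministically; a real login page would also set the cookie with `Secure`, `HttpOnly` and a `SameSite` attribute, which this in-memory model does not show.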


Source: https://stackoverflow.com/questions/58854869/how-authorization-endpoint-knows-user-is-logged-in
