authentication - Use cases for OAuth2.0

Reposted. Author: IT王子. Updated: 2023-10-29 01:49:16
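I am building a multi-tenancy SaaS (software as a service) architecture. I have to build an authentication system for the system.

Based on my research, I think I need to build an authentication system based on OAuth2.0 and bearer tokens with JWT tokens.

After reading a lot about OAuth2.0 and how to build an OAuth2.0 server, I still don't understand the full concept of OAuth, and I am confused about whether I need it or whether I need some other authentication system.

What my system needs is this: we will provide an SDK to all of our customers, and each customer will have an Application Id and a key. Using the SDK, the client will connect to his application that exists in our system.

The application ID will map the customer to his application in our system, and the client secret key will authenticate the client inside the application. Do I still need to build an OAuth2.0-based authentication system, or can I build my own authentication system according to my needs?

What are the use cases of OAuth2.0? When do we not need to implement it?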

Best answer

First, as clearly stated in "OAuth authentication":

OAuth 2.0 is not an authentication protocol.

Authentication in the context of a user accessing an application tells an application who the current user is and whether or not they're present. A full authentication protocol will probably also tell you a number of attributes about this user, such as a unique identifier, an email address, and what to call them when the application says "Good Morning".

However, OAuth tells the application none of that.
OAuth says absolutely nothing about the user, nor does it say how the user proved their presence or even if they're still there.
As far as an OAuth client is concerned, it asked for a token, got a token, and eventually used that token to access some API. It doesn't know anything about who authorized the application or if there was even a user there at all.

There is a standard for user authentication using OAuth: OpenID Connect, which is compatible with OAuth2.

The OpenID Connect ID Token is a signed JSON Web Token (JWT) that is given to the client application along side the regular OAuth access token.
The ID Token contains a set of claims about the authentication session, including an identifier for the user (sub), the identifier for the identity provider who issued the token (iss), and the identifier of the client for which this token was created (aud).

In Go, you can take a look at coreos/dex, an OpenID Connect Identity (OIDC) and OAuth 2.0 provider with pluggable connectors.
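An added example, not part of the original answer and not code from coreos/dex: a client application checking an ID Token's signature, iss, aud and exp before it trusts sub, using only the Go standard library. It assumes an HS256-signed token with a shared key and a single-valued aud; the key, issuer URL, client ID and the `Sign` helper are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
func mac(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// Sign builds a constructed HS256 token so the example runs offline.
func Sign(payload string, key []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(payload))
	return in + "." + b64.EncodeToString(mac(key, in))
}

// VerifyIDToken returns sub only if the signature (HS256 pinned; header alg ignored), iss, aud and exp check out.
func VerifyIDToken(tok string, key []byte, iss, clientID string, now int64) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	if sig, err := b64.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac(key, p[0]+"."+p[1])) {
		return "", fmt.Errorf("bad signature")
	}
	var c struct { // assumes a single-valued aud
		Iss, Sub, Aud string
		Exp           int64
	}
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", fmt.Errorf("bad claims")
	}
	if c.Iss != iss || c.Aud != clientID || c.Sub == "" || now >= c.Exp {
		return "", fmt.Errorf("rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return c.Sub, nil
}

func main() {
	tok := Sign(`{"iss":"https://idp.example","sub":"user-123","aud":"sdk-client","exp":2000000000}`, []byte("constructed-key"))
	fmt.Println(VerifyIDToken(tok, []byte("constructed-key"), "https://idp.example", "sdk-client", 1700000000))
}
```

A provider that signs with an asymmetric key needs a public-key verification step in place of the HMAC comparison; the claim checks are unchanged.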

Regarding authentication - use cases for OAuth2.0, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/36974902/
