SpringBoot-Shiro-Vue | 提供一套基于Spring BootShiroVue的权限管理思路.前后端都加以控制,做到按钮/接口级别的权限 | Authorization library

You need to pass the actual instance of the question (and you don't need to pass the user class) if the policy is regarding a specific question:

$user in the policy is always the currently signed in user.

Yes you can :)

Create your own Passport client.

And update your App\Providers\AuthServiceProvider.

I consider if there is a way to use Istio to translate opaque token to JWT.

Unfortunately, Istio won't be able to translate the tokens. In your case, it seems to me that the easiest way is to get services in such a way that they work on one type of token.

Translation is possible, but not by Istio. Look at this question. You can also read more about Istio Authentication:

Istio provides two types of authentication:

• Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication, which can be enabled without requiring service code changes. This solution:

• Provides each service with a strong identity representing its role to enable interoperability across clusters and clouds. - Secures service-to-service communication. - Provides a key management system to automate key and certificate generation, distribution, and rotation.

• Request authentication: Used for end-user authentication to verify the credential attached to the request. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience using a custom authentication provider or any OpenID Connect providers, for example:

• ORY Hydra

• Keycloak

• Auth0

• Firebase Auth

• Google Auth

In all cases, Istio stores the authentication policies in the Istio config store via a custom Kubernetes API. Istiod keeps them up-to-date for each proxy, along with the keys where appropriate. Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture before it is enforced.

To pass the Authorization header, you have to set up the headers in the request library:

However, if you use the Passport authentication, just using the keys and setting up the config like in the docs should do the trick:

A co-worker of mine found the solution: I had to check the "IIS Express" option in the menu under the debug button. So it was an issue of compatibility between the way of authentication used by visual studio and firefox.

There is this general confusion around token-based auth, so let's try to clear some of it up.

First, JWTs are not just "encoded" by the server, they are "signed" (which more precisely is message authentication usually). The purpose is that such a token can not be altered or changed by the client, any field (claim) in the token can be trusted to be as the issuer created it, otherwise validation will fail.

This yields two important takeaways:

• validating tokens is important (obviously) in any implementation
• the contents (claims) of a JWT are not encrypted, ie. it's not a secret and can be viewed by the client

Such a token can be used to maintain a session without server-side state, if it contains some kind of an identity for the subject (user, like a user id or email address), and an expiry.

Another important takeaway though:

• Logout (immediate session invalidation) is not possible in a stateless way, which is a drawback. To be able to log out as in invalidate an existing session, the server must store and check revoked tokens, which is necessarily a stateful operation.

Also a JWT token is typically stored in a way that it's accessible for client-side code (javascript), so things like who the user is and when the token will expire can be read by the client app. It need not be so, yet most implementations do this, eg. store it in localstorage. This makes these tokens susceptible to XSS attacks, meaning that any successful XSS will be able to get the token.

For the reasons discussed so far, JWT authentication is inherently less secure than a plain old session, and should only be used if there is a need. Many times when token auth is used, it is not actually necessary, just fancy.

Sometimes such a token is stored in a httpOnly cookie, but in that case the token cannot be sent to multiple origins (one benefit of localStorage) and a plain old session id could also have been used, and would actually be more secure.

Ok, so what are refresh tokens. As you correctly stated, limiting the lifetime of an access token is useful to limit the validity of a compromised token. So a refresh token can be used to get a new access token when the old one expired. The key is where these are stored.

A key takeaway:

• If a refresh token is stored the same way as the access token, it usually doesn't make any sense. This is a common mistake in implementations.

In a better architecture, the following can happen:

• There are (both logically and "physically" as much as it makes sense in today's cloud world) at least two separate components: the identity provider (IdP, or "login service"), and the resource server (eg. an API).
• When a user logs in, they actually create a session with the IdP. In this case either a plain old session id (acting as refresh token) or an actual JWT refresh token is set up for the IdP origin (domain name).
• An access token is then created when needed for the resource server origin, using the existing session with the identity provider.
• Now even if there is a total compromise of the resource server, like in case of successful XSS, the refresh token belongs to a completely separate origin, so cannot be accessed by the attacker. Even if it's the same origin, but the refresh token is in a httpOnly cookie, that helps, because the attacker then needs to be able to perform repeated XSS against a victim user to receive new access tokens.

There can be implementation variants of this, but the point is the above, separation of access to the two tokens.

A one-to-one mapping of refresh tokens to access tokens as you described would I think be unusual and also unnecessary, but one session per user is in fact sometimes a requirement (especially in financial applications where you want to have a very clear audit trail of what a user did). But this is not much related to the things discussed above.

Also as stated above, proper logout (session invalidation) is not possible in a stateless way. Fortunately, very few applications actually need to be truly stateless on the server-side.

The JWT ID Token is only needed during Sign-in

Correct this is called Open Id connect, the id token is used to verify that the user behind the computer is the owner of the account as they know the login and password. Think of it as your birth certificate it proves you are you.

This JWT ID Token is completely different from the Authentication Token

Correct Id token or open id connect is built on top of Oauth2 which is used for authorization.

The Authentication Token represents a user's session, and it can be generated using any library.

Incorrect Oauth2 allows your application to request consent of the user who has been authenticated via Open id connect in some cases to grant the application access to their data. It has nothing to do with a session. With an access token your application has access to data for an amount of time. with a refresh token your app would be able to request a new access token when ever it expires. Consider authencation is more like your drivers license you are authorized to drive a car.

I will have many Access Tokens, which I use to access third-party APIs

Correct each third party api has their own authorization server. Your app will need to be registered by them they give you a client id and secret which you can use to generate access tokens to access your users data via their api.

Client id + client secret + user consent = access token & refresh token to the api that the scope granted

At one point, I was actually using my Google Calendar API Access Token as my Web App's Authentication Token, but realized this may be wrong.

Pre open id connect this probably happened a lot and still does.

The Access Token would Authorize a user to use Google/Third-Party APIs, but I need a separate Authentication Token to Authenticate users into My Web App.

Technically yes you do. But if you have an internal login system where your users create accounts in your system that that is your authentication there, your just requesting additional authorization to the users google account and you can store their refresh token as part of your internal authentication.

You can use multiple authentication providers (Facebook, twitter, google) but its best to have an internal one that maps them all together otherwise the user may end up with three accounts in your system.

Ok so I had obviously made a mistake when trying the Header route.

It works now if I provide a header key called Authorization and the API key and Auth Token in the following format OAuth oauth_consumer_key="{{apiKey}}", oauth_token="{{apiToken}}".

OTP and User Login/Registration are two separate process. It is the developers who decide how OTP and Login/Registration will be connected. I have implemented this requirement couple of months ago. Here is how you can do this:

• 1st step: User inputs a valid phone number. Then redirect the user to a screen where he can input an OTP (Optional - the phone number from the previous step can be in a hidden field)
• 2nd step: Generate the 4 digit OTP and store the phone number and the OTP in a database lets call it 'OTP' table. Send the OTP to the user
• 3rd Step: On the OTP input screen user inputs the OTP
• 4th Step: Check the OTP in the 'OTP' table. If the OTP is Valid then:
• • If the phone number exists in the 'User' table then this is a returning user. Login this user in step 5. You already have this User ID in the 'User' table
• • If the phone number does not exists in the 'User' table then create the user profile with the phone number only (You can get the other information like Name later). After that login the user in step 5
• 5th Step: Login the user. To do this you just need an user entity which you already have from the previous step. To login you can implement any login provider. I would suggest use JWT (JSON Web Token) to authentication.

When you have the user who has successfully verified an OTP, use the User ID to authenticate the user. Here is how you can implement JWT:

That will generate a token with 120 minute validity like this:

Send the JSON token to the application/mobile app. As long as the application/mobile app has the token and sends it along the requests (in header) the app and user is authenticated. You have to check the token and its validity against a Database table. Here is a complete implementation of the JWT part.

In my experience the easiest way to test permissions is to leave the admin secret in place and then just set the relevant headers.

Generally you just add additional headers for x-hasura-role and x-hasura-user-id and any other session variables that are relevant for your app.

In the screenshot below you can see that I've explicitly set these values. Any query that you run will be evaluated based on the permissions associated with the role (in my case its organization-admin)

This is especially useful if you want to be able to use the Analyze functionality to do query profiles that take permissions into account.