Permission terminology

A complete permission flow consists of four steps: authentication (`identify`), authorization (`authorize`), auth check (`authcheck`) and permission check (`authenticate`).

- Authentication (`identify`): the client asks the server to confirm its identity by presenting an identity credential. Identity credentials are typically `Username/Password`, `ClientId/ClientSecret`, `AppId/AppSecret` and the like.
- Authorization (`authorize`): once authentication passes, the server issues an authorization credential to the client and maintains it. Authorization credentials are typically `SessionID`, `OAuth2Token`, `JwtToken` and the like. Authentication and authorization are usually performed back to back.
- Auth check (`authcheck`): before the client accesses a restricted resource, the `auth` middleware checks whether it has already been authenticated and authorized. Some modes require the client to carry the authorization credential in the `Authorization` field of the `Http` request header.
- Permission check (`authenticate`): on top of `authcheck`, further verifies whether the current identity has sufficient rights to access the resource. Permission-check methods include OAuth2 `scope` permission grouping, HttpBasic `realm` protection domains, web `RBAC/ACL` permission systems, and so on.
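As an added illustration (not code from the original page), the four steps wired together as a minimal Python auth middleware: `identify` verifies a `Username/Password` credential, `authorize` issues an opaque token, `authcheck` reads the `Authorization` request header, and `authenticate` checks a `scope`-style permission. The users, scopes, salt and status codes are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (assumption): passwords are stored as salted hashes,
# each user carries the scopes granted to it, and tokens live server-side.
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS = {
    "alice": (_hash("correct horse"), {"orders:read", "orders:write"}),
    "bob": (_hash("hunter2"), {"orders:read"}),
}
TOKENS = {}  # opaque authorization credential -> identity (stateful store)


def identify(username: str, password: str) -> Optional[str]:
    """Step 1 (identify): verify the identity credential; return the identity or None."""
    record = USERS.get(username)
    # Hash even for unknown users so timing does not reveal whether the name exists.
    stored = record[0] if record else _hash("")
    ok = hmac.compare_digest(stored, _hash(password))
    return username if record and ok else None


def authorize(identity: str) -> str:
    """Step 2 (authorize): issue and retain an opaque authorization credential."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = identity
    return token


def authcheck(headers: dict) -> Optional[str]:
    """Step 3 (authcheck): middleware reads the Authorization header and resolves the identity."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not credential.strip():
        return None
    return TOKENS.get(credential.strip())


def authenticate(identity: str, required_scope: str) -> bool:
    """Step 4 (authenticate): does the identity hold the scope the resource requires?"""
    return required_scope in USERS[identity][1]


def handle_request(headers: dict, required_scope: str) -> int:
    """Order the checks as an auth middleware would: 401 without a valid credential, 403 without rights."""
    identity = authcheck(headers)
    if identity is None:
        return 401
    return 200 if authenticate(identity, required_scope) else 403
```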
Authentication mode comparison

- `HttpBasic`: lowest development cost; authentication is stateless (although browsers can maintain it automatically); `realm` provides `authenticate` granularity by protecting grouped sets of interfaces; suited to intranet communication.
- `Session`: average development cost; authentication is stateful; can be combined with an `RBAC/ACL` permission system to protect resources by group; suited to `Web` login scenarios.
- `Signature`: average development cost; authentication is stateless; does not support `authenticate` (permission checks); suited to communication with a single service interface.
- `OAuth2`: slightly higher development cost; authentication is stateful; `scope` provides `authenticate` granularity by protecting grouped sets of interfaces; suited to enterprise open platforms.
- `JWT`: average development cost; authentication is stateless (but its self-contained nature lets the authenticated identity persist across requests and platforms); can be combined with a `Web` permission system and suits cross-platform stateless login authorization; can also give `OAuth2` a simplified authorization mechanism that needs no server-side storage.