oauth-2.0 - OpenID session management with ORY Hydra

Tags: oauth-2.0 openid-connect openid ory-hydra

I am running Ory Hydra as an OAuth 2.0/OpenID provider.

I want to put together a solution so that relying parties can check the state of the end user's OpenID session: whether they are logged in, logged out, and so on. The OpenID spec has a solution that uses a designated iframe here. Section 5.1 of the OpenID Connect Session Management spec here describes the main problem with this solution:

Note that at the time of this writing, some User Agents (browsers) are starting to block access to third-party content by default to block some mechanisms used to track the End-User's activity across sites. 
Specifically, the third-party content being blocked is website content with an origin different than the origin of the focused User Agent window.
Site data includes cookies and any web storage APIs (sessionStorage, localStorage, etc.).

This can prevent the ability for notifications from the OP at the RP from being able to access the RP's User Agent state to implement local logout actions. 
In particular, cookies and web storage APIs may not be available in the OP frame loaded in the RP context. The side effect here is that, depending on the used mechanism (cookies or web storage), the data needed to recalculate session_state might not be available. 
Cookie based implementations might then return changed for every single call, resulting in infinite loops of re-authentications. 
Therefore, deployments of this specification are recommended to include defensive code to detect this situation, and if possible, notify the End-User that the requested RP logouts could not be performed. 
The details of the defensive code needed are beyond the scope of this specification; it may vary per User Agent and may vary over time, as the User Agent tracking prevention situation is fluid and continues to evolve.

Is there another way to see whether the end user has an OpenID session without using the iframe implementation?

Best answer

You can always ask the token introspection endpoint, using the access token, to see whether the access token is still valid. With this approach you avoid using the iframe. As an alternative, you can use short-lived access tokens and use refresh tokens to obtain new access tokens. For most cases this is probably a suitable compromise.

See the token introspection spec here; this tutorial is also a good starting point.

In the response from this endpoint you should find an `active` field, which should be set to true if the user is still logged in.

The spec says:

active REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time).
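As an added example (not code from the answer above or from the Hydra project), here is how a relying party could implement the introspection check the answer describes, failing closed on anything other than a strict boolean `active: true` and on an expired `exp`. The admin endpoint URL is an assumption for a typical Hydra deployment; adjust it to yours.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed location of Hydra's admin introspection endpoint (adjust per deployment).
INTROSPECT_URL = "http://hydra-admin.example.internal:4445/oauth2/introspect"


def build_introspection_request(token, url=INTROSPECT_URL):
    """Build the RFC 7662 POST the RP sends: a form-encoded 'token' parameter."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}
    ).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def session_is_active(response, now=None, required_client_id=None):
    """Decide whether the introspection response means 'still logged in'.

    Fail closed: only a strictly boolean True 'active' counts, a past 'exp'
    overrides it, and (optionally) the token must belong to the expected client.
    """
    now = time.time() if now is None else now
    if response.get("active") is not True:
        return False
    exp = response.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False
    if required_client_id and response.get("client_id") != required_client_id:
        return False
    return True


def check_session(token, opener=urllib.request.urlopen):
    """Perform the live check; 'opener' is injectable so it can be stubbed offline."""
    with opener(build_introspection_request(token), timeout=5) as resp:
        return session_is_active(json.load(resp))


# Constructed sample responses, not captured from a real Hydra instance.
SAMPLE_ACTIVE = {"active": True, "exp": 1_900_000_000, "client_id": "rp-web", "sub": "user-123"}
SAMPLE_REVOKED = {"active": False}
```

Pair this with the short-lived access token / refresh token approach from the answer so the RP only trusts an `active` verdict for as long as the token itself lives.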

Regarding oauth-2.0 - OpenID session management with ORY Hydra, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/65443884/
