12 | 架构案例：基于OAuth 2.0/JWT的微服务参考架构

杨波 2020-07-25

                                   
                                      你好，我是王新栋。
                                     
                                      在前面几讲，我们一起学习了 OAuth 2.0 在开放环境中的使用过程。那么 OAuth 2.0 不仅仅可以用在开放的场景中，它可以应用到我们任何需要授权 / 鉴权的地方，包括微服务。
                                     
                                      因此今天，我特别邀请了我的朋友杨波，来和你分享一个基于 OAuth 2.0/JWT 的微服务参考架构。杨波，曾先后担任过携程框架部的研发总监和拍拍贷基础架构部的研发总监，在微服务和 OAuth 2.0 有非常丰富的实践经验。
                                     
                                      其中，在携程工作期间，他负责过携程的 API 网关产品的研发工作，包括它和携程的令牌服务的集成；在拍拍贷工作期间，他负责过拍拍贷的令牌服务的研发和运维工作。这两家公司的令牌服务和 OAuth 2.0 类似，但要更简单些。
                                     
                                      接下来，我们就开始学习杨波老师给我们带来的内容吧。
                                     
                                     你好，我是杨波。
                                    
                                     从单体到微服务架构的演进，是当前企业数字化转型的一大趋势。
                                    
                                      OAuth 2.0
                                     
                                     是当前业界标准的授权协议，它的核心是若干个针对不同场景的令牌颁发和管理流程；而
                                    
                                      JWT
                                     
                                     是一种轻量级、自包含的令牌，可用于在微服务间安全地传递用户信息。
                                    
                                     据我目前了解到的情况，虽然有不少企业已经部分或全部转型到微服务架构，但是在授权认证机制方面，它们一般都是定制自研的，比方说携程和拍拍贷的令牌服务。之所以定制自研，主要原因在于标准的 OAuth 2.0 协议相对比较复杂，门槛也比较高。定制自研固然可以暂时解决企业的问题，但是不具备通用性，也可能有很多潜在的安全风险。

</div></div></div></div> <div class="simplebar-placeholder" style="width: 490px; height: 240px;"/></div> <div class="simplebar-track simplebar-horizontal" style="visibility: hidden;"><div class="simplebar-scrollbar simplebar-visible" style="width: 0px; display: none;"/></div> <div class="simplebar-track simplebar-vertical" style="visibility: visible;"><div class="simplebar-scrollbar simplebar-visible" style="; display: none;"/></div></div> <div style="display: none;"><div class="_1KDQg3Bq_0">确认放弃笔记？</div> <div class="mJWK5em0_0">放弃后所记笔记将不保留。</div></div> <div style="display: none;"><div class="_1KDQg3Bq_0">新功能上线，你的历史笔记已初始化为私密笔记，是否一键批量公开？</div> <div class="mJWK5em0_0">批量公开的笔记不会为你同步至部落</div></div> <div class="_3tbfXQau_0" style="display: none;"/></div> <div class="_1Ax_ZpPk_0"><div class="_3U0NAxB3_0"><div class="_17Ja2uDw_0 _3KVt1gDg_0">公开</div> <div class="_2AW1oZ2h_0">同步至部落</div></div> <div class="_2OgrMv3n_0">取消</div> <div class="FKyaWb-t_0">完成</div>    </div> <div class="_3MpaRWpt_0"><span>0/1000字</span></div></div> <div class="zbKHG1ec_0"><div class="tXxk8mk7_0 yCLoyPjo_0"><span>划线</span></div> <div class="_2YBWosuL_0"/> <div class="_25lruFgJ_0"/> <div class="_3wLabARi_0"/> <div class="tXxk8mk7_0 _1FlP7Fck_0"><span>笔记</span></div> <div class="_2YBWosuL_0"/> <div class="tXxk8mk7_0 _3nXUSEVZ_0"><span>复制</span></div></div></div>      <div class="_2sg1Tei__0"><span>©</span> 版权归极客邦科技所有，未经许可不得传播售卖。 页面已增加防盗追踪，如有侵权极客邦将依法追究其法律责任。
          </div> <div class="_3qftfzyH_0"><div class="_2rnRKKqV_0">该试读文章来自付费专栏《OAuth 2.0实战课》，如需阅读全部文章，<br/>请订阅文章所属专栏<span class="_1IYQcC1P_0"><span class="xX-jTv6t_0">，</span>新⼈⾸单<span class="_3bES2NpG_0">¥</span>9.9</span></div> <div class="CJJSHwZ8_0">立即订阅</div></div></div> <div class="_2Vlfl3UO_0"><div class="_3SZaEKao_0"><img src="data:image/jpeg;base64,/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAABkAAD/4QN5aHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/PiA8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJBZG9iZSBYTVAgQ29yZSA1LjYtYzE0MCA3OS4xNjA0NTEsIDIwMTcvMDUvMDYtMDE6MDg6MjEgICAgICAgICI+IDxyZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4LW5zIyI+IDxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6YWE3YmZhMDItMzBhMC00MDg3LTg3MmYtOGMwMjMxNjNhZWRjIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOjI2MTlEODM3NTgzMTExRTk5NDY4Qjk3QUFCNDFBN0QzIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOjI2MTlEODM2NTgzMTExRTk5NDY4Qjk3QUFCNDFBN0QzIiB4bXA6Q3JlYXRvclRvb2w9IkFkb2JlIFBob3Rvc2hvcCBDQyAyMDE1IChNYWNpbnRvc2gpIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6OTYyRTNCMDNBREI4MTFFOEFFNTJDODlGREQ1OTUzMDMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6OTYyRTNCMDRBREI4MTFFOEFFNTJDODlGREQ1OTUzMDMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz7/7gAOQWRvYmUAZMAAAAAB/9sAhAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAgICAgICAgICAgIDAwMDAwMDAwMDAQEBAQEBAQIBAQICAgECAgMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwP/wAARCADuAO4DAREAAhEBAxEB/8QAfAABAAICAwEBAAAAAAAAAAAAAAYHBAgBAwUCCgEBAAAAAAAAAAAAAAAAAAAAABAAAgIBAgIECwQJBQAAAAAAAAECAwQRBSEGMWESF0FRgVITk+MUVJTUIkJiB5EyhBVFhbXFNnFygqJTEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwD9vAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGHmbhg7fD0mbl4+LF69l32wrctPBCMmpTfUk2BG7ue+Wqm4rNsua6XTi5DWvVKyutPyaoDmnnrlq19l506W9NPTYuSk2/xQqnGPlaQElxM7Dzq/S4WVj5VfhlRbC1Rfil2G3GXU9GBlAAAAAAAAAAAAAAAAAAAAAAAAAAAA4bUU5SajGKblJtJJJattvgkkBVHMnP8AJSswtilHSLcLdxcVLV9DWHCWsdF/6ST1+6uiQFW35F+VbK/Jutvum9Z23WSssk/xTm3JgdIADvx8nIxLY34t9uPdD9W2myVc1412otPR6cV0MC1uWufvTTrwd8cITlpCrcYpQhKT4KOXBaQrbf346R8aXFgWmnrxXFPimvCAAAAAAAAAAAAAAAAAAAAAAAAAAFUfmBzHKLexYVjjrGMtxsg+LU12oYia6E4tSn400vOQFTAAAAAAAuDkDmSWRFbHm2OVtUHLb7ZvWU6oLWeK2+LdMV2ofgTX3UBaAAAAAAAAAAAAAAAAAAAAAAAABi52XDAwsvNs4wxce6+S10cvRQlNQX4ptaLrYGr+RfblX3ZN8nO7Itsutk/vWWSc5Pq4sDpAAAAAABlYWXbgZeNmUPS3Guruhx0TcJJ9mWnTGa4NeFMDaDGvrysejJqeteRTVfW/HC2EbI/9ZAdwAAAAAAAAAAAAAAAAAAAAAACJc8WurlncOzwdrxateqeVT2v0wTXlA18AAAAAAAAAbFcnXSu5a2mcnq402U/8cfJuoivJGtASYAAAAAAAAAAAAAAAAAAAAAABFOdqXdyzuSjxlWse7yVZVMp/or1YGvQAAAAAAAADY3lGiWPy3tNclo5Yzv8AF9nJusyYvyxtQEjAAAAAAAAAAAAAAAAAAAAAAAdGVj15eNkYty1qyaLaLF4exbCVctOvSXADWDNxLsDLycLIj2bsa6dM/E3B6KUfHCa0afhTAxQAAAAAAZ224Nu55+LgUp+kyboV6pa9iDetljXm1VpyfUgNnqaoUU1UVLs101wqrj4oVxUILyRQHYAAAAAAAAAAAAAAAAAAAAAAAAVrz5yzPNh++cGtzyaK1HNpgtZX0QX2bopcZW0R4NdLhp5ujCmQAAAAAAXbyLyzPbaXumdW4ZuVX2aKprSWNjS0bck+Mbr9FqumMeHS2gLDAAAAAAAAAAAAAAAAAAAAAAAAAACuOZOQ6c+dmbtDrxcubc7cWX2cbIm+LlW0n7vbLw8OxJ+bxbCpM7bM/bLXVn4l+NPVpekg1CenhrsWtdseuLaAwQAHo7ftO47raqsDEuyZapSlCOlVevhtul2aql/uaAt3lrkWjbJ15u5yry86Gk6qYrXFxpripfaSd90X0NpRi+hNpSAsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4sqrug67a4W1y/WhZCM4P/AFjJNMDw7eVuXrm5T2jCTfT6Kr0C49VLrQHNPK/L1ElKvaMJtcU7alfo/Gle7FqB7cK4VQVdcIVwitIwhFQhFeJRikkgPsAAAAAAAAAAAAAAAAAAAAAAAAAY2XmYuBRPKzL68aiv9ay2XZjq+iKXTKcvBFJt+BARGf5g8uRk4q3LsSeinDFkoy60pyhPR9aQHz3h8u+dm/K+0Ad4fLvnZvyvtAHeHy752b8r7QB3h8u+dm/K+0Ad4fLvnZvyvtAHeHy752b8r7QB3h8u+dm/K+0Ad4fLvnZvyvtAMjG575cybY1PKtxnJpRnk0Trq1fglZHtxrXXLRLxgTCMozjGUZKUZJSjKLTjKLWqlFrVNNPgwOQAAAAAAAAAAAAAAAAAAAAUZ+YW43ZG9ywHOSx9vqpUa9fsu7IphkTta8MnCyMepLrYECAAAAAAAAAAAF0/lxuN2Tt+Zg2zlOO320uhyerhTlK1qpPzYWUSa8Xa06NALHAAAAAAAAAAAAAAAAAAAABr3zx/lO6fsX9OxAImAAAAAAAAAAALY/K/+Ofyz+4AWwAAAAAAAAAAAAAAAAAAAADXvnj/ACndP2L+nYgETAAAAAAAAAAAFsflf/HP5Z/cALYAAAAAAAAAAAAAAAAAAAABVvMfJG7bxvOZuONkbdCjI937Eb7cmNq9DiUUS7Ua8S2C1nU2tJPgB4fdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAJvyby1ncvfvH323Et989z9F7rZdPs+7+9dvt+loo019OtNNfD0ATcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//Z" class="_1162B7i7_0"/> <div class="_20XltAts_0"><span class="ieiqepdd_0">登录</span> <span class="_2xgUAzrs_0">后留言</span></div></div> <div class="_1tbWAlsU_0 _23Q5Ko9I_0"><textarea placeholder="由作者筛选后的优质留言将会公开显示，欢迎踊跃留言。" rows="16" readonly="readonly" class="_2KHEOPSr_0"/></div> </div> <div class="_3-W_zrq4_0"><h2>精选留言(9)</h2> <ul><li><div class="_2sjJGcOH_0"><img src="data:image/jpeg;base64,/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAABkAAD/4QN5aHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/PiA8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJBZG9iZSBYTVAgQ29yZSA1LjYtYzE0MCA3OS4xNjA0NTEsIDIwMTcvMDUvMDYtMDE6MDg6MjEgICAgICAgICI+IDxyZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4LW5zIyI+IDxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6YWE3YmZhMDItMzBhMC00MDg3LTg3MmYtOGMwMjMxNjNhZWRjIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOjI2MTlEODM3NTgzMTExRTk5NDY4Qjk3QUFCNDFBN0QzIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOjI2MTlEODM2NTgzMTExRTk5NDY4Qjk3QUFCNDFBN0QzIiB4bXA6Q3JlYXRvclRvb2w9IkFkb2JlIFBob3Rvc2hvcCBDQyAyMDE1IChNYWNpbnRvc2gpIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6OTYyRTNCMDNBREI4MTFFOEFFNTJDODlGREQ1OTUzMDMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6OTYyRTNCMDRBREI4MTFFOEFFNTJDODlGREQ1OTUzMDMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz7/7gAOQWRvYmUAZMAAAAAB/9sAhAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAgICAgICAgICAgIDAwMDAwMDAwMDAQEBAQEBAQIBAQICAgECAgMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwP/wAARCADuAO4DAREAAhEBAxEB/8QAfAABAAICAwEBAAAAAAAAAAAAAAYHBAgBAwUCCgEBAAAAAAAAAAAAAAAAAAAAABAAAgIBAgIECwQJBQAAAAAAAAECAwQRBSEGMWESF0FRgVITk+MUVJTUIkJiB5EyhBVFhbXFNnFygqJTEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwD9vAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGHmbhg7fD0mbl4+LF69l32wrctPBCMmpTfUk2BG7ue+Wqm4rNsua6XTi5DWvVKyutPyaoDmnnrlq19l506W9NPTYuSk2/xQqnGPlaQElxM7Dzq/S4WVj5VfhlRbC1Rfil2G3GXU9GBlAAAAAAAAAAAAAAAAAAAAAAAAAAAA4bUU5SajGKblJtJJJattvgkkBVHMnP8AJSswtilHSLcLdxcVLV9DWHCWsdF/6ST1+6uiQFW35F+VbK/Jutvum9Z23WSssk/xTm3JgdIADvx8nIxLY34t9uPdD9W2myVc1412otPR6cV0MC1uWufvTTrwd8cITlpCrcYpQhKT4KOXBaQrbf346R8aXFgWmnrxXFPimvCAAAAAAAAAAAAAAAAAAAAAAAAAAFUfmBzHKLexYVjjrGMtxsg+LU12oYia6E4tSn400vOQFTAAAAAAAuDkDmSWRFbHm2OVtUHLb7ZvWU6oLWeK2+LdMV2ofgTX3UBaAAAAAAAAAAAAAAAAAAAAAAAABi52XDAwsvNs4wxce6+S10cvRQlNQX4ptaLrYGr+RfblX3ZN8nO7Itsutk/vWWSc5Pq4sDpAAAAAABlYWXbgZeNmUPS3Guruhx0TcJJ9mWnTGa4NeFMDaDGvrysejJqeteRTVfW/HC2EbI/9ZAdwAAAAAAAAAAAAAAAAAAAAAACJc8WurlncOzwdrxateqeVT2v0wTXlA18AAAAAAAAAbFcnXSu5a2mcnq402U/8cfJuoivJGtASYAAAAAAAAAAAAAAAAAAAAAABFOdqXdyzuSjxlWse7yVZVMp/or1YGvQAAAAAAAADY3lGiWPy3tNclo5Yzv8AF9nJusyYvyxtQEjAAAAAAAAAAAAAAAAAAAAAAAdGVj15eNkYty1qyaLaLF4exbCVctOvSXADWDNxLsDLycLIj2bsa6dM/E3B6KUfHCa0afhTAxQAAAAAAZ224Nu55+LgUp+kyboV6pa9iDetljXm1VpyfUgNnqaoUU1UVLs101wqrj4oVxUILyRQHYAAAAAAAAAAAAAAAAAAAAAAAAVrz5yzPNh++cGtzyaK1HNpgtZX0QX2bopcZW0R4NdLhp5ujCmQAAAAAAXbyLyzPbaXumdW4ZuVX2aKprSWNjS0bck+Mbr9FqumMeHS2gLDAAAAAAAAAAAAAAAAAAAAAAAAAACuOZOQ6c+dmbtDrxcubc7cWX2cbIm+LlW0n7vbLw8OxJ+bxbCpM7bM/bLXVn4l+NPVpekg1CenhrsWtdseuLaAwQAHo7ftO47raqsDEuyZapSlCOlVevhtul2aql/uaAt3lrkWjbJ15u5yry86Gk6qYrXFxpripfaSd90X0NpRi+hNpSAsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4sqrug67a4W1y/WhZCM4P/AFjJNMDw7eVuXrm5T2jCTfT6Kr0C49VLrQHNPK/L1ElKvaMJtcU7alfo/Gle7FqB7cK4VQVdcIVwitIwhFQhFeJRikkgPsAAAAAAAAAAAAAAAAAAAAAAAAAY2XmYuBRPKzL68aiv9ay2XZjq+iKXTKcvBFJt+BARGf5g8uRk4q3LsSeinDFkoy60pyhPR9aQHz3h8u+dm/K+0Ad4fLvnZvyvtAHeHy752b8r7QB3h8u+dm/K+0Ad4fLvnZvyvtAHeHy752b8r7QB3h8u+dm/K+0Ad4fLvnZvyvtAMjG575cybY1PKtxnJpRnk0Trq1fglZHtxrXXLRLxgTCMozjGUZKUZJSjKLTjKLWqlFrVNNPgwOQAAAAAAAAAAAAAAAAAAAAUZ+YW43ZG9ywHOSx9vqpUa9fsu7IphkTta8MnCyMepLrYECAAAAAAAAAAAF0/lxuN2Tt+Zg2zlOO320uhyerhTlK1qpPzYWUSa8Xa06NALHAAAAAAAAAAAAAAAAAAAABr3zx/lO6fsX9OxAImAAAAAAAAAAALY/K/+Ofyz+4AWwAAAAAAAAAAAAAAAAAAAADXvnj/ACndP2L+nYgETAAAAAAAAAAAFsflf/HP5Z/cALYAAAAAAAAAAAAAAAAAAAABVvMfJG7bxvOZuONkbdCjI937Eb7cmNq9DiUUS7Ua8S2C1nU2tJPgB4fdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAHdrvvxe0+vzPoAJvyby1ncvfvH323Et989z9F7rZdPs+7+9dvt+loo019OtNNfD0ATcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//Z" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>Geek_334e32</span> </div> <div class="_2_QraFYR_0">场景 2：第一方移动应用 + 授权码许可模式。  这个不合适吧？现在app登陆都是用户名和密码或者验证码模式。</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: 请看我在文中给出的解释连接，用户名/密码模式对于无线App并不安全：<br/>"We have learned the hard way, so let’s warn everyone else here ������ DO NOT USE grant_type=password in any place where a hacker can de-compile your app or find your client_id plus client_secret. If you create a mobile app, you MUST use the full 3-legged Oauth via an embedded web form (with captcha or similar protection on it). Never ever create a native app login screen, which can ask your server via a simple post if the used credentials are correct (e.g. like the password grant type). Having this allows someone to start massively guessing for passwords. We know, app-developers do not like non-native things, but believe me, this is the only simple way to prevent attacks AND maintain super fast flexibility in changing the login procedure without having to roll out a new app version and trying to kill off old versions of the app. Having the web form login allows us to easily add for example 2-factor authentication when we want or need to."</p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-07-29</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span/></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class="">1</span></div></div></div></div></div> </li><li><div class="_2sjJGcOH_0"><img src="https://static001.geekbang.org/account/avatar/00/12/59/0f/dfb310b5.jpg" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>西</span> </div> <div class="_2_QraFYR_0">全程使用oauth2令牌，那么网关之后的每个微服务都需要自己根据令牌token去idp或者redis或者mysql中去查询用户信息，如果全程使用jwt令牌，主要是还是由于jwt自包含用户信息，存在暴露用户信息的安全风险。（如果jwt中只存在用户名，不存在其他相关信息也可以考虑全程使用jwt令牌）</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: 不错⛽️</p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-07-25</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span/></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class="">1</span></div></div></div></div></div> </li><li><div class="_2sjJGcOH_0"><img src="https://static001.geekbang.org/account/avatar/00/12/da/ec/779c1a78.jpg" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>往事随风，顺其自然</span> </div> <div class="_2_QraFYR_0">全程采用JWt，用户信息容易暴露，对于安全级别高，最好不使用，对于oauth在安全级别更高，但是实现用户信息更复杂，混合之后，权衡了安全性和易用性，个人理解</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: 不错</p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-07-25</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span>1</span></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class="">1</span></div></div></div></div></div> </li><li><div class="_2sjJGcOH_0"><img src="https://static001.geekbang.org/account/avatar/00/10/4d/54/9c214885.jpg" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>kylexy_0817</span> </div> <div class="_2_QraFYR_0">其实全程使用JWT，也没啥问题，只是如果想其较为安全，就要把公钥放在客户端，让其加密后再传输（或者获取到令牌后就直接加密存放在cookies或localstorage），但JWT的内容较多，即使加密后的内容也会较长，公网环境传输效率不高。而访问令牌，就是为了解决公网传输效率问题。不知有没理解对。</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: JWT是自包含令牌，里头可以包含一部分用户信息，全程使用JWT也可以，JWT内部的数据本身只是加签防篡改，本来就是客户端可见的，一般服务器端启用HTTPS就可以了，再做一次加密意义并不大。<br/><br/>相比JWT，普通访问令牌机制还有一个好处，就是可以集中吊销令牌，而JWT一般需要等到自然过期，因为它是自校验的。<br/><br/></p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-08-02</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span/></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class=""/></div></div></div></div></div> </li><li><div class="_2sjJGcOH_0"><img src="https://static001.geekbang.org/account/avatar/00/12/88/23/a0966b4d.jpg" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>Tim Zhang</span> </div> <div class="_2_QraFYR_0">网关获得 JWT 令牌，校验 Scope 是否有权限调用 API，如果有就转发到后台 API 进行调用。<br/><br/>校验是如何校验的？ 并且scope 和 authority有啥区别么</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: 企业根据具体场景，需要定义一个scope和API之间的权限关系表，这个表需要单独维护，并且可以缓存在网关上，加快网关的校验。所谓校验，就去查这张表，看某个scope能否访问某个API。<br/><br/>scope和authority并没有所谓官方定义，你可以根据上下文赋予它们具体的语义。<br/><br/></p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-07-27</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span>1</span></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class=""/></div></div></div></div></div> </li><li><div class="_2sjJGcOH_0"><img src="https://static001.geekbang.org/account/avatar/00/16/bc/25/1c92a90c.jpg" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>tt</span> </div> <div class="_2_QraFYR_0">有一个问题，JWT一般是加密的，在网关之后使用JWT仍然需要加密么？那会不会因为加解密带来性能问题？如果此时对报文内容也采用对称加密，性能下降会更严重。<br/><br/>该怎么处理呢？有了客户端凭据（appid + appsecret）对三方软件做认证的情况下，还需要公私钥证书或者硬Token么？</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: jwt不是加密，是加签名，消息不能篡改，内容还是可以看到的。<br/><br/>具体要看业务场景，如果企业内网是授信的，安全风险级别低，也可以考虑不用jwt，直接传普通json格式的用户信息。<br/><br/>对于一些涉及银行资金业务的场景，普通的OAuth2/JWT都还不够，还需要双因素和硬token等配套安全机制。</p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-07-26</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span>2</span></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class=""/></div></div></div></div></div> </li><li><div class="_2sjJGcOH_0"><img src="https://static001.geekbang.org/account/avatar/00/12/8a/a3/aee7ded7.jpg" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>在路上</span> </div> <div class="_2_QraFYR_0">全程采用JWT令牌模式，包含很多用户信息，权限信息，有泄露风险；jwt信息如果被修改，有权限越界的风险。采用OAuth令牌模式用户信息安全无问题，在领域层每次都要通过令牌查询用户级权限信息，加大的领域服务的开销，影响性能。</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: 基本正确，但是jwt信息只是可以被客户端看到，一般也是没办法篡改的，只要secret key或者私钥不泄密。</p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-07-26</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span/></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class=""/></div></div></div></div></div> </li><li><div class="_2sjJGcOH_0"><img src="https://static001.geekbang.org/account/avatar/00/13/03/e2/5768d26e.jpg" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>inrtyx</span> </div> <div class="_2_QraFYR_0">第六点是关于 Web Session，这个不太明白。token信息肯定要放浏览器啊！不然岂不是每次请求都要登录？</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: 网站会话有几种做法，一种是Session数据都存在服务器端，客户端浏览器cookie中只存sesssionID，我把这种称为Web Session，这种是服务器端有状态的Session技术。另外一种是Session数据都存在浏览器cookie中，我把这种称为客户端Session，这种是服务器端无状态的Session技术。</p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-07-25</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span>2</span></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class=""/></div></div></div></div></div> </li><li><div class="_2sjJGcOH_0"><img src="https://static001.geekbang.org/account/avatar/00/1f/50/e5/4048aa15.jpg" class="_3FLYR4bF_0"/> <div class="_36ChpWj4_0"><div class="_2zFoi7sd_0"><span>Zhou</span> </div> <div class="_2_QraFYR_0">Anonymous user的请求在网关和oauth2上面应该怎么处理比较好？</div> <div class="_10o3OAxT_0"><p class="_3KxQPN3V_0">作者回复: 具体要看API对安全的要求，某些API如果安全不敏感，Anonymous user也可以访问的话，那么在网关上可以做开放授权的策略。</p></div> <div class="_3klNVc4Z_0"><div class="_3Hkula0k_0">2020-07-25</div> <div class="_3_7joXrw_0"> <div class="_3r0uuaYZ_0"><i class="iconfont"></i> <span/></div> <div class="_24fTab90_0"><i class="iconfont"></i> <span class=""/></div></div></div></div></div> </li></ul> <div class="_1DRwKyCv_0">
            收起评论<span class="iconfont _1QBZRYBq_0"></span></div></div></div></div></div></div></div> <div class="simplebar-placeholder" style="width: 1000px; height: 4932px;"/></div> <div class="simplebar-track simplebar-horizontal" style="visibility: hidden;"><div class="simplebar-scrollbar simplebar-visible" style="width: 0px; display: none;"/></div> <div class="simplebar-track simplebar-vertical" style="visibility: visible;"><div class="simplebar-scrollbar simplebar-visible" style="height: 177px; display: block; transform: translate3d(0px, 0px, 0px);"/></div></div></div> <div class="_35V_pofE_0"><div class="_19KVU7IX_0 iconfont OJ1-O2lA_0 _3zAMGadh_0"><span>9</span></div> <div class="_3QWdWikl_0 iconfont OJ1-O2lA_0 _3zAMGadh_0"></div> <div class="P00Ux77Z_0 iconfont OJ1-O2lA_0 _3zAMGadh_0"></div> <div class="_3UobFqyS_0 iconfont OJ1-O2lA_0 _3zAMGadh_0"><span></span></div> <div class="_3qLBNfWY_0 iconfont OJ1-O2lA_0 _3zAMGadh_0"></div>   <div class="FSrxdnjI_0 iconfont OJ1-O2lA_0 _3zAMGadh_0"><a href="//time.geekbang.org/download" target="_blank"><span class="_2NDI-Prg_0"></span><span class="_15yXCNVi_0">下载<br/>客户端</span></a></div> <div class="_2nVCVrRU_0 iconfont OJ1-O2lA_0 _3zAMGadh_0"><span class="_2NDI-Prg_0"></span><span class="_15yXCNVi_0">返回<br/>顶部</span></div></div> <div class="k7LpsVQS_0"></div> </div></div> <div class="_2sRsF5RP_0"/></div>