每个设备是否应该让 Keycloak 中的用户通过资源所有者密码凭证进行身份验证
Should each device get a user in Keycloak authenticated through Resource Owner Password Credentials
我正在 Keycloak 中使用人类用户和物联网设备实施身份验证系统。
人类用户: 通过 spa 访问系统并使用基于标准重定向的身份验证流程。
物联网设备:该用例涉及许多高价值设备,这些设备不具有交互性,需要将遥测数据传输到后端并访问它们自己的数据以及来自关联用户的数据.我目前的计划是使用资源所有者密码凭据授予,因为嵌入式系统可以在供应期间使用凭据进行设置。
我的想法是,这将使我能够使用 Keycloak 组和角色进行权限管理和用户 <-> 设备关联。
这种方法有什么本质上的错误吗?
My current plan is to use the Resource Owner Password Credentials
Grant since the embedded system can be setup with credentials during
provisioning.
从source可以读到:
The resource owner password credentials grant type is suitable in
cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged
application. The authorization server should take special care when
enabling this grant type and only allow it when other flows are not
viable.
This grant type is suitable for clients capable of obtaining the
resource owner’s credentials (username and password, typically using
an interactive form). It is also used to migrate existing clients
using direct authentication schemes such as HTTP Basic or Digest
authentication to OAuth by converting the stored credentials to an
access token:
您的用例是否满足这些限制条件?
如果不是,请考虑使用 Client Credentials Grant 代替:
With machine-to-machine (M2M) applications, such as CLIs, daemons, or
services running on your back-end, the system authenticates and
authorizes the app rather than a user. For this scenario, typical
authentication schemes like username + password or social logins don't
make sense. Instead, M2M apps use the Client Credentials Flow (defined
in OAuth 2.0 RFC 6749, section 4.4), in which they pass along their
Client ID and Client Secret to authenticate themselves and get a
token.
因此在后者中,您将使用客户端密码代替用户名和密码进行身份验证。
My thinking is that this would enable me to use Keycloak Groups and
Roles for permission management and User <-> Device Association.
您仍然可以向机密客户端添加声明,并将其用于权限管理。
我正在 Keycloak 中使用人类用户和物联网设备实施身份验证系统。
人类用户: 通过 spa 访问系统并使用基于标准重定向的身份验证流程。
物联网设备:该用例涉及许多高价值设备,这些设备不具有交互性,需要将遥测数据传输到后端并访问它们自己的数据以及来自关联用户的数据.我目前的计划是使用资源所有者密码凭据授予,因为嵌入式系统可以在供应期间使用凭据进行设置。
我的想法是,这将使我能够使用 Keycloak 组和角色进行权限管理和用户 <-> 设备关联。
这种方法有什么本质上的错误吗?
My current plan is to use the Resource Owner Password Credentials Grant since the embedded system can be setup with credentials during provisioning.
从source可以读到:
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
This grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token:
您的用例是否满足这些限制条件?
如果不是,请考虑使用 Client Credentials Grant 代替:
With machine-to-machine (M2M) applications, such as CLIs, daemons, or services running on your back-end, the system authenticates and authorizes the app rather than a user. For this scenario, typical authentication schemes like username + password or social logins don't make sense. Instead, M2M apps use the Client Credentials Flow (defined in OAuth 2.0 RFC 6749, section 4.4), in which they pass along their Client ID and Client Secret to authenticate themselves and get a token.
因此在后者中,您将使用客户端密码代替用户名和密码进行身份验证。
My thinking is that this would enable me to use Keycloak Groups and Roles for permission management and User <-> Device Association.
您仍然可以向机密客户端添加声明,并将其用于权限管理。