
Analysis of identity Management system (IDM)

2025-01-18 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

Table 1 Comparative analysis of authentication mechanisms (columns: HTTP Basic Auth; Digital signature / digital certificate; OAuth protocol mode (Token); SSO (Token))

Mode of realization

HTTP Basic Auth: Before sending, the client appends a colon to the user name, then concatenates the password, and encodes the resulting string with the Base64 algorithm. For example, with the user name Aladdin and the password open sesame, the string is Aladdin:open sesame, which Base64 encodes to QWxhZGRpbjpvcGVuIHNlc2FtZQ==. The Base64-encoded string is sent, and the receiver decodes it to recover the user name and password separated by a colon.

Digital signature / digital certificate: Assign a key to each access party and specify a method for calculating the signature. A signature parameter must be added to each request from the access party. At the same time, to prevent replay attacks, a timestamp must be added to the request.

OAuth protocol mode (Token): OAuth authentication and authorization takes three steps:

1. Obtain an unauthorized Request Token.

2. Obtain a Request Token authorized by the user.

3. Exchange the authorized Request Token for an Access Token.

Once the application holds the Access Token, it can access the resources authorized by the user.

SSO (Token): When the user visits application system 1 for the first time, he is redirected to the authentication system to log in because he has not yet logged in. The authentication system verifies the identity from the login information the user provides; if verification passes, the user is returned an authentication credential, the ticket. When the user visits other applications, he carries this ticket as his authentication credential. On receiving the request, the application system sends the ticket to the authentication system to check its validity; if the check passes, the user can access application system 2 and application system 3 without logging in again.
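As an added example (not code from the original article), the first two cells of this row implemented in Python: the Basic Auth header for the Aladdin / open sesame case, and on the signature side a per-access-party key with signature and timestamp request parameters. HMAC-SHA256 as the signature method, the parameter names signature/timestamp and the 300-second acceptance window are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# --- HTTP Basic Auth: "user:password" is only Base64-encoded, never encrypted ---
def basic_auth_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_basic_auth(header: str) -> tuple:
    """Receiver side: decode the header and split on the first colon."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password

# --- Signed request: per-access-party key, signature + timestamp parameters ---
MAX_SKEW = 300  # assumed acceptance window in seconds; needs synchronized clocks

def _canonical(params: dict) -> bytes:
    # Both sides must sign exactly the same byte string: sort keys, URL-encode.
    return urlencode(sorted(params.items())).encode()

def sign_request(params: dict, key: bytes, now: int) -> dict:
    """Client side: add the timestamp, then HMAC-SHA256 over the canonical form."""
    signed = dict(params, timestamp=str(now))
    signed["signature"] = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    return signed

def verify_request(params: dict, key: bytes, now: int) -> bool:
    """Server side: reject stale timestamps first, then check the signature."""
    if "signature" not in params or "timestamp" not in params:
        return False
    try:
        age = abs(now - int(params["timestamp"]))
    except ValueError:
        return False
    if age > MAX_SKEW:
        return False  # outside the window: a replay or clocks out of sync
    unsigned = {k: v for k, v in params.items() if k != "signature"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison; a nonce store is still needed to stop replays
    # that arrive inside the MAX_SKEW window.
    return hmac.compare_digest(expected, params["signature"])
```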

Scope of application

HTTP Basic Auth: Applies to requests over the HTTP protocol.

Digital signature / digital certificate: Applies to REST/SOAP interfaces, for example the AWS REST/SOAP API.

OAuth protocol mode (Token): The OAuth protocol is suitable for authorizing external applications to access local resources. Its encryption mechanism is more secure than HTTP Digest authentication. Note that OAuth and HTTP Digest authentication do not replace each other; their applicable scenarios differ. OAuth is better suited to providing authorization for end-user-oriented APIs, such as retrieving the Weibo information belonging to a user. If an API is not oriented to the end-user dimension, as with storage services such as Qiniu Cloud Storage, it is not a typical OAuth scenario.

SSO (Token): Suitable for scenarios where users should not have to repeatedly enter user names and passwords across different web pages or applications.

Advantages

HTTP Basic Auth: Simple, easy to understand and implement. Essentially all popular web browsers support basic authentication.

Digital signature / digital certificate: Simple, easy to understand and implement.

OAuth protocol mode (Token): In use, OAuth never exposes the user's account information (such as user name and password) to the third-party website or application, and the authorized HTTP communication no longer carries user credentials; they are replaced by a digital signature and an access token (AccessToken). Even if a packet is intercepted, the user's login information cannot be recovered from it. This is the biggest advantage of OAuth and the reason it has gradually become the general authorization standard.

SSO (Token): Improves system usability. It is very convenient for end users, who need to remember only one set of user name and password and enter it only once.

Improves development efficiency. For developers, a good SSO architecture has only one authentication framework, so application developers can focus on business logic without designing their own authentication.

Simplifies administration. For system administrators, with SSO users have only one account and one management system, which is easier to manage and reduces the burden.

Shortcomings

HTTP Basic Auth: Although basic authentication is very easy to implement, the scheme assumes that the connection between the client and the server host is secure and trusted. In particular, credentials are transmitted in clear text and can easily be intercepted unless a transport layer security protocol such as SSL/TLS is used. The scheme also does not protect the information returned by the server.

Digital signature / digital certificate: The burden of keeping the key secure and rotating it regularly falls on you, and replay attacks must be guarded against. It is also not very flexible, so updating the key and upgrading the signature algorithm are difficult. If a timestamp is added to the request, client and server clocks must be synchronized.

OAuth protocol mode (Token): OAuth is an authorization protocol rather than an authentication protocol; it provides permission delegation, not authentication. The essence of authorization is that the system opens a back door for third-party websites/applications, and your authorization allows them to enter through that back door to obtain your private information and access.

For details, see: http://www.oschina.net/news/31399/oauth30-road-to-hell

SSO (Token): The damage after an attack is greater. Because the authentication system is centralized, an attacker who breaks it can endanger every application system; by stealing a user's user name and password from one system, the user's resources in every system within the SSO scope can be stolen.

Information disclosure when the personal desktop is left unlocked. If a user forgets to lock the computer and someone else uses it, the user's information across the entire system is exposed, whereas with separate logins only a particular kind of data in one subsystem would be compromised in the same situation.
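An added example, not part of the original article, of the SSO ticket flow described in the "Mode of realization" row: the authentication system checks the password once, issues an opaque ticket, and each application system sends the ticket back for validation. Central revocation is included because the SSO shortcoming above is that one stolen credential exposes every system. The class names, the PBKDF2 password store and the 3600-second ticket lifetime are assumptions.

```python
import hashlib, hmac, os, secrets

TICKET_TTL = 3600  # assumed ticket lifetime in seconds

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthenticationSystem:
    """Central login service: checks the password once, then issues tickets."""
    def __init__(self, users: dict):
        # Constructed sample user store; passwords kept as salted PBKDF2 hashes.
        self._users = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _kdf(password, salt))
        self._tickets = {}  # ticket -> (username, expiry time)

    def login(self, username: str, password: str, now: float):
        """Return a fresh opaque ticket, or None if the credentials are wrong."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _kdf(password, salt)):
            return None
        ticket = secrets.token_urlsafe(32)  # unguessable; its meaning lives only here
        self._tickets[ticket] = (username, now + TICKET_TTL)
        return ticket

    def validate(self, ticket: str, now: float):
        # Called by every application system; unknown or expired tickets yield None.
        username, expiry = self._tickets.get(ticket, (None, 0.0))
        return username if now <= expiry else None

    def revoke_user(self, username: str) -> int:
        # Central revocation: one call invalidates the user's tickets everywhere.
        doomed = [t for t, (u, _) in self._tickets.items() if u == username]
        for t in doomed:
            del self._tickets[t]
        return len(doomed)

class ApplicationSystem:
    # Application systems 1, 2, 3 hold no passwords; they only consult the ticket.
    def __init__(self, name: str, auth: AuthenticationSystem):
        self.name, self.auth = name, auth
    def access(self, ticket: str, now: float) -> str:
        user = self.auth.validate(ticket, now)
        return f"{self.name}: welcome {user}" if user else f"{self.name}: redirect to login"
```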

Table 2 Analysis of ForgeRock open source IDM and AM products (columns: OpenIDM; OpenAM; OpenDJ)

Function

OpenIDM: User management functions, including user identity lifecycle management, user and group management, password management, role management, rights management, policy management, authentication and authorization, synchronization and other core functions. A REST interface is provided for management. OpenIDM user data can be synchronized to OpenDJ.

OpenAM: OpenAM is a leading open source authentication and authorization product that can replace OpenSSO, which is being discontinued. OpenAM provides core identity services that simplify the implementation of transparent single sign-on in a network architecture, whether centralized or distributed. Its main features are:

A fully open source AAA product. AAA is a term from computer security that stands for authentication, authorization and accounting.

Easy to use and easy to configure.

Pure Java development.

Federated authentication can be easily configured and integrated into existing projects.

A REST interface is provided for management.

OpenDJ: Provides LDAP services, with a REST interface for convenient management.

Role

OpenIDM: IDM (user identity management)

OpenAM: SSO (single sign-on)

OpenDJ: LDAP (Lightweight Directory Access Protocol)

Scope of application

OpenIDM: User management.

OpenAM: Mainly single sign-on (SSO) application scenarios.

OpenDJ: LDAP applications.

Authentication mechanism

OpenIDM: When a client authenticates, the user name and password are provided to OpenIDM (transmitted in plaintext); OpenIDM authenticates and returns the result.

OpenAM: The authentication mechanism provided by OpenAM is mainly the user login function. The user provides the user name and password in the login interface; after OpenAM verifies them successfully, a TokenId is returned for the subsequent SSO steps.

OpenDJ: Provides the standard LDAP authentication mechanism.
