pmg/assertion-grant
Composer 安装命令:
composer require pmg/assertion-grant
包简介
An implemenation of the assertion authorization grant flows from RFC7521
README 文档
README
This implements the assertion grants described in RFC 7521. The goal is to be
flexible enough to support JWT (RFC 7523) or SAML (RFC 7522) assertions.
https://www.rfc-editor.org/rfc/rfc7521
This was inspired by some needs that PMG's https://www.pmg.com/alli platform had as well as some prior art from from google.
Client Authentication
RFCs 7523 and 7522 are opened ended about this:
JWT authorization grants may be used with or without client
authentication or identification. Whether or not client
authentication is needed in conjunction with a JWT authorization
grant, as well as the supported types of client authentication, are
policy decisions at the discretion of the authorization server.
However, if client credentials are present in the request, the
authorization server MUST validate them.
If the client_id is present in the request (in the Authorization header of
request body), then the normal client validation methods are used. If a client
is confidential, client secret would be required.
If client_id is not present, then the the assertion issuer is treated as the
oauth client ID.
Scopes
scope may be sent in as a normal request parameter, but RFC 7521 has this to
say:
The requested scope as described in Section 3.3 of
OAuth 2.0 [RFC6749]. When exchanging assertions for access
tokens, the authorization for the token has been previously
granted through some out-of-band mechanism. As such, the
requested scope MUST be equal to or less than the scope originally
granted to the authorized accessor. The authorization server MUST
limit the scope of the issued access token to be equal to or less
than the scope originally granted to the authorized accessor.
So somehow the assertion is made valid out of band. The assertion backend
returns an Assertion implementation which has allowed scopes.
If a caller tries to request scopes outside of the assertion's allowed scopes, an error will be returned.
Assertion Issuers
Assertion issuers are treated as oauth client identifiers.
Assertion Subjects
Assertion subjects are treated as user identifiers in this library. No
accomodations for client credentials as that would be better suited for
the client_credentials grant with a client_assertion system.
pmg/assertion-grant 适用场景与选型建议
pmg/assertion-grant 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 4.79k 次下载、GitHub Stars 达 0, 最近一次更新时间为 2022 年 11 月 17 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 pmg/assertion-grant 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 pmg/assertion-grant 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 4.79k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 17
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2022-11-17