pmg/assertion-grant 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

pmg/assertion-grant

Composer 安装命令:

composer require pmg/assertion-grant

包简介

An implemenation of the assertion authorization grant flows from RFC7521

README 文档

README

This implements the assertion grants described in RFC 7521. The goal is to be flexible enough to support JWT (RFC 7523) or SAML (RFC 7522) assertions.

https://www.rfc-editor.org/rfc/rfc7521

This was inspired by some needs that PMG's https://www.pmg.com/alli platform had as well as some prior art from from google.

Client Authentication

RFCs 7523 and 7522 are opened ended about this:

JWT authorization grants may be used with or without client
authentication or identification.  Whether or not client
authentication is needed in conjunction with a JWT authorization
grant, as well as the supported types of client authentication, are
policy decisions at the discretion of the authorization server.
However, if client credentials are present in the request, the
authorization server MUST validate them.

If the client_id is present in the request (in the Authorization header of request body), then the normal client validation methods are used. If a client is confidential, client secret would be required.

If client_id is not present, then the the assertion issuer is treated as the oauth client ID.

Scopes

scope may be sent in as a normal request parameter, but RFC 7521 has this to say:

The requested scope as described in Section 3.3 of
OAuth 2.0 [RFC6749].  When exchanging assertions for access
tokens, the authorization for the token has been previously
granted through some out-of-band mechanism.  As such, the
requested scope MUST be equal to or less than the scope originally
granted to the authorized accessor.  The authorization server MUST
limit the scope of the issued access token to be equal to or less
than the scope originally granted to the authorized accessor.

So somehow the assertion is made valid out of band. The assertion backend returns an Assertion implementation which has allowed scopes.

If a caller tries to request scopes outside of the assertion's allowed scopes, an error will be returned.

Assertion Issuers

Assertion issuers are treated as oauth client identifiers.

Assertion Subjects

Assertion subjects are treated as user identifiers in this library. No accomodations for client credentials as that would be better suited for the client_credentials grant with a client_assertion system.

pmg/assertion-grant 适用场景与选型建议

pmg/assertion-grant 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 4.79k 次下载、GitHub Stars 达 0, 最近一次更新时间为 2022 年 11 月 17 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 pmg/assertion-grant 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 pmg/assertion-grant 我们能提供哪些服务?
定制开发 / 二次开发

基于 pmg/assertion-grant 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 4.79k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 17
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 13
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2022-11-17