JWT Access Token Profiles Are Now Generally Available (AI reading summary), 包阅AI

包阅 reading guide summary

1. Keywords: JWT, Access Tokens, RFC 9068, Auth0, Identity Management

2. Summary:

This article announces that the OAuth 2.0 JWT access token standard, RFC 9068, is now generally available on Auth0. It compares Auth0's original token profile with the RFC 9068 profile, explains the advantages of adopting RFC 9068, describes how to generate RFC 9068-compatible access tokens, and pays tribute to Vittorio Bertocci, who led the standard.

3. Main points:

– JWT Access Token Profiles

  – A single charger for every device, as an analogy for unifying access token formats

  – The IETF published a new access token standard, RFC 9068

– Access Token Profiles in Auth0

  – Auth0 now offers two access token profiles: the default Auth0 token profile and RFC 9068

  – The main format differences between the two

– Advantages of adopting the RFC 9068 profile

  – Direct interoperability with API gateways and servers that follow the standard

  – Easier switching of identity providers

  – Use of SDKs and tools that support the standard

– Generating RFC 9068-compatible access tokens

  – The process is the same as obtaining any access token

  – Example: requesting an access token with cURL using the client_credentials grant

– Tribute to Vittorio Bertocci

  – Praise for his contributions to the identity industry

  – Two causes that mattered greatly to him


Article URL: https://auth0.com/blog/jwt-access-tokens-profiles-now-in-ga/

Source: auth0.com

Author: Auth0 Blog

Published: 2024/7/10 15:01

Language: English

Word count: 752

Estimated reading time: 4 minutes

Score: 85

Tags: Identity and Access Management (IAM), JSON Web Token (JWT), OAuth 2.0, RFC 9068, Authentication


The original article follows


Imagine if you could charge every single one of your devices with one, single charger.

Your smartphone, the family printer, your kiddo’s tablet, and your work computer. How great would this be? You’d no longer be searching your junk drawer for that one, specific cord.

Similarly, access tokens are the lifeblood of an IAM (Identity and Access Management) infrastructure, impacting gateways, microservices and teams. Consequently, changing access token formats can be costly, time-consuming, and a pain.

This issue led to the IETF standards community brainstorming and then publishing a new standard detailing how to encode and validate an OAuth 2.0 JWT access token. The standardization process, led by Vittorio Bertocci, has been captured in this insightful blog.

We’re happy to announce that RFC 9068 is now Generally Available on Auth0 for all customers. We continue to focus on enabling everyone to safely use any technology, and we hope that RFC 9068 supports you and your team’s Identity solutions. Let’s talk about how to use it.

Access Token Profiles in Auth0

Auth0 now offers the option to choose, on a per-API basis, between two access token profiles: the Auth0 token profile, which remains the default, and RFC 9068.

Based on the selected access token profile for an API, the format of the generated JWT access token changes. The main differences are:

  • The RFC 9068 profile includes the jti claim, a unique identifier for the JWT that a resource server can use for replay detection or per-token revocation.
  • The Auth0 profile carries the client ID in the azp claim, whereas the RFC 9068 profile carries it in the client_id claim.
  • The RFC 9068 profile omits the gty claim, an Auth0-specific claim that records the grant type used to obtain the token.

[Image: tokens of the two profiles side by side, highlighting the differences.] To learn more, refer to the Auth0 Access Tokens Documentation.

Adopting the RFC 9068 profile offers several advantages. Your Auth0 access tokens will be directly interoperable with API gateways and servers that follow the standard, eliminating the need for custom token validation. This flexibility facilitates changing Identity Providers if you need to at some point. Additionally, you can leverage SDKs and tools that support RFC 9068, aligning with well-vetted Identity standards and evolving best practices.

Generate a RFC 9068-Compliant Access Token

The RFC 9068 token profile is Generally Available and supported across all tenants and plans. You can generate an RFC 9068-compliant access token using the same process as obtaining any access token: create a client, configure an API, and request a token.

To create a client, follow the normal process explained in our Get Started guide. The RFC 9068 profile works for all application types and grant types.

Configure an API

Go to Dashboard > Applications > APIs, and select + Create API.

The JSON Web Token (JWT) Profile field determines the format of the API access tokens issued. The available values are Auth0 and RFC 9068.

[Image: API creation page, showing the JSON Web Token (JWT) Profile field where the access token profile is selected.] To learn more, refer to Register APIs.

Get an access token

As an example, let's see how you can request an access token with the client_credentials grant via cURL:

curl --request POST \
  --url https://YOUR_AUTH0_DOMAIN/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"YOUR_CLIENT_ID","client_secret":"YOUR_CLIENT_SECRET","audience":"https://your-api-endpoint","grant_type":"client_credentials"}'

Replace the placeholders YOUR_AUTH0_DOMAIN, YOUR_CLIENT_ID, and YOUR_CLIENT_SECRET with the respective values from your client configuration.

This request generates a response like the following:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Im...",
  "scope": "read:blogs",
  "expires_in": 86400,
  "token_type": "Bearer"
}

The generated access_token will be RFC 9068 compatible.

This works for all grant types of the API. Simply follow the normal flow of a grant type and you will get RFC 9068-compliant access tokens. Easy!

[Image: an RFC 9068-compatible access token generated using the client_credentials grant type.]
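The interoperability claim above rests on resource servers being able to validate the token without custom code. The following added example (not Auth0's code, and not part of the original post) shows what a standards-following resource server checks on the access_token returned by the request above: the at+jwt typ header and the mandatory claims of RFC 9068 section 2.2 (iss, exp, aud, sub, client_id, iat, jti), plus signature, issuer, audience and expiry. It also shows how a gateway reads the client ID under either profile (client_id versus azp) during a migration. Assumptions, so that it runs offline: tokens are signed with HS256 and a constructed shared key (Auth0 issues RS256 tokens, verified against the tenant's JWKS, so swap the hmac check for an RSA verification in practice), the issuer and audience are placeholders, and the two sample tokens and their claim values are constructed here to mirror the two profile shapes described in the post.

```python
# Added example (not Auth0's code): RFC 9068 resource-server validation, stdlib only.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

KEY = b"constructed-shared-secret"       # assumption: HS256 demo key, never use with a real IdP
ISSUER = "https://YOUR_AUTH0_DOMAIN/"    # placeholder tenant issuer
AUDIENCE = "https://your-api-endpoint"   # the API identifier used in the token request
NOW = 1_720_000_000                      # fixed clock so the example is deterministic

# RFC 9068 section 2.2: every one of these claims is mandatory in an access token.
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Build a compact JWS. Used only to construct the sample tokens below."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def client_id_of(claims: dict) -> Optional[str]:
    """Client identifier under either profile: client_id (RFC 9068) or azp (Auth0)."""
    return claims.get("client_id") or claims.get("azp")


def validate_rfc9068(token: str, key: bytes, issuer: str, audience: str,
                     now: Optional[float] = None) -> dict:
    """Return the claims of a valid RFC 9068 access token, else raise ValueError.
    Follows the resource-server validation steps of RFC 9068 section 4."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:  # covers unpack, base64 and JSON decoding errors
        raise ValueError(f"malformed JWT: {exc}") from exc

    # The typ header must be at+jwt; a plain "JWT" (for example an ID token) is rejected.
    if header.get("typ") != "at+jwt":
        raise ValueError(f"typ {header.get('typ')!r} is not 'at+jwt'")
    # Pin the algorithm; never let the token's own alg (least of all "none") choose the check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signature does not verify")

    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing required claims: {missing}")
    if claims["iss"] != issuer:
        raise ValueError("issuer mismatch")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if audience not in aud:
        raise ValueError("token was not issued for this audience")
    if now >= claims["exp"]:
        raise ValueError("token has expired")
    return claims


def rejection_reason(token: str, key: bytes = KEY, issuer: str = ISSUER,
                     audience: str = AUDIENCE, now: float = NOW) -> Optional[str]:
    """None if the token is accepted, otherwise the first reason it was rejected."""
    try:
        validate_rfc9068(token, key, issuer, audience, now)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample tokens: the same client_credentials grant under the two profiles.
COMMON = {"iss": ISSUER, "sub": "abc123@clients", "aud": AUDIENCE,
          "iat": NOW, "exp": NOW + 86400, "scope": "read:blogs"}
RFC9068_TOKEN = mint_hs256({"alg": "HS256", "typ": "at+jwt"},
                           {**COMMON, "client_id": "abc123", "jti": "constructed-jti-1"}, KEY)
AUTH0_PROFILE_TOKEN = mint_hs256({"alg": "HS256", "typ": "JWT"},   # assumed shape of the Auth0 profile
                                 {**COMMON, "azp": "abc123", "gty": "client-credentials"}, KEY)

if __name__ == "__main__":
    print("RFC 9068 profile:", rejection_reason(RFC9068_TOKEN))        # None
    print("Auth0 profile:   ", rejection_reason(AUTH0_PROFILE_TOKEN))  # typ 'JWT' is not 'at+jwt'
```

The order of checks matters: typ, alg and signature are verified before any claim is read, so a token that was never meant for a resource server (or was never signed) is rejected before its contents can influence anything. The Auth0-profile sample fails at the typ check; a token that carried at+jwt but only azp would instead fail the mandatory-claims check for client_id and jti, which is exactly what a gateway migrating between the two profiles needs to expect.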

An Ode to the Great…

Now, this post wouldn’t be complete without taking some time to acknowledge the brains behind RFC 9068, Vittorio Bertocci.

Vittorio was and will continue to be a titan of the Identity industry. Not only was Vittorio a luminary genius in his own right, but he was a funny, witty and authentic human being. His legacy will forever be woven into the work we, and our fellow Identity friends, create for the next years, decades, and beyond. (To read a bit more about our beloved Vittorio, take a look at our celebratory blog about his life here).


To continue Vittorio’s legacy and his passion for giving back to the community, we’d love to share two causes that were incredibly important to Vittorio:

  • Questbridge: providing higher education to lower income students.
  • Pancan: pancreatic cancer research.