Identity & Access Management

Authentication vs Authorization

  • Authentication (AuthN): Who are you?
  • Authorization (AuthZ): What can you do?

OAuth 2.0 Flows

Authorization Code (Web Apps)

User -> App -> Auth Server -> User Login
User -> Auth Server -> App (code)
App -> Auth Server (code + secret) -> tokens

PKCE (Mobile/SPA)

Same as Authorization Code, but the client proves possession of a random code verifier (sent as a hashed code challenge when requesting the code, and in the clear when redeeming it) instead of a client secret.
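The verifier/challenge exchange, as an added example in TypeScript that is not part of the original page: the client side derives an S256 challenge from a random verifier, and the authorization server stores the challenge with the issued code and checks the verifier at the token endpoint. The in-memory code store, the one-minute code lifetime and the function names are assumptions made for this illustration; the challenge derivation follows RFC 7636.

```typescript
// Added example, not from the original page: the PKCE exchange between a
// public client (mobile app / SPA) and an authorization server using the
// S256 method of RFC 7636. The in-memory code store and the function
// names are assumptions for this illustration.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// --- Client side ----------------------------------------------------------
// 32 random bytes encode to 43 characters, the minimum verifier length RFC 7636 allows.
function makeCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(code_verifier))
function makeCodeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// --- Authorization server side --------------------------------------------
interface PendingCode { challenge: string; method: "S256"; issuedAt: number }
const pendingCodes = new Map<string, PendingCode>();
const CODE_LIFETIME_MS = 60000; // assumption: codes are short-lived and single use

// After the user has logged in: the challenge is bound to the code it was sent with.
function issueAuthorizationCode(challenge: string, now: number = Date.now()): string {
  const code = base64url(randomBytes(24));
  pendingCodes.set(code, { challenge, method: "S256", issuedAt: now });
  return code;
}

// Token endpoint: the client presents code + verifier instead of a client secret.
function redeemAuthorizationCode(code: string, verifier: string, now: number = Date.now()): boolean {
  const pending = pendingCodes.get(code);
  pendingCodes.delete(code); // a code is consumed on first presentation, valid or not
  if (!pending) return false;
  if (now - pending.issuedAt > CODE_LIFETIME_MS) return false;
  if (verifier.length < 43 || verifier.length > 128) return false; // RFC 7636 length bounds
  const expected = Buffer.from(pending.challenge);
  const actual = Buffer.from(makeCodeChallenge(verifier));
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

The server never sees the verifier until the token request, so an attacker who intercepts the redirect carrying the code cannot redeem it; the constant-time comparison and single-use deletion are the two details most often missed in hand-rolled implementations.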

Client Credentials (Machine-to-Machine)

App -> Auth Server (client_id + secret) -> token

OpenID Connect (OIDC)

OAuth 2.0 + identity layer.
Key additions:
  • ID Token (JWT with user info)
  • UserInfo endpoint
  • Standard claims (sub, email, name)

JWT Structure

header.payload.signature

Header: {"alg": "RS256", "typ": "JWT"}
Payload: {"sub": "123", "exp": 1234567890}
Signature: RSASHA256(base64url(header) + "." + base64url(payload), privateKey)
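Minting and checking a token with exactly this structure, as an added TypeScript example that is not part of the original page: the verifier pins the algorithm to RS256 before looking at the signature, rejects malformed segments, and enforces `exp`. The key pair is generated inline so the file runs offline, and the function names are assumptions.

```typescript
// Added example, not from the original page: sign and verify an RS256 JWT
// with the header.payload.signature layout shown above. Function names
// and the inline demo key pair are assumptions for this illustration.
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "crypto";

function b64url(data: Buffer | string): string {
  const buf = typeof data === "string" ? Buffer.from(data, "utf8") : data;
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromB64url(s: string): Buffer {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, "base64");
}

// A segment that is not valid base64url-encoded JSON yields undefined, never an exception.
function decodeSegment(segment: string): unknown {
  try {
    return JSON.parse(fromB64url(segment).toString("utf8"));
  } catch {
    return undefined;
  }
}

interface JwtPayload { sub: string; exp: number; [claim: string]: unknown }

function signJwt(payload: JwtPayload, privateKey: KeyObject): string {
  const signingInput = `${b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}`;
  const signature = createSign("RSA-SHA256").update(signingInput).sign(privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Returns the payload only if the token is well formed, uses the single
// algorithm this verifier accepts, carries a valid signature and has not expired.
function verifyJwt(token: string, publicKey: KeyObject, nowSeconds: number): JwtPayload | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  // Pin the algorithm: the token's own header must never select it ("none", HS256 confusion).
  const header = decodeSegment(h) as { alg?: unknown } | undefined;
  if (!header || header.alg !== "RS256") return null;
  if (!createVerify("RSA-SHA256").update(`${h}.${p}`).verify(publicKey, fromB64url(s))) return null;
  const payload = decodeSegment(p) as Partial<JwtPayload> | undefined;
  if (!payload || typeof payload.sub !== "string" || typeof payload.exp !== "number") return null;
  if (payload.exp <= nowSeconds) return null;
  return payload as JwtPayload;
}

// Demo key pair, generated fresh on each run (a real service loads its key from a KMS/HSM).
const demoKeys = generateKeyPairSync("rsa", { modulusLength: 2048 });
```

Checking the signature over the base64url-encoded segments exactly as received, rather than over re-serialized JSON, is what makes the verification match the signer; re-encoding the payload would silently change whitespace or key order and fail valid tokens.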

Role-Based Access Control (RBAC)

```typescript
// A user carries a set of roles; each role grants a set of resource/action pairs.
interface User {
  roles: Role[];
}

interface Role {
  name: string;
  permissions: Permission[];
}

interface Permission {
  resource: string;
  action: 'read' | 'write' | 'delete';
}

// Deny by default: the user is allowed only if at least one of their roles
// grants exactly this resource/action pair.
function hasPermission(user: User, resource: string, action: string): boolean {
  return user.roles.some(role =>
    role.permissions.some(p =>
      p.resource === resource && p.action === action
    )
  );
}
```

Best Practices

Passwords

  • Minimum 12 characters
  • Hash with Argon2id or bcrypt
  • Never store plaintext
  • Implement rate limiting

Sessions

  • Use secure, HttpOnly cookies
  • Implement CSRF protection
  • Set appropriate expiration
  • Invalidate on logout

Tokens

  • Short-lived access tokens (15 min)
  • Longer refresh tokens (days)
  • Rotate refresh tokens
  • Store securely (not localStorage)
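The three token rules above (short-lived access token, longer refresh token, rotation) in working form, as an added TypeScript example that is not part of the original page. It goes one step beyond the list: because every refresh token is rotated, a rotated-out token showing up again is evidence of theft or replay, so the service revokes the whole token family. The class, the in-memory store and the seven-day refresh lifetime are assumptions for this illustration.

```typescript
// Added example, not from the original page: an in-memory token service
// that issues a 15-minute access token with a longer-lived refresh token,
// rotates the refresh token on every use, and revokes the whole family when
// an already-rotated token is presented again. The class layout and the
// 7-day refresh lifetime are assumptions for this illustration.
import { createHash, randomBytes } from "crypto";

const ACCESS_TTL = 15 * 60;            // seconds, matching the "15 min" rule above
const REFRESH_TTL = 7 * 24 * 60 * 60;  // seconds ("days"); assumption: 7

interface RefreshRecord {
  userId: string;
  family: string;    // every token descended from one login shares a family id
  expiresAt: number;
  consumed: boolean; // set when rotated; a consumed token seen again means replay or theft
}

interface TokenPair { accessToken: string; accessExpiresAt: number; refreshToken: string }

class TokenService {
  // Keyed by SHA-256 of the refresh token so a leaked store yields no usable tokens.
  private refresh = new Map<string, RefreshRecord>();

  private static hash(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  private mint(userId: string, family: string, now: number): TokenPair {
    const refreshToken = randomBytes(32).toString("hex");
    this.refresh.set(TokenService.hash(refreshToken), {
      userId, family, expiresAt: now + REFRESH_TTL, consumed: false,
    });
    // The access token here is opaque; a JWT would carry userId and exp inside it.
    return { accessToken: randomBytes(32).toString("hex"), accessExpiresAt: now + ACCESS_TTL, refreshToken };
  }

  // Login starts a fresh family.
  login(userId: string, now: number): TokenPair {
    return this.mint(userId, randomBytes(16).toString("hex"), now);
  }

  // Exchange a refresh token for a new pair; null means the request must be rejected.
  rotate(refreshToken: string, now: number): TokenPair | null {
    const key = TokenService.hash(refreshToken);
    const rec = this.refresh.get(key);
    if (!rec) return null;
    if (rec.consumed) {
      // Reuse detected: whichever party holds the stolen copy, nobody in this family continues.
      this.revokeFamily(rec.family);
      return null;
    }
    if (rec.expiresAt <= now) {
      this.refresh.delete(key);
      return null;
    }
    rec.consumed = true;
    return this.mint(rec.userId, rec.family, now);
  }

  // Logout, or detected reuse: nothing in the family may be used again.
  revokeFamily(family: string): void {
    this.refresh.forEach((rec, key) => {
      if (rec.family === family) this.refresh.delete(key);
    });
  }
}
```

Keeping the consumed record around (rather than deleting it at rotation) is what makes reuse detectable; the trade-off is storage, which is why the family is purged as soon as a replay is seen or the user logs out.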

MFA

  • Support TOTP (Google Authenticator)
  • Consider WebAuthn/passkeys
  • Backup codes for recovery
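What "support TOTP" means on the server side, as an added TypeScript example that is not part of the original page: the HOTP/TOTP computation from RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits, the defaults Google Authenticator uses), a verifier that tolerates one step of clock drift in either direction, and replay protection by remembering the last accepted counter. Function names are assumptions; the test values are the published RFC 6238 vectors.

```typescript
// Added example, not from the original page: RFC 4226 HOTP and RFC 6238
// TOTP as an authenticator app computes them (SHA-1, 30 s step, 6 digits),
// with a +/-1 step verification window and replay protection. Function
// names are assumptions for this illustration.
import { createHmac, timingSafeEqual } from "crypto";

const STEP_SECONDS = 30;

function hotp(secret: Buffer, counter: number, digits: number = 6): string {
  const msg = Buffer.alloc(8); // 8-byte big-endian counter
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  // Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  let code = String(binary % Math.pow(10, digits));
  while (code.length < digits) code = "0" + code;
  return code;
}

function totpCounter(unixSeconds: number): number {
  return Math.floor(unixSeconds / STEP_SECONDS);
}

function totp(secret: Buffer, unixSeconds: number, digits: number = 6): string {
  return hotp(secret, totpCounter(unixSeconds), digits);
}

function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Returns the counter that matched, or null. The caller persists the returned
// value as lastAcceptedCounter so the same code cannot be replayed within the window.
function verifyTotp(secret: Buffer, code: string, unixSeconds: number,
                    lastAcceptedCounter: number, window: number = 1): number | null {
  const center = totpCounter(unixSeconds);
  for (let c = center - window; c <= center + window; c++) {
    if (c <= lastAcceptedCounter) continue; // already used, or older than something already used
    if (safeEqual(hotp(secret, c), code)) return c;
  }
  return null;
}
```

Storing the last accepted counter per user is cheap and closes the gap the drift window opens: without it a code observed over the shoulder remains valid for up to 90 seconds. Rate limiting of attempts, from the Passwords section above, applies to the second factor as well.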