Question:
Scenario:
- A controller process obtains a short-lived JWT access token and a refresh token handle using the client credentials grant.
- The controller spawns one or more isolated worker nodes and passes the access and refresh tokens to the node(s).
- The child node may continue with a long-running task during which the access token may expire and a refresh needs to occur.
- In a background thread, before expiration, the agent refreshes its token and the access token is regenerated. The need for short-lived access tokens and a refresh lifecycle is to regenerate temporal JWT claims (claims that are time-transitive, such as URIs).
- The child may return a response to the parent. Both the parent and children need to maintain an independent session validation lifecycle without invalidating the other.
Assumptions: Assume each process is an atomic unit of work with independent state. The access token is authenticated once by the controller and passed down with its refresh token to N+1 or N*N worker nodes.
Any given N process may proactively regenerate its access token with the refresh token handed down to it, to extend its lifetime and prevent expiration.
The process may run in a trusted (private) or untrusted (public) environment over HTTPS & SSL.
There is one authorization server and one API resource server.
Problem: How would the agent validate both the access token and refresh token lifetimes, ensuring that any child or parent process can refresh its session during its lifetime without exposing any security attack vectors or invalidating another agent in the pool?
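The refresh lifecycle the question describes, as an added example (this is not part of the question or the answer, and not code from any project named on the page). It models the single authorization server as a stand-in class that issues short-lived HS256 JWT access tokens with rotating refresh-token handles and reuse detection, and a per-process session object that refreshes proactively before the `exp` claim is reached. The class and function names (`AuthServer`, `TokenSession`, `shared_handle_scenario`, `per_worker_scenario`), the client id `ctrl`, the secret, the signing key and the TTL/skew values are all constructed assumptions; time is injected as `now` instead of read from a background thread so the runs are deterministic. The shared-handle run shows the exact failure the question worries about: when the controller hands one refresh handle to N workers, the first worker's refresh rotates the handle, the second worker's refresh is detected as reuse and the whole token family is revoked, which also kills the first worker's next refresh. The per-worker run shows that giving each worker its own grant (own refresh family) keeps the lifecycles independent.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key for HS256 signing (hypothetical value); a real
# authorization server uses its own key material.
SECRET = b"constructed-demo-hs256-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWS so a worker can read the exp claim it refreshes on."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def decode_jwt(token: str, key: bytes = SECRET) -> dict:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))

class AuthServer:
    """Stand-in for the single authorization server: short-lived access tokens,
    rotating refresh handles, and reuse detection per refresh-token family."""
    ACCESS_TTL = 300  # seconds; deliberately short-lived

    def __init__(self):
        self._refresh = {}     # refresh handle -> {"family": str, "used": bool}
        self._revoked = set()  # families revoked after a reuse was detected

    def client_credentials(self, client_id, client_secret, now):
        if (client_id, client_secret) != ("ctrl", "ctrl-secret"):  # constructed creds
            raise PermissionError("invalid_client")
        return self._issue(family=secrets.token_hex(8), now=now)

    def _issue(self, family, now):
        handle = secrets.token_urlsafe(16)
        self._refresh[handle] = {"family": family, "used": False}
        access = encode_jwt({"sub": "ctrl", "iat": now, "exp": now + self.ACCESS_TTL})
        return {"access_token": access, "refresh_token": handle}

    def refresh(self, handle, now):
        rec = self._refresh.get(handle)
        if rec is None or rec["family"] in self._revoked:
            raise PermissionError("invalid_grant")
        if rec["used"]:
            # A rotated handle presented a second time is indistinguishable from
            # theft, so the whole family is revoked; this is what breaks siblings.
            self._revoked.add(rec["family"])
            raise PermissionError("invalid_grant: reuse detected")
        rec["used"] = True
        return self._issue(rec["family"], now)

class TokenSession:
    """What each controller/worker process holds; refreshes before exp."""
    SKEW = 60  # refresh this many seconds ahead of expiry

    def __init__(self, server, grant):
        self.server, self.grant = server, grant

    def access_token(self, now):
        exp = decode_jwt(self.grant["access_token"])["exp"]
        if exp - now <= self.SKEW:
            self.grant = self.server.refresh(self.grant["refresh_token"], now)
        return self.grant["access_token"]

def _try(session, now):
    try:
        session.access_token(now)
        return "ok"
    except PermissionError:
        return "revoked"

def shared_handle_scenario():
    """Controller hands the same refresh handle to two workers."""
    srv = AuthServer()
    grant = srv.client_credentials("ctrl", "ctrl-secret", now=0)
    w0, w1 = TokenSession(srv, dict(grant)), TokenSession(srv, dict(grant))
    return [_try(w0, 250), _try(w1, 250), _try(w0, 500)]

def per_worker_scenario():
    """Controller obtains a separate grant (own refresh family) per worker."""
    srv = AuthServer()
    w0, w1 = (TokenSession(srv, srv.client_credentials("ctrl", "ctrl-secret", now=0))
              for _ in range(2))
    return [_try(w0, 250), _try(w1, 250), _try(w0, 500), _try(w1, 500)]

if __name__ == "__main__":
    print(shared_handle_scenario())  # ['ok', 'revoked', 'revoked']
    print(per_worker_scenario())     # ['ok', 'ok', 'ok', 'ok']
```

The point to take from the two runs: a refresh handle is a single-use credential once the authorization server rotates on refresh, so copying it to N workers is what creates the "one agent invalidates another" problem rather than solving it. Issuing each worker its own grant (or a token scoped down from the controller's) keeps each refresh family independent, and the reuse-detection branch still protects the pool if a handle leaks in the untrusted environment the question mentions.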
Answer 1:
Mutual TLS client certificate authentication may be a good option for this. It involves parties authenticating each other by verifying the provided digital certificate, so that both parties are assured of the other's identity. In technology terms, it refers to a client application authenticating itself to a server, and that server also authenticating itself to the client, by verifying the public key certificate/digital certificate issued by trusted Certificate Authorities (CAs).
Source: https://stackoverflow.com/questions/46305577/oauth-2-0-many-to-many-delegated-client-credential-flow-scenario