Updated: 2021-07-20 15:39:45
So my question is why they are not supported at the moment (are there any architectural problems) and are there plans to support it eventually?
While I can't speak for the ASP.NET team about why they don't want to work on an identity provider project (I guess it would directly conflict with Microsoft's commercial offers, Azure AD and Azure B2C), I can tell you why directly accepting third-party tokens that were not designed to be used by your app is not a good idea, and thus, why it has never been supported in OWIN/Katana and ASP.NET Core.
The reason is actually simple: it's extremely risky to implement, as it's prone to an underestimated class of attack: the confused deputy attack. Details about how this attack works can be found in this great SO answer (note: it mentions the implicit flow, but it actually works with any flow when the confused deputy is the API itself):
FileStore's mistake was not verifying with Google that the access token it was given was truly issued to FileStore; the token was really issued to EvilApp.
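The audience check the quoted answer describes, as an added example that is not part of the original answer or of ASP.NET Core: a resource server ("FileStore") only accepts a bearer token whose `aud` claim names the API's own registered client id, so a perfectly valid token that the provider issued to a different client ("EvilApp") is refused. The HS256 shared secret, the client ids and the `issue_token` helper are constructed stand-ins for the provider's real signing key and registration data.

```python
import base64, hmac, hashlib, json, time

# Constructed values: a shared HMAC secret standing in for the provider's signing key,
# and the client id that FileStore registered with the provider.
SECRET = b"constructed-demo-secret"
FILESTORE_AUDIENCE = "filestore-client-id"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(audience: str, subject: str, secret: bytes = SECRET) -> str:
    """Constructed issuer: mints an HS256 JWT for the given audience (client id)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "exp": int(time.time()) + 3600}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str, expected_audience: str, secret: bytes = SECRET) -> dict:
    """Resource-server side: signature, expiry, and then the audience check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) < time.time():
        raise ValueError("expired")
    # The confused-deputy check: a genuine token issued to EvilApp is still not for this API.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("token not issued to this API")
    return payload

def accepts(token: str, expected_audience: str = FILESTORE_AUDIENCE) -> bool:
    """True only when the token is valid AND was issued for this API."""
    try:
        validate_token(token, expected_audience)
        return True
    except ValueError:
        return False
```

Real providers sign with asymmetric keys and publish a JWKS or a tokeninfo endpoint; the `aud` comparison is the same whichever way the signature is verified.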