Auth: Authn vs Authz
hhstore opened this issue · 4 comments
hhstore commented
AuthN(Authentication) vs AuthZ(Authorization):
Concepts:
- https://www.cloudflare.com/zh-cn/learning/access-management/authn-vs-authz/
- ✅ AuthN is short for Authentication: the focus is login, i.e. identifying who the user is.
- ✅ AuthZ is short for Authorization: the focus is permission checking, i.e. deciding what the user is allowed to do.
- ✅ These are two separate but closely intertwined concepts in the field of Identity and Access Management (IAM).
Extensions:
hhstore commented
AuthN:
References:
- ✅ https://blog.mimvp.com/article/37834.html
- ✅ https://blog.mimvp.com/article/37796.html
- ✅ https://zhuanlan.zhihu.com/p/38942172
Schemes:
- ✅ Basic Auth (HTTP basic authentication): HTTP + password
- ✅ Session-based authentication: HTTP + cookie + session
- ✅ Bearer Token or Basic Auth password
- ✅ JWT (JSON Web Token)
- ✅ OAuth (open authorization)
- ✅ SSO
- ✅ Hardware security devices: hardware tokens (FIDO U2F tokens, RSA tokens, YubiKey)
- ✅ External software devices: mobile devices (SMS/call verification, push approvals, TOTP apps)
- ✅ Biometric chips: fingerprint/face recognition, etc.
- ✅ Two-factor authentication: 2FA, TFA, second-factor authentication
- ✅ Multi-factor authentication (MFA)
JWT:
hhstore commented
AuthZ:
Schemes:
- ✅ Role-based access control (RBAC): access control based on roles
- ✅ Attribute-based access control (ABAC): access control based on attributes
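Added example (not part of the original issue): one request handled in two steps, AuthN first (Basic Auth, as listed in the AuthN comment), then AuthZ with an RBAC check and an ABAC check side by side, so a caller who is authenticated but not permitted gets 403 rather than 401. The user store, roles, department attribute and policy are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed user store. Salted SHA-256 keeps the example short; a real
# deployment would store passwords with a slow KDF (bcrypt, scrypt, Argon2).
SALT = b"example-salt"


def _h(pw):
    return hashlib.sha256(SALT + pw.encode()).hexdigest()


USERS = {
    "alice": {"pw": _h("alice-pass"), "roles": {"editor"}, "dept": "docs"},
    "bob":   {"pw": _h("bob-pass"),   "roles": {"viewer"}, "dept": "sales"},
}
# RBAC policy (constructed): role -> permitted actions.
ROLE_PERMS = {"viewer": {"read"}, "editor": {"read", "write"}}


def authenticate(authorization_header):
    """AuthN via HTTP Basic: returns the username or None if identity is unproven."""
    scheme, _, value = authorization_header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, pw = base64.b64decode(value).decode().partition(":")
    except Exception:
        return None
    rec = USERS.get(user)
    # Constant-time compare so timing does not reveal which step failed.
    if rec is None or not hmac.compare_digest(rec["pw"], _h(pw)):
        return None
    return user


def authorize_rbac(user, action):
    """AuthZ by role: is the action permitted by any role the user holds?"""
    return any(action in ROLE_PERMS.get(r, set()) for r in USERS[user]["roles"])


def authorize_abac(user, action, resource):
    """AuthZ by attributes: anyone may read, writes need matching department."""
    return action == "read" or (action == "write" and resource["dept"] == USERS[user]["dept"])


def handle(authorization_header, action, resource):
    """HTTP-style outcome: 401 (AuthN failed), 403 (AuthZ failed) or 200."""
    user = authenticate(authorization_header)
    if user is None:
        return 401
    if not (authorize_rbac(user, action) and authorize_abac(user, action, resource)):
        return 403
    return 200


def basic(user, pw):
    """Build a Basic Authorization header value for the sample calls."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
```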
hhstore commented