security - What's the most secure way to authenticate background queue workers using IdentityServer 4?
Problem description
I have tasks that are placed onto a background queue for async processing. The standalone queue worker needs to authenticate to a separate API using IdentityServer 4, essentially "impersonating" the original user that triggered the task.
The two options I can see for doing this are:
- Push the access and refresh tokens of the user into the queue's payload, and use these to authenticate when the task is picked up and executed. The main issue with this is that the queue's payload is stored in a database for an extended period of time, even after execution, meaning access and refresh tokens will be stored.
- Try and recreate this type of user impersonation in IdentityServer 4, https://www.moonlightbytes.com/blog/impersonation-in-identity-server-3. This would mean saving the original user's username in the queue's payload.
My questions are:
- Which one of these two options is preferable and more secure?
- Is there any other way to achieve what I need?
Solution
I would suggest using delegation, i.e. pushing the access token (only) into the queue's payload (to identify the user later on) and using your worker's ClientCredentials to authenticate at the moment of the call.
A refresh token is definitely not to be shared. It is a property of the app it was requested for.
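The delegation approach described in this answer, shown as an added example (not the answerer's code and not part of IdentityServer 4 itself) of a custom extension grant on the IdentityServer side: the worker presents its own client credentials together with the access token stored in the queue payload, and IdentityServer re-validates that token before issuing a new one for the same user. The client id, secret and scope names are assumptions; anything else follows the public IdentityServer4 extension-grant API.

```csharp
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// Worker-side request (for reference): POST to /connect/token with
//   grant_type=delegation&client_id=queue-worker&client_secret=...&token=<stored user access token>
public class DelegationGrantValidator : IExtensionGrantValidator
{
    private readonly ITokenValidator _validator;

    public DelegationGrantValidator(ITokenValidator validator)
    {
        _validator = validator;
    }

    public string GrantType => "delegation";

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // The stored user access token travels in the "token" form field.
        var userToken = context.Request.Raw.Get("token");
        if (string.IsNullOrEmpty(userToken))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
            return;
        }

        // Rejects expired, revoked or wrongly signed tokens, so a stale payload
        // that sat in the queue database too long cannot be exchanged for a fresh token.
        var result = await _validator.ValidateAccessTokenAsync(userToken);
        if (result.IsError)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
            return;
        }

        // Issue the new token for the original user's subject, tagged with this grant type.
        var sub = result.Claims.First(c => c.Type == "sub").Value;
        context.Result = new GrantValidationResult(sub, GrantType);
    }
}

// Startup.ConfigureServices: register the validator (assumed to sit next to your
// existing AddIdentityServer() call).
//   services.AddIdentityServer().AddExtensionGrantValidator<DelegationGrantValidator>();
//
// Client entry for the worker; only this client may use the grant (names assumed):
//   new Client {
//       ClientId = "queue-worker",
//       ClientSecrets = { new Secret("REPLACE-WITH-REAL-SECRET".Sha256()) },
//       AllowedGrantTypes = { "delegation" },
//       AllowedScopes = { "api1" } }
```

Because the stored token is validated at exchange time, a task picked up after the user's access token has expired will get `invalid_grant`; the worker should treat that as a failed task rather than retrying indefinitely.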