
I use OAuth 2 for authorization and need to implement it in a load balanced cluster. I've considered a few approaches, but it seems there is no way around a centralized approach. Here are my thoughts:

1. Balancing using source IP

Caching the tokens on one server and balancing by IP would be ideal; however, the IP cannot be assumed to be static. So when the same user tries to access services that require authorization from another IP with a valid token, it will fail, because it is not cached on this machine. Also, other devices logged in with this user will not reach the same machine.

2. Balancing using a load balancing cookie

Also not really an option, since it cannot be assumed that every client implements cookie storage.

3. Balancing using the Authorization header

Balancing by hashing the Authorization: Bearer token header is problematic, because the first request (for requesting the authorization token) has no Authorization header, thus, the following request might not hit the same instance.

My current approach is to use a central Redis instance for authorization token storage. Is there an option left, where a centralized approach can be avoided?


1 Answer


I think you still have two options to consider.

One is balancing by session ID. Application servers can usually be configured to manage sessions either via a cookie or via a GET parameter added to every link, so it does not necessarily require cookie storage. Also, very few HTTP clients still lack cookie storage, so you may want to reconsider item 2 on your list.

The other is using self-contained tokens, such as signed JSON Web Tokens (JWT) (JWS). Verifying a self-contained token may not require a central database; each server instance can check the token signature on its own and extract the authorization details from the token itself. However, if you need to support token revocation, you may still need a central database to store at least a blacklist of revoked tokens.

Although I cannot give you a complete solution, I hope this gives you some ideas.

answered 2013-07-19T14:19:25.410
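The second option in the answer above, self-contained tokens that every instance verifies on its own plus a small shared revocation list, as an added example that is not part of the original question or answer. It uses only the Python standard library: an HS256-signed JWT (JWS compact serialization) is issued once, and any instance holding the shared verification secret can validate it without calling a central token store; only the revoked-token set (keyed by the `jti` claim) is state that would have to live somewhere central such as the Redis instance the question mentions. The secret, subject, scopes and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In a real cluster this is distributed to every
# instance out of band (or replaced by an RSA/EC public key with RS256/ES256
# so that instances hold only verification material, never signing material).
SHARED_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    text += "=" * (-len(text) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(subject, scopes, token_id, ttl, now, secret=SHARED_SECRET):
    """Issue a compact JWS (HS256). Called once by the instance that handles
    the token request; no other instance needs to know about it."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": " ".join(scopes),
               "jti": token_id, "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, revoked, now, secret=SHARED_SECRET):
    """Verify locally on any instance. Returns (True, claims) or (False, reason).
    `revoked` is the shared blacklist of jti values the answer refers to."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        actual_sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm on the verifier side; never let the token's own
    # "alg" header pick the verification routine (this rejects alg=none).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, actual_sig):  # constant-time compare
        return False, "bad signature"
    # Only after the signature checks out do we trust anything in the payload.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("jti") in revoked:
        return False, "revoked"
    return True, claims


def demo():
    """Simulate two instances: A issues the token, B verifies it independently."""
    now = 1_000_000  # constructed clock value
    token = issue_token("alice", ["read", "write"], "t-1", ttl=3600, now=now)
    shared_blacklist = set()  # would be central (e.g. Redis) in a real cluster
    ok, claims = verify_token(token, shared_blacklist, now + 10)  # instance B
    shared_blacklist.add("t-1")  # user logs out: revocation propagates via the blacklist
    revoked, reason = verify_token(token, shared_blacklist, now + 10)
    return ok, claims, revoked, reason


if __name__ == "__main__":
    print(demo())
```

The trade-off the answer points at is visible in `demo()`: instance B never contacts instance A or a token store to accept the token, but the moment revocation is required the `shared_blacklist` becomes the one piece of central state; keeping `exp` short bounds how long a revoked token can still be accepted by an instance whose blacklist view is stale.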