OpenID Connect（OIDC）：為什麼對身份驗證和身份管理很重要

探索OpenID Connect（OIDC），一種現代身份驗證方法，可簡化登錄，增強安全性並改善各種應用程序的用戶體驗。

Let's face it, login systems are everywhere. From ordering pizza to accessing office tools, every app asks you to 'Sign in with Google' or 'Log in with Microsoft'. OpenID Connect (OIDC) is the modern way for apps to authenticate users, building upon OAuth 2.0 to not only grant access but also verify user identity.

面對現實，登錄系統無處不在。從訂購披薩到訪問辦公工具，每個應用都要求您“使用Google登錄”或“使用Microsoft登錄”。 OpenID Connect（OIDC）是應用程序對用戶進行身份驗證的現代方式，它不僅在OAuth 2.0上以授予訪問權限，還可以驗證用戶身份。

What is OpenID Connect (OIDC)?

什麼是OpenID Connect（OIDC）？

In simple terms, OIDC is a modern way for apps to authenticate users by piggybacking on OAuth 2.0. While OAuth is all about granting access to stuff like calendars and photos, OIDC adds an identity layer on top. This means it can also confirm who you are, not just whether you have permission to do something.

簡而言之，OIDC是應用程序通過在OAuth 2.0上進行Piggyback來驗證用戶身份驗證用戶的現代方法。雖然Oauth就是要授予對日曆和照片之類的內容的訪問，但OIDC在頂部添加了身份層。這意味著它也可以確認您是誰，而不僅僅是您是否有權做某事。

Consider SSOJet, a product designed to connect apps with multiple identity providers (like Google, Azure AD, and Okta) using standards like SAML and OIDC. When a customer wants users to log in with their Google or Azure AD account, SSOJet uses OIDC behind the scenes.

考慮使用SAML和OIDC等標準，旨在將應用程序與多個身份提供商（例如Google，Azure AD和Okta）連接起來的產品SSOJET。當客戶希望用戶使用其Google或Azure AD帳戶登錄時，SSOJET會在幕後使用OIDC。

Why Should You Care About OIDC?

您為什麼要關心OIDC？

OIDC makes logins faster, safer, and easier for both developers and users. No one wants to remember another password, and you don’t want to store passwords you don’t have to. With OIDC, you can offload that to trusted providers while still knowing exactly who’s using your app.

OIDC可以使開發人員和用戶更快，更安全，更容易地登錄。沒有人想記住另一個密碼，您不想存儲不必存儲密碼。使用OIDC，您可以將其卸載給受信任的提供商，同時仍然確切地知道誰在使用您的應用程序。

In a nutshell:

簡而言之：

• It’s a standard: Based on OAuth 2.0, widely adopted.
• It’s simple: Easy to implement with existing libraries.
• It’s secure: Offloads authentication to trusted providers.

How the OIDC Login Flow Works

OIDC登錄流程如何工作

When you hit that 'Login with Google' button, here’s what happens: Your app (the Relying Party) delegates the password management to a trusted Identity Provider (IdP) like Google or Microsoft. The IdP handles the login and then tells your app who just signed in.

當您點擊“使用Google登錄”按鈕時，這就是發生的事情：您的應用程序（依賴方）將密碼管理委託給值得信賴的身份提供商（IDP），例如Google或Microsoft。 IDP處理登錄名，然後告訴您的應用程序誰剛剛登錄。

The OIDC Login Flow in Quick Steps:

OIDC登錄流量快速步驟：

1. User clicks “Login.”
2. App redirects the user to the IdP (e.g., Google).
3. User logs in at the IdP.
4. IdP redirects the user back to your app with a special code.
5. Your app exchanges the code for an ID Token (and optionally, an Access Token).
6. Your app validates the ID Token to confirm the user’s identity.

Key Endpoints You’ll Use:

您將使用的關鍵端點：

• /authorize: Where the login flow starts.
• /token: Where you exchange the code for tokens.
• /userinfo: Where you can request more user details (like email, name, etc.).

OIDC standardizes this process, so you don’t have to build a new flow for every IdP.

OIDC標準化了此過程，因此您不必為每個IDP構建一個新的流程。

Picking the Right Identity Provider (IdP)

選擇正確的身份提供商（IDP）

The next thing you’ll need to figure out is which identity provider your app should use. If you’re building for yourself, it’s simple — maybe you just need Google or Microsoft. But if you’re building something where your customers might use different providers (Google, Azure AD, Okta, etc.), you need to be a bit smarter about it.

您需要弄清楚的下一件事是您的應用程序應使用的身份提供商。如果您為自己構建，這很簡單 - 也許您只需要Google或Microsoft。但是，如果您正在構建客戶可能會使用不同的提供商（Google，Azure AD，Okta等）的東西，則需要對此更加聰明。

An IdP is basically the service that handles your users’ authentication. It’s the one saying, “Yep, this person is who they claim to be.”

IDP基本上是處理用戶身份驗證的服務。這是一句話：“是的，這個人是他們自稱是的人。”

OIDC Login Example — .NET Web App

OIDC登錄示例 - .NET Web應用程序

Here’s how to set up a basic OIDC login in a .NET web app:

這是在.NET Web應用中設置基本OIDC登錄的方法：

1. Configure Your Application in your IdP’s developer console.
2. Add NuGet Packages to your .NET project.
3. Update Program.cs / Startup.cs with your IdP details.
4. Add Login and Logout Endpoints to handle the redirects.

Run your app, visit /login, and you’ll get redirected to Google’s sign-in page. Log in, and your app now knows who you are — using OIDC.

運行您的應用程序，訪問 /登錄，您將重定向到Google的登錄頁面。登錄，您的應用現在知道您是誰 - 使用OIDC。

Tokens in OIDC

OIDC中的令牌

When the IdP sends your app a response after a successful login, you’ll typically get:

成功登錄後，當IDP向您的應用發送響應時，您通常會得到：

• ID Token: A JWT that contains user information.
• Access Token: Used to access protected resources.
• Refresh Token: Used to get new Access Tokens without prompting the user to log in again.

Key parts to check in the ID Token:

檢查ID令牌的關鍵部分：

• iss: Issuer (who issued the token).
• sub: Subject (the user’s unique ID).
• aud: Audience (who the token is intended for).
• exp: Expiration time (when the token expires).

Validating Tokens

驗證令牌

Don’t just accept any token you get. Validate it. Here’s what to check before trusting any ID Token:

不要只是接受任何您得到的令牌。驗證它。這是在信任任何ID令牌之前要檢查的內容：

• Check the signature to ensure the token hasn’t been tampered with.
• Verify the issuer (iss) matches your IdP.
• Confirm the audience (aud) is your application.
• Ensure the token hasn’t expired (exp).

Where Should You Store Tokens?

您應該在哪裡存儲令牌？

• ID Tokens: In a secure, HttpOnly cookie (server-side).
• Access Tokens: In memory on the client-side (if needed for API calls).
• Refresh Tokens: Server-side only.

Handling Token Expiry

處理令牌到期

Tokens don’t live forever — and that’s a good thing. When an Access Token or ID Token expires:

令牌不會永遠存在 - 這是一件好事。當訪問令牌或ID令牌到期時：

• Redirect the user to the login page to reauthenticate.
• Use a Refresh Token to get a new Access Token (if you have one).

Wrapping Up

總結

From understanding what OIDC is and how its login flow works, to picking your IdP, wiring it up in a .NET app, handling tokens safely, and managing sessions and logouts like a pro, you're now well-equipped to implement modern authentication in your applications.

從了解OIDC是什麼以及其登錄流程的工作原理，到選擇IDP，將其接線到.NET應用程序，安全處理令牌，以及像專業人士一樣管理會議和登錄，現在您已經準備好在應用程序中實現現代身份驗證。

Next move? Spin up your own test project, plug in Google as an IdP, and watch the magic happen. Once you get the basics down, you’ll be ready to connect Azure AD, Auth0, or any other OIDC-compliant provider you want.

下一步？旋轉您自己的測試項目，將Google插入IDP，然後觀察魔術的發生。一旦獲得基礎知識，您就可以隨時連接Azure AD，Auth0或您想要的任何其他符合OIDC的提供商。

Happy coding, and may your authentication flows always be secure and seamless!

愉快的編碼，願您的身份驗證流總是安全和無縫的！