OpenID Connect (OIDC): Why It Matters for Authentication and Identity Management

2025/06/20 15:49

Explore OpenID Connect (OIDC), a modern authentication method that simplifies login, strengthens security and improves the user experience across a wide range of applications.

Let's face it, login systems are everywhere. From ordering pizza to accessing office tools, every app asks you to 'Sign in with Google' or 'Log in with Microsoft'. OpenID Connect (OIDC) is the modern way for apps to authenticate users, building upon OAuth 2.0 to not only grant access but also verify user identity.

What is OpenID Connect (OIDC)?

In simple terms, OIDC is a modern way for apps to authenticate users by piggybacking on OAuth 2.0. While OAuth is all about granting access to stuff like calendars and photos, OIDC adds an identity layer on top. This means it can also confirm who you are, not just whether you have permission to do something.

Consider SSOJet, a product designed to connect apps with multiple identity providers (like Google, Azure AD, and Okta) using standards like SAML and OIDC. When a customer wants users to log in with their Google or Azure AD account, SSOJet uses OIDC behind the scenes.

Why Should You Care About OIDC?

OIDC makes logins faster, safer, and easier for both developers and users. No one wants to remember another password, and you don’t want to store passwords you don’t have to. With OIDC, you can offload that to trusted providers while still knowing exactly who’s using your app.

In a nutshell:

  • It’s a standard: Based on OAuth 2.0, widely adopted.
  • It’s simple: Easy to implement with existing libraries.
  • It’s secure: Offloads authentication to trusted providers.

How the OIDC Login Flow Works

When you hit that 'Login with Google' button, here’s what happens: Your app (the Relying Party) delegates the password management to a trusted Identity Provider (IdP) like Google or Microsoft. The IdP handles the login and then tells your app who just signed in.

The OIDC Login Flow in Quick Steps:

  1. User clicks “Login.”
  2. App redirects the user to the IdP (e.g., Google).
  3. User logs in at the IdP.
  4. IdP redirects the user back to your app with a special code.
  5. Your app exchanges the code for an ID Token (and optionally, an Access Token).
  6. Your app validates the ID Token to confirm the user’s identity.

Key Endpoints You’ll Use:

  • /authorize: Where the login flow starts.
  • /token: Where you exchange the code for tokens.
  • /userinfo: Where you can request more user details (like email, name, etc.).

OIDC standardizes this process, so you don’t have to build a new flow for every IdP.
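The app-side half of the flow above (steps 2, 4 and 5) as an added Python example; this is not code from the original post. The IdP endpoint, client id and redirect URI are placeholders, and the actual HTTP redirect and POST are left to whatever web framework you use.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def build_authorize_request(authorize_endpoint, client_id, redirect_uri,
                            scope="openid email profile"):
    """Step 2: build the redirect to the IdP's /authorize endpoint.
    state is stored in the user's session and compared on the callback;
    nonce is echoed back inside the ID Token so it can be checked there."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",   # authorization code flow: only a code in the URL
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,            # 'openid' is what makes this an OIDC request
        "state": state,
        "nonce": nonce,
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state):
    """Step 4: the IdP sent the browser back with ?code=...&state=...
    Reject the callback unless state matches the value stored in step 2."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"IdP returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Step 5: form fields the server POSTs to /token. This runs server-side,
    never in the browser, because it carries the client secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the redirect_uri sent in step 2
        "client_id": client_id,
        "client_secret": client_secret,
    }
```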

Picking the Right Identity Provider (IdP)

The next thing you’ll need to figure out is which identity provider your app should use. If you’re building for yourself, it’s simple — maybe you just need Google or Microsoft. But if you’re building something where your customers might use different providers (Google, Azure AD, Okta, etc.), you need to be a bit smarter about it.

An IdP is basically the service that handles your users’ authentication. It’s the one saying, “Yep, this person is who they claim to be.”

OIDC Login Example — .NET Web App

Here’s how to set up a basic OIDC login in a .NET web app:

  1. Configure Your Application in your IdP’s developer console.
  2. Add NuGet Packages to your .NET project.
  3. Update Program.cs / Startup.cs with your IdP details.
  4. Add Login and Logout Endpoints to handle the redirects.

Run your app, visit /login, and you’ll get redirected to Google’s sign-in page. Log in, and your app now knows who you are — using OIDC.

Tokens in OIDC

When the IdP sends your app a response after a successful login, you’ll typically get:

  • ID Token: A JWT that contains user information.
  • Access Token: Used to access protected resources.
  • Refresh Token: Used to get new Access Tokens without prompting the user to log in again.

Key parts to check in the ID Token:

  • iss: Issuer (who issued the token).
  • sub: Subject (the user’s unique ID).
  • aud: Audience (who the token is intended for).
  • exp: Expiration time (when the token expires).

Validating Tokens

Don’t just accept any token you get. Validate it. Here’s what to check before trusting any ID Token:

  • Check the signature to ensure the token hasn’t been tampered with.
  • Verify the issuer (iss) matches your IdP.
  • Confirm the audience (aud) is your application.
  • Ensure the token hasn’t expired (exp).
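An added Python implementation of these four checks plus the nonce check from the login flow; it is not code from the original post. It assumes the ID Token is signed with HS256 using the client secret as the key (which OIDC Core allows for confidential clients) so it runs with the standard library alone; Google and most hosted IdPs sign with RS256, where the signature step instead verifies against the key published at the IdP's JWKS endpoint, while the iss, aud, exp and nonce checks are unchanged. The IdP is simulated by a constructed token.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(segment):
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_id_token(claims, client_secret):
    # Stands in for the IdP so the example runs offline (constructed token)
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token, client_secret, issuer, client_id, nonce=None, now=None):
    """Return the claims only if every check passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # 1. Signature: pin the expected alg; an 'alg: none' token must fail here
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed: token altered or not from this IdP")
    claims = json.loads(b64url_decode(payload_b64))
    # 2. Issuer must be exactly the IdP you configured
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    # 3. Audience must include your client_id ('aud' may be a string or a list)
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:
        raise ValueError("token was issued for a different application")
    # 4. Expiry: reject once exp has been reached
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    # Nonce (from the session) ties the token to the login this app started
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token does not belong to this login")
    return claims
```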

Where Should You Store Tokens?

  • ID Tokens: In a secure, HttpOnly cookie (server-side).
  • Access Tokens: In memory on the client-side (if needed for API calls).
  • Refresh Tokens: Server-side only.

Handling Token Expiry

Tokens don’t live forever — and that’s a good thing. When an Access Token or ID Token expires:

  • Redirect the user to the login page to reauthenticate.
  • Use a Refresh Token to get a new Access Token (if you have one).

Wrapping Up

From understanding what OIDC is and how its login flow works, to picking your IdP, wiring it up in a .NET app, handling tokens safely, and managing sessions and logouts like a pro, you're now well-equipped to implement modern authentication in your applications.

Next move? Spin up your own test project, plug in Google as an IdP, and watch the magic happen. Once you get the basics down, you’ll be ready to connect Azure AD, Auth0, or any other OIDC-compliant provider you want.

Happy coding, and may your authentication flows always be secure and seamless!
