
Token Trust and Traceability in Distributed Computing: Analysis and Recommendations

An analysis of the transition to token-based authentication in distributed computing, covering trust models, traceability challenges, and policy recommendations from the TTT working group.
computingpowercoin.net | PDF Size: 0.2 MB


1 Introduction

The Token Trust and Traceability (TTT) working group addresses major challenges facing distributed computing communities (WLCG, EGI, IGWN) as they move from X.509 certificates to a token-based Authentication and Authorization Infrastructure (AAI). This architectural shift requires rethinking policies and procedures that were originally designed for X.509 and VOMS.

Working group established: 2023 (the year the group was formed to address the challenges of the token transition)

Major infrastructures: 5+ (WLCG, EGI, IGWN, SKA and EuroHPC use tokens)

2 Tokens, Trust and Traceability

2.1 Token Background

Token-based solutions, originally designed by commercial providers (Google, Microsoft), are being adopted by distributed computing infrastructures. The transition involves OpenID Connect Providers (OPs) including Indigo IAM, RCIAM, the GEANT Core AAI Platform, and CILogon.

2.2 Trust Models in Token Systems

The trust model shifts from a hierarchical PKI to distributed, token-based authentication. Major challenges include issuer verification, token revocation, and establishing trust across different domains.

2.3 Traceability Challenges

Maintaining traceability of activity equivalent to what the X.509 system provides poses major challenges in the token environment, and requires new operating procedures for system operators.

3 Technical Implementation

3.1 JWT Token Structure

JSON Web Tokens (JWT) follow the RFC 9068 specification with these key fields:

  • iss: token issuer identifier
  • sub: subject (equivalent to the DN in a certificate)
  • aud: intended audience
  • scope: authorized operations
  • jti: unique token identifier
  • exp/iat/nbf: time-validity claims

3.2 Mathematical Foundation

Token trust rests on cryptographic signatures. The verification process can be represented as:

$\text{Verify}(token, key) = \text{true} \iff \text{Signature}(header.payload) = \text{signature}$

where the signature algorithm is typically RS256: $\text{RSASSA-PKCS1-v1\_5 using SHA-256}$

3.3 Code Implementation

// Example token validation code.
// getPublicKey, verifySignature, getTokenPayload and validateClaims are
// assumed helpers supplied by the issuer integration; they are not defined here.
function validateToken(token, issuerConfig, expectedAudience, currentTime) {
    // Split the token and decode its header (base64url, then JSON)
    const headerPart = token.split('.')[0];
    const header = JSON.parse(Buffer.from(headerPart, 'base64url').toString('utf8'));

    // Verify the signature with the issuer's public key, selected by key id
    const signingKey = getPublicKey(issuerConfig.iss, header.kid);
    const isValid = verifySignature(token, signingKey);

    // Validate the claims only after the signature has been verified
    if (isValid) {
        const payload = getTokenPayload(token);
        return validateClaims(payload, {
            issuer: issuerConfig.iss,
            audience: expectedAudience,
            expiration: currentTime
        });
    }
    return false;
}

4 Test Results

The working group conducted extensive testing across multi-cluster middleware stacks. Key findings include:

Token Validation Performance

Testing showed JWT validation running 40% faster than X.509 certificate-chain validation in distributed environments. However, token revocation checks introduce additional latency that must be managed through caching strategies.
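The caching trade-off mentioned above has a concrete cost that a validator operator should see in numbers: a cached revocation answer saves remote calls, but a token revoked after the lookup keeps being accepted until the cache entry expires. The following added example (not code from the paper; the RevocationCache class, the simulate scenario and the in-memory Set standing in for the issuer's revocation check are all this example's own constructions) measures both effects and shows how an issuer-pushed revocation event can shorten the stale window.

```javascript
// Added example (not from the paper or the TTT working group): caching
// revocation lookups so a validator does not contact the issuer on every
// request. The issuer-side revocation list is a constructed in-memory Set
// standing in for a real remote check; RevocationCache and all names here are
// this example's own.
class RevocationCache {
  // lookup: function (jti) -> boolean, true when the issuer reports it revoked
  constructor(lookup, ttlSeconds) {
    this.lookup = lookup;
    this.ttl = ttlSeconds;
    this.entries = new Map(); // jti -> { revoked, fetchedAt }
    this.remoteCalls = 0;     // how often the issuer was actually asked
  }

  // Returns the cached answer while it is younger than ttl, else refreshes it.
  // A token revoked after the cached lookup stays accepted until the entry
  // expires, so ttl is the maximum acceptance window after revocation.
  isRevoked(jti, now) {
    const hit = this.entries.get(jti);
    if (hit && now - hit.fetchedAt < this.ttl) return hit.revoked;
    this.remoteCalls += 1;
    const revoked = this.lookup(jti);
    this.entries.set(jti, { revoked, fetchedAt: now });
    return revoked;
  }

  // Drop an entry early, e.g. when the issuer pushes a revocation event.
  invalidate(jti) {
    this.entries.delete(jti);
  }
}

// Constructed scenario showing the latency/staleness trade-off in numbers.
function simulate() {
  const revokedAtIssuer = new Set();
  const cache = new RevocationCache((jti) => revokedAtIssuer.has(jti), 300);
  const t0 = 1700000000;

  // 100 requests with the same token inside one TTL window: one remote call.
  for (let i = 0; i < 100; i += 1) cache.isRevoked("job-42", t0 + i);
  const remoteCallsAfterBurst = cache.remoteCalls;

  // The issuer revokes the token; the cache keeps answering from the old entry.
  revokedAtIssuer.add("job-42");
  const staleAnswer = cache.isRevoked("job-42", t0 + 200); // entry still fresh
  const freshAnswer = cache.isRevoked("job-42", t0 + 300); // TTL elapsed, refetched

  // A pushed revocation event lets the validator skip the stale window.
  cache.isRevoked("job-43", t0);
  revokedAtIssuer.add("job-43");
  cache.invalidate("job-43");
  const afterInvalidate = cache.isRevoked("job-43", t0 + 10);

  return { remoteCallsAfterBurst, staleAnswer, freshAnswer, afterInvalidate,
           totalRemoteCalls: cache.remoteCalls };
}
```

Choosing the TTL is therefore a policy decision, not only a performance one: it is the longest time a revoked token can still be honoured by a validator that relies on polling alone, which is why the invalidate path (fed by issuer notifications) matters as much as the cache itself.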

Key Insights

  • Token-based systems reduce administrative overhead by 60% compared with X.509
  • Traceability requires standardized logging across all middleware components
  • Hybrid approaches may be necessary during transition periods

5 Future Applications

Token-based AAI enables new capabilities, including:

  • Federated identity across research infrastructures
  • Dynamic authorization based on real-time attributes
  • Improved user experience through reduced credential management
  • Enhanced security through short-lived credentials

6 References

  1. Jones, M., et al. "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens", RFC 9068 (2021)
  2. WLCG Authorization Working Group. "Token-Based Authorization for WLCG" (2023)
  3. Hardt, D. "The OAuth 2.0 Authorization Framework", RFC 6749 (2012)
  4. Sakimura, N., et al. "OpenID Connect Core 1.0" (2014)

Expert Analysis: The Significance of the Token Transition

Bottom line: The distributed computing community's move from X.509 to tokens is not merely a technical upgrade; it is a fundamental architectural shift that will either unlock unprecedented collaboration or create a security nightmare if implemented poorly.

Chain of reasoning: The transition follows an inevitable progression: commercial cloud adoption, then observation by research infrastructures, then standardization efforts, then implementation. Like the move from IPv4 to IPv6, this shift is driven by the limits of the old system's capabilities. X.509 infrastructures, though robust, create administrative bottlenecks that hinder the cross-institutional collaboration modern science requires. As noted in the OAuth 2.0 security best practices (RFC 6819), token-based systems reduce the attack surface by limiting credential exposure.

Highlights and problems: The working group's recognition that traceability requirements have not changed, only the mechanisms for meeting them, is important. This parallels a lesson from the CycleGAN paper (Zhu et al., 2017), where the core task (image translation) stayed the same while the method advanced substantially. However, the paper does not address governance challenges. Token-based systems shift trust decisions from hierarchical certificate authorities to distributed identity providers, creating potential policy-enforcement gaps. The "one issuer per VO" model in WLCG works for their setup but may not scale to more dynamic collaborations.

Practical advice: Infrastructure operators should begin deploying token validation alongside their existing X.509 systems now, following the dual-stack approach used successfully in the IPv6 transition. Identity providers must standardize claim formats and logging practices. Most importantly, research collaborations should establish explicit trust frameworks before technical implementation, learning from GEANT's Trust and Identity work on federated identity. The elegant mathematics of JWT verification ($\text{Verify}(token, key)$) hides operational complexity; success requires careful attention to both.