ngrok auth verification
Authentication with an Identity-as-a-Service provider such as Auth0 is straightforward in a web application, but we also want to give our CLI users the same convenient SSO experience.
In this article we look at the traditional way of authenticating in the terminal and at how we can improve the experience for our users.
TL;DR
Skip to the Implementation section for the steps and code samples.
The code in this article is simplified for readability. We have also published an open-source library that implements the solution and can save you some work. The library sources are at https://github.com/altostra/altostra-cli-login-auth0 and the NPM package at https://www.npmjs.com/package/@altostra/cli-login-auth0
The traditional solution: using secrets
One way to approach this challenge is to generate a secret that users store in a file manually; this is how AWS access keys, GitHub SSH keys and NPM auth tokens work today.
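To make concrete what a CLI is trusting when it relies on such a hand-placed file, here is an added example (not code from the article or from the @altostra/cli-login-auth0 library) that inventories the static secrets in the two formats the text names, the AWS CLI's ~/.aws/credentials INI file and npm's ~/.npmrc, and attaches the checks a practitioner would run against each: whether other users on the host can read the file, how long the secret has sat there unrotated, and the fact that nothing in the file ever expires. The file contents, paths, permission bits and the 90-day rotation policy are constructed for the example; the key values are placeholders, not real credentials.

```javascript
'use strict';

// Constructed sample files (placeholder values, not real credentials).
const SAMPLE_AWS_CREDENTIALS = `
[default]
aws_access_key_id = AKIAEXAMPLEKEY0000001
aws_secret_access_key = EXAMPLEsecret/0000000000000000000000001

[staging]
aws_access_key_id = AKIAEXAMPLEKEY0000002
aws_secret_access_key = EXAMPLEsecret/0000000000000000000000002
`;

const SAMPLE_NPMRC = `
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken0000000000000000000000
`;

const DAY = 24 * 60 * 60;            // seconds
const MAX_SECRET_AGE = 90 * DAY;     // assumed rotation policy for this example

// Parse an ~/.aws/credentials style INI file into { profile: { key: value } }.
function parseAwsCredentials(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) { current = section[1]; profiles[current] = {}; continue; }
    const eq = line.indexOf('=');
    if (eq === -1 || current === null) continue;
    profiles[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Collect registry auth tokens from ~/.npmrc lines of the form
//   //registry.npmjs.org/:_authToken=<token>
function parseNpmrcTokens(text) {
  const tokens = {};
  for (const raw of text.split('\n')) {
    const m = raw.trim().match(/^(\/\/[^:]+):_authToken=(.+)$/);
    if (m) tokens[m[1]] = m[2];
  }
  return tokens;
}

// Checks that apply to every hand-placed secret. `mode` is the file's permission
// bits (fs.statSync(p).mode & 0o777), `mtime` its modification time in epoch
// seconds (a proxy for when the secret was placed), `now` the current time.
function findingsForFile({ mode, mtime }, now) {
  const findings = [];
  if (mode & 0o077) findings.push('file is readable by other users on this host');
  if (now - mtime > MAX_SECRET_AGE) findings.push('secret is older than the rotation policy and has never been rotated');
  findings.push('secret has no expiry; if stolen it works until someone revokes it by hand');
  return findings;
}

// Inventory the static secrets in a set of credential files and attach the
// findings above to each one. `files` are { path, contents, mode, mtime }
// records; in a real CLI they would come from fs.readFileSync / fs.statSync.
function auditStaticSecrets(files, now) {
  const report = [];
  for (const f of files) {
    const findings = findingsForFile(f, now);
    if (f.path.endsWith('.npmrc')) {
      for (const registry of Object.keys(parseNpmrcTokens(f.contents))) {
        report.push({ path: f.path, secret: `npm token for ${registry}`, findings });
      }
    } else {
      for (const [name, kv] of Object.entries(parseAwsCredentials(f.contents))) {
        if (kv.aws_secret_access_key) {
          report.push({ path: f.path, secret: `AWS profile ${name} (${kv.aws_access_key_id})`, findings });
        }
      }
    }
  }
  return report;
}

// Run the audit over the constructed samples: a world-readable, 200-day-old
// AWS credentials file and a correctly protected, 10-day-old npmrc.
function auditSamples(now = 1700000000) {
  return auditStaticSecrets([
    { path: '/home/dev/.aws/credentials', contents: SAMPLE_AWS_CREDENTIALS, mode: 0o644, mtime: now - 200 * DAY },
    { path: '/home/dev/.npmrc', contents: SAMPLE_NPMRC, mode: 0o600, mtime: now - 10 * DAY },
  ], now);
}

for (const r of auditSamples()) {
  console.log(`${r.secret} in ${r.path}\n  - ${r.findings.join('\n  - ')}`);
}
```

Even the well-protected npmrc still gets one finding, because the weakness is in the model rather than the file permissions: the CLI presents the same secret on every run, forever, and only a human action ends its life. That is the property the rest of the article replaces with an SSO flow that issues expiring tokens.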
This approach has a few drawbacks:
- The secrets don't rotate: an attacker can keep using a stolen secret until the user manually revokes it
- Users must log in and create a secret for each machine they use
- Users must manually delete the files that hold the sec