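Choices, choices, choices: CAS or OpenID?

Source: Choices, choices, choices: CAS or OpenID?

Note: I came across this article a while ago while comparing the Ruby and Python implementations of CAS. This translation was made without the original author's permission and exists only as a personal translation exercise. If there is any problem, please consult the original site.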

With RubyCAS and Ruby-OpenID you have two choices to enable authentication for your application.

But which choice is the best one? Or rather the correct one? That depends on your usage scenario.

RubyCAS and OpenID solve, roughly, two different problems:

  • Single Sign On
  • User account management

Solving the Single Sign On problem
This is RubyCAS’ strength. If you want to offer multiple applications to your users (be it on the internet, or in an intranet), RubyCAS is the better choice. Since it allows proxy authentication, users only have to sign into their account once, and all applications available to them can be used without retyping their credentials when switching applications.

This is the classic environment prompting the need for SSO solutions in general, and RubyCAS fits the bill (especially since it provides Authenticators for common enterprisey storage solutions, like LDAP).

Simplifying sign up
This is where OpenID shines. Users only have to maintain one set of credentials, and can use it wherever they can log in with OpenID. This is a big bonus for you. No need to store passwords, you can automate account creation at the first sign in of your users (you can request account data like passwords, nicknames, first and last names, etc.), and don’t have to worry (a lot) about validation of this data. The user’s OpenID provider took care of that for them.

You can of course offer them an OpenID service with your application, allowing them to use the credentials they use for your application to log in everywhere else.

However, it seems that OpenID doesn’t allow proxy authentication out of the box (you could add it, or maybe the next version will provide support for that, but that is difficult to do in an essentially untrusted network, which leads to things like Kerberos).

So, what should you use?

If you are user-centric, use RubyCAS. Examples of user-centric scenarios would be Google Apps for Domains: One account for all these services.

If you are application-centric, use OpenID. Users will only use one or a few applications you offer, and you can thus simplify the process for them by drastically cutting the number of username/password credentials your users have to maintain.

Remember, though, that OpenID is not an ID verification service! If you plan to use OpenID in an intranet, you should have users use an OpenID server you provide on the intranet, and not have them authenticate via, say, myopenid.com. This also allows you to fine-tune the data stored with OpenID accounts, for example organizational units, supervisors, etc.
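One way to enforce the intranet-only provider rule above is to check the provider endpoint URL before accepting a sign-in. This is an added example, not code from the original article or from Ruby-OpenID; it assumes the application can read the provider endpoint URL from its OpenID library as a string, and the host name `openid.intranet.example`, the function names and the sample URLs are constructed placeholders.

```ruby
require 'uri'

# Assumption: the intranet OpenID server's host name. Constructed placeholder.
TRUSTED_PROVIDER_HOSTS = ['openid.intranet.example'].freeze

# Checks the provider endpoint URL reported for a sign-in.
# Returns :ok, or a symbol naming why the provider is refused.
def provider_check(endpoint_url, trusted_hosts = TRUSTED_PROVIDER_HOSTS)
  uri = URI.parse(endpoint_url.to_s.strip)
  return :not_https unless uri.scheme.to_s.downcase == 'https'
  # A URL such as https://trusted-host@other-host/ names other-host as the
  # server; refuse any userinfo part so log readers are not misled either.
  return :userinfo_present unless uri.userinfo.nil?
  host = uri.host.to_s.downcase.chomp('.') # normalise case and trailing dot
  # Exact match only: a suffix or substring test would also accept
  # openid.intranet.example.other.example.
  trusted_hosts.include?(host) ? :ok : :untrusted_host
rescue URI::InvalidURIError
  :unparseable
end

def trusted_provider?(endpoint_url)
  provider_check(endpoint_url) == :ok
end

# Constructed sample endpoints, not taken from the article.
if __FILE__ == $PROGRAM_NAME
  [
    'https://openid.intranet.example/server',
    'http://openid.intranet.example/server',
    'https://www.myopenid.com/server',
    'https://openid.intranet.example@login.other.example/server',
    'https://openid.intranet.example.other.example/server'
  ].each { |url| puts format('%-62s %s', url, provider_check(url)) }
end
```

Refused sign-ins are worth logging with the returned reason, since repeated `:untrusted_host` results show users trying external providers.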

As you can see, there is no single correct answer. Neither RubyCAS nor Ruby-OpenID is a silver bullet that solves all your account problems. It is a question of what fits your usage scenario best.


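Note: For standalone enterprise applications, that is, when no open service is offered to the outside, CAS is a solution that is very easy to deploy and implement. For example, the server has an official Java version, and you can also build your own with tools or libraries such as RubyCAS-Server and django-cas-provider. In addition, the clients provided by the CAS toolset cover essentially all the languages currently used for B/S (browser/server) development, such as PHP, Ruby, Python and .NET.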
