yhzhu的随手记

A gateway-level Per-Client authorization isolation design for protecting multiple applications with one IAM platform, covering X-Expected-Client-Id, access levels, and entitlement policy boundaries.

在统一 IAM 平台保护多个业务应用的场景下，通过网关层 Per-Client 鉴权隔离防止跨应用 Token 滥用，覆盖 X-Expected-Client-Id 机制、访问级别与 entitlement 策略链的设计边界。

在 OAuth2/JWT 体系下，用 HMAC 签名 Cookie + Redis SID 双层结构管理浏览器会话，把浏览器登录态、令牌生命周期和撤销信号放到同一套治理模型里。

Managing browser sessions in an OAuth2/JWT system with a dual-layer structure: HMAC-signed cookies plus Redis-backed SIDs, aligning browser login state, token lifecycle, and revocation signals under one governance model.

探讨企业 IAM 架构中同时保留联合登录与本地密码认证的设计考量，分析容灾场景、安全成本分布与认证路径收敛的工程实践。

Building an enterprise-grade identity relay architecture based on standard OAuth2/OIDC protocols for unified access decisions and identity profile aggregation across systems, covering federated login flow, transparent authentication, SID session management, and instant permission propagation.

基于标准 OAuth2/OIDC 协议构建企业级身份中继架构，实现跨系统的统一准入决策与身份画像汇聚，覆盖联合登录流程、透明鉴权流、SID 会话管理与权限即时生效机制。

梳理 OAuth2/OIDC 中 access token、refresh token、授权码、浏览器会话与服务端会话撤销之间的边界，说明前后端常见超时现象与推荐的时间配置思路。

Clarifying the boundaries between access tokens, refresh tokens, authorization codes, browser sessions, and server-side session revocation in OAuth2/OIDC, with explanations of common timeout phenomena and recommended time configuration strategies.

A detailed walkthrough of troubleshooting OAuth2 redirect URLs with incorrect ports in a multi-layer proxy architecture using APISIX, and the complete solution via configuring trusted_addresses.