使用OAuth通过自己的API在移动设备和网站上使用OAuth的正确方法是什么? [英] What is the correct way to use OAuth for mobile and website consuming my own API?

问题描述

我还有一个问题与OAuth 2的工作方式有关，但由于使用IdentityServer来实现OAuth，因此我认为这很重要.我在任何地方都找不到答案.

I have a question more related to the way OAuth 2 is working but since using IdentityServer to implement OAuth I think it's relevant. I could not find an answer anywhere.

我正在建立一个使用我自己的API的网站和一个移动应用程序.我的应用程序的每个用户都将具有一个用户名和密码，这将使他能够访问该应用程序/网站，并通过其信息访问API.

I'm building a website and a mobile app that consumes my own API. Each user of my app will have a username and password, that will give him access to the app/website and though the API to his information.

我不确定处理用户登录流程的正确方法:

I'm not sure about the right way to handle the flow for user login:

1. 在网站上，我有自己设计的登录表单.我不想将用户转移到我的身份验证服务器上进行登录，然后让他批准他提供的信息-他是我系统上的用户-我可以访问所有信息-像facebook一样的kida可以登录并访问信息-他们不会问您愿意给他们什么.那么隐式真的是这样吗?
2. 在移动应用上，我也有一个登录表单，现在我在这里阅读(

1. On the website I have my own designed login form. I don't want to move the user to my auth server to login, and then have him approve the information he gives - he is the user on my system - I have access to all information - kida like facebook has a login and access to the informatio - they don't ask what you're willing to give them. So is implicit really the way for this?
2. On the mobile app I also have a login form and now I read here (https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10) that the OAuth approach is to have the login in a WebView?? Doesn't look like facebook login is in a WebView on their mobile app.
3. The approach I was first lookin at is the Resource Owner. Users will login, get the token and the refresh token and can start working against my APIs. But storing my client_id and secret on the mobile app? on the website javascript files? doesn't feel right. I can of course make a call to an API that will mask those and be a proxy to the login process... but... (read #4).
4. In the future I would like to allow access for third-party developers. For them to allow login for users of my system I will use the implicit flow. Also, I plan for those developer accounts to have restricted API access (for example, the number of calls to the API will be limited by plan). What prevents those developers from asking for the username and password of their account on my system on their website, getting the response from my servers with the access token and refresh token, and using my API however they want, without restrictions, and having access to the entire user profile?
5. Lets say I'm sticking to the resource owner flow, receiving back from the server a token and a refresh token. What should I store on the mobile device and how? What should be stored in the browser and how? the refresh token? and each time he opens the app get a new updated token with that refresh token?

修改

请澄清一下，因为我发现很多讲座和文章都从API使用者(即第三方开发人员)的角度解释了该过程:我是API所有者和auth服务器所有者，我是在用户帐户的所有者(他们是我的服务用户)中，我也是我自己的消费者(尽管是网站和移动应用程序)，并且将来我希望允许第三方开发人员允许我的用户用他们的服务帐户(如Facebook或Google之类的帐户)登录

Just to clarify, because I find a lot of lectures and articles that explain the process from an API consumer point of view (ie. the third-party developer): I am the API owner and the auth server owner, I'm the owner of the user accounts (they are my users of my services), I'm also my own consumer (though the website and the mobile app), and in the future I want to enable third-party developers to allow my users to login with their accounts of my service (kinda like Facebook or Google)

推荐答案

您是正确的，不应将client_secret存储在应用程序中，但是我怀疑您会不会存储client_id.您也可以禁用应用程序的同意屏幕，并构建本机登录视图.如果您不希望用户每次使用您的应用程序登录时，都需要将access_token和refresh_token存储在设备上(可能已在数据库中加密).

You're correct that you shouldn't store the client_secret in your app, but I doubt you will get around storing the client_id. You could disable the consent screen for your app as well, and build a native login view. You need to store the access_token and the refresh_token on the device (maybe encrypted in a database) if you don't want the user to login everytime they use your app.

对于问题4，您可以执行以下操作:

As for problem 4, you could do the following:

1. 在您的(网络)应用中嵌入client_secret
2. 设置哪些主机可以访问IdentityServer上的api
3. IdentityServer生成一个盐并将其发送给客户端
4. 客户端使用hash(ip_address + session_salt)
计算session_secret
5. 客户端将session_secret和client_secret用于API调用
6. 服务器验证hash和client_secret

1. Embed the client_secret in your (web) app
2. Set up which hosts have access to your api on the IdentityServer
3. The IdentityServer generates a salt and sends it to the client
4. The client calculates a session_secret using hash(ip_address + session_salt)
5. The client uses the session_secret and the client_secret for the API call
6. Server validates the hash and client_secret

完全阻止某人使用您的API几乎是不可能的.但是您应该添加各种速率限制方法，例如限制IP地址，API调用等.但是没有什么可以阻止某人反编译您的应用程序并访问您的client_id.

It's nearly impossible to completely prevent someone from using your API. But you should add various rate limiting methods, such as limiting IP addresses, API calls etc. But nothing will stop someone decompiling your app and accessing your client_id.

这篇关于使用OAuth通过自己的API在移动设备和网站上使用OAuth的正确方法是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！