iOS和node.js:如何验证传递的访问令牌? [英] iOS & node.js: how to verify passed access token?
问题描述
我有一个使用OAuth和OAuth2提供程序(Facebook,google,twitter等)的iOS来验证用户并提供访问令牌.除了名称和电子邮件地址等最少的数据外,该应用程序不将这些服务用于身份验证以外的任何用途.
I have an iOS which uses OAuth and OAuth2 providers (Facebook, google, twitter, etc) to validate a user and provide access tokens. Apart from minimal data such as name and email address, the app doesn't uses these services for anything except authentication.
然后,该应用将访问令牌发送到服务器,以指示用户已通过身份验证.
The app then sends the access token to a server to indicate that the user is authenticated.
服务器是用Node.js编写的,在执行任何操作之前,它需要根据正确的OAuth *服务验证提供的访问令牌.
The server is written in Node.js and before doing anything it needs to validate the supplied access token against the correct OAuth* service.
我一直在寻找,但是到目前为止,我发现的所有node.js身份验证模块似乎都是用于通过服务器提供的网页登录并进行身份验证的.
I've been looking around, but so far all the node.js authentication modules I've found appear to be for logging in and authenticating through web pages supplied by the server.
有人知道任何可以对提供的访问令牌进行简单验证的node.js模块吗?
Does anyone know any node.js modules that can do simple validation of a supplied access token?
推荐答案
据我所知(据我阅读规范所知),OAuth和OAuth 2规范未指定用于访问的单个端点令牌验证.这意味着您将需要为每个提供程序使用自定义代码,以仅验证访问令牌.
To the best of my knowledge (and as far as I can tell from reading the specifications) the OAuth and OAuth 2 specs do not specify a single endpoint for access token validation. That means you will need custom code for each of the providers to validate an access token only.
我查看了要为您指定的端点执行的操作:
I looked up what to do for the endpoints you specified:
其他似乎使用了图形API的供Facebook检查令牌是否有效.基本上,要求:
It seems others have used the graph API's 'me' endpoint for Facebook to check if the token is valid. Basically, request:
https://graph.facebook.com/me?access_token={accessToken}
Google有一个专用端点,用于通过漂亮的文档.基本上,要求:
Google have a dedicated endpoint for getting access token information, with nice documentation, too. Basically, request:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={accessToken}
Twitter似乎没有真正明显的方法来做到这一点.我会怀疑,因为帐户设置数据是非常静态的,那可能是验证的最佳方法(获取推文可能会有更高的延迟?),因此您可以请求(使用适当的OAuth签名等):
Twitter doesn't seem to have a really obvious way to do this. I would suspect that because the account settings data is pretty static, that might be the best way of verifying (fetching tweets would presumably have a higher latency?), so you can request (with the appropriate OAuth signature etc.):
https://api.twitter.com/1.1/account/settings.json
请注意,此API的速率限制为每个窗口15次.
Note that this API is rate-limited to 15 times per window.
总而言之,这似乎比第一次出现时要复杂得多.在服务器上实现某种会话/身份验证支持可能是一个更好的主意.基本上,您可以验证一次获得的外部OAuth令牌,然后为用户分配您自己的一些会话令牌,并使用您自己的服务器上的用户ID(电子邮件,FB ID等)进行身份验证.您收到的每个请求都会向OAuth提供程序发送请求.
All in all this seems trickier than it would first appear. It might be a better idea to implement some kind of session/auth support on the server. Basically, you could verify the external OAuth token you get once, and then assign the user some session token of your own with which you authenticate with the user ID (email, FB id, whatever) on your own server, rather than continuing to make requests to the OAuth providers for every request you get yourself.
希望有帮助!
这篇关于iOS和node.js:如何验证传递的访问令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
