使用自己的Web应用程序API-OAuth2的身份验证过程 [英] Consuming own API for web app - Authentication process with OAuth2
问题描述
我目前正在为图像共享应用程序创建API,该API将在网络上以及将来的某个时间在移动设备上运行.我了解API构建的逻辑部分,但是我仍在努力满足自己对身份验证部分的要求.
I am currently in the process of creating an API for an image sharing app that will run on the web and sometime in the future, on mobile. I understood the logical parts of API building, but I'm still struggling to meet my own requirements for the authentication part.
因此,我的API必须是全世界都可以访问的:具有访客访问权限的用户(例如,未登录的用户可以上传),以及注册用户.因此,当已注册的用户上传时,我显然希望将用户信息与请求一起发送,并通过数据库中的外键将该用户信息附加到上传的图像上.
So, my API must be accessible to the world: those with guest access (non logged in people can upload, for example), and also to registered users. So when a registered user uploads, I obviously want the user information to be sent along with the request and to attach that user information to the uploaded image via foreign keys in my database.
我了解OAuth2是API身份验证的必经之路,因此我将实现这一身份,但是我真的很努力地思考如何处理 my 情况.我想到了使用client credentials授予并为我的Web应用程序生成仅一个凭据集,然后让它使用client secret向API发送请求以获取访问令牌并让用户执行东西.用户注册过程本身将通过此授权来处理.
I have understood that OAuth2 is the way to go when it comes to API authentication, so I am going to implement this one, but I'm really struggling to wrap my head around on how to handle my situation. I thought of using the client credentials grant and generating only one set of credentials for my web app, and having it send requests to the API with its client secret to obtain the access token and let users do stuff. The user registration process itself would be handled with this grant.
但是,当用户注册并登录时该怎么办?现在如何处理身份验证?这是否需要另一笔赠款来接管?我正在考虑在用户登录期间执行一些授权过程,以生成新的访问令牌.这种方法是错误的吗?
But what about when the user is registered and logged in? How do I handle authentication now? Would this require another grant to take over? I was thinking of doing some authorization process during user signin, to generate a new access token. Is this approach wrong?
我需要您提供有关如何针对我的情况正确处理身份验证流程的信息.这种双向身份验证过程可能不是我所需要的,但这是我所了解的方式.非常感谢您的支持.
I need your input on how to handle the authentication flow correctly for my case. This two-way authentication process might not be what I need, but it is the way I've understood it. I would highly appreciate your support.
推荐答案
iandayman的答案有很多有用的信息,但我认为较窄的更具体的答案可能会对您有所帮助.
iandayman's answer has lots of good information, but I think a narrower more specific answer might help you.
因此对于初学者来说,客户端凭据授予不适合您.如果我们查看 OAuth2规范,则客户端凭据授予用于
So for starters, the client credentials grant is not for you. If we look at the OAuth2 spec, the client credentials grant is for
当授权范围是 仅限于由客户控制的受保护资源...当客户代表自己行事时
when the authorization scope is limited to the protected resources under the control of the client ... when the client is acting on its own behalf
这对您来说不合适,有两个原因.
其次,正如我提到的,客户永远不会代表自己行事.它始终代表可能登录或可能未登录的用户.
This is not right for you for two reasons.
Firstly there are no protected resources under the control of your client. All resources you are accessing are either unprotected (non-logged in people uploading) or are under the control of an end user. Further, you cannot keep secrets (such as the client secret) in the browser; any user of your application could just use the developer tools of the browser to view and compromise the secret.
Secondly, as I mentioned, the client is never acting on it's own behalf. It's always acting on behalf of a user who may or may not be logged in.
您希望授予资源所有者密码凭据.
如果用户未登录(如您提到的上载),则您没有授权.用户登录后,会将其凭据发送到授权服务器.如果密码与用户名匹配,授权服务器将创建一个令牌,并保留从该令牌到用户的映射,并返回该令牌.然后,每次您的客户端再次请求登录用户时,您都将该令牌放在Authorization标头中.在后端,您说:授权标头中是否有令牌,找出与之对应的用户,并将其与此上传相关联(或检查是否允许他们上传)".
You want the resource owner password credentials grant.
When a user is not logged in (like you mentioned for uploads) you just have no authorization. When a user logs in, you send their credentials to the authorization server. If the password matches the username, the authorization server makes a token and persists a mapping from that token to the user and returns the token. Then every time your client makes another request for a logged in user, you put that token in the Authorization header. On the back end you say "if there is a token in the authorization header, find out which user it corresponds to, and associate them with this upload (or check if they're allowed to upload at all)".
用户注册如何工作?很简单,您发布了
How does user registration work? Simple, you post some user object like
name: jim beam
username: jimb
password: correct horse battery staple
到用户创建端点(POST /users或类似内容).您生成盐并哈希密码,然后将用户信息以及盐和哈希存储在数据库中.该端点上没有任何授权.
to your user creation endpoint (POST /users or something). You generate a salt and hash the password, and then store the user's information along with the salt and hash in the database. There is no authorization on this endpoint whatsoever.
希望这是您正在寻找的更多东西.
Hopefully this is more what you are looking for.
这篇关于使用自己的Web应用程序API-OAuth2的身份验证过程的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
