哪些OpenID Connect授权流程可对移动应用程序用户进行身份验证? [英] What OpenID Connect authorization flow to authenticate mobile app users?
问题描述
我正在构建一个与RESTful API交互的跨平台移动应用程序,并且我想使用OpenID Connect来验证我的用户.我将构建自己的OpenID Connect提供程序服务器.
I am building a cross-platform mobile app that interacts with a RESTful API, and I want to use OpenID Connect to authenticate my users. I will be building my own OpenID Connect provider server.
OpenID.net 声明:
OpenID.net claims that:
OpenID Connect允许包括基于浏览器的JavaScript和本机移动应用程序在内的所有类型的客户端启动登录流程,并接收有关已登录用户身份的可验证断言.
OpenID Connect allows for clients of all types, including browser-based JavaScript and native mobile apps, to launch sign-in flows and receive verifiable assertions about the identity of signed-in users.
但是,我找不到任何文档说明如何对移动应用程序客户端进行实际身份验证.
However, I can't find any documentation explaining how to actually authenticate for a mobile app client.
此StackExchange答案清楚表明OpenID Connect不支持基于资源所有者密码的授予"流程或客户凭据"流程.
This StackExchange answer makes it clear that OpenID Connect does not support the "resource owner password-based grant" flow or the "client credentials" flow.
仅留下授权码"流程(通常由服务器端应用程序使用)和隐式授予"流程(通常由客户端应用程序使用).这两个似乎都依赖于将用户重定向到提供程序的授权端点,以及使提供程序重定向回客户端URL.我看不到如何将其应用于移动应用程序.
That just leaves the "authorization code" flow (normally used by server-side apps) and the "implicit grant" flow (normally used by client-side apps). Both of these seem to rely on redirecting the user to the provider's authorisation endpoint, and having the provider redirect back to the client URL. I don't see how this can apply to a mobile app.
任何人都可以向我解释(甚至更好的是,向我介绍一个教程或一些示例代码)来解释如何执行此操作吗?
Can anyone explain to me (or even better, point me at a tutorial or some example code) which explains how to do this?
要澄清一下:OpenID Connect依赖于客户端将用户重定向到授权端点,然后提供程序将用户重定向回.如果客户端不是Web应用程序,该如何工作?
To clarify: OpenID Connect relies on the client redirecting the user to the Authorization Endpoint, and then the provider redirecting the user back to the client. In the case where the client isn't a web app, how can this work?
推荐答案
至少在iOS和Android上,移动应用程序可以注册自定义URL方案,以便通过浏览器进行重定向可以将用户与某些应用程序一起返回到您的应用程序查询参数.
Mobile apps, at least on iOS and Android, can register custom URL schemes so that a redirect from a browser can send the user back to your app along with some query parameters.
因此,您可以在本机移动应用程序中使用这些流,但这涉及将用户发送到Web浏览器(外部浏览器应用程序或应用程序内置的Web视图),以便他们通过OP进行身份验证
So, you can use these flows in a native mobile app, but it involves sending the user to a web browser (either an external browser app or a web view built into your application) in order for them to authenticate with the OP.
但是,我对整个方法的想法是,由于您正在开发自己的OP服务器和自己的本机移动应用程序,因此该移动应用程序确实是一个受信任的客户端,让用户直接输入其用户名和密码没有错进入您的应用.我可以理解为什么OpenID Connect规范不支持此功能,因为这并不是OIDC试图解决的真正问题,并且它可能会鼓励第三方应用程序要求用户直接输入用户名和密码.但是,我希望规范中对此问题提供更多指导,因为我正面临与您类似的情况,并且不确定如何进行操作.
However, my thoughts on this whole approach are that since you are developing your own OP server and your own native mobile app, the mobile app is really a trusted client and there is nothing wrong with having users directly enter their username and password into your app. I can understand perhaps why this isn't supported by the OpenID Connect spec because it isn't really the problem that OIDC is trying to solve, and it might encourage third party apps to request users to enter their username+password directly. However, I wish there was more guidance on this issue in the spec as I am facing a similar scenario to you and am not sure how to proceed.
这篇关于哪些OpenID Connect授权流程可对移动应用程序用户进行身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
