OAuth on REST API for mobile app


Problem description


I'm working on the backend of a mobile app, building a RESTful API using ASP.NET MVC 4 Web Api. The app will run on iOS and Android. My users will be allowed to log in only with their Facebook account, and only when logged in will they be able to use the whole functionality.

I don't have much experience with mobile apps, and this is more of a design question: which of the two scenarios (or maybe a third one?) seems the better design to you regarding who should be responsible for the Facebook authentication:

  1. The mobile client is responsible. Without accessing the backend, it speaks directly with Facebook, allowing the user to enter his credentials, and when it gets the token from Facebook, it hits the backend for the first time, passing the token to it in every request.
  2. The backend API is responsible. The mobile client tries to access a resource from it. The backend gets no authentication token from the client, so it redirects to the Facebook login. The user enters credentials and Facebook replies back to the backend, passing the token. Then the backend is willing to respond to the client about the desired resource.

Of course, the 2nd scenario means the backend should use a package like DotNetOpenAuth to handle OAuth, while in the 1st scenario all of this happens in the mobile client.

Solution

I think the first approach is more correct, as it emulates the stateless nature of HTTP better (it would be equivalent to a traditional HTTP auth method like Basic Auth). You would be sending the Facebook OAuth token to the Web API on every call. Otherwise, the server needs to keep state somehow about the authenticated user, using a mechanism like cookies for example, which does not look correct in the first place. I would use server-side authentication only when the server needs to consume other services that require authentication, but it does look like your case here.
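The first scenario leaves the backend with a single, stateless job per request: read the Facebook token from the Authorization header and decide whether it is valid for this app before serving the resource. Below is an added example of that check in Python; it is not code from the question, the answer or DotNetOpenAuth. The response shape follows Facebook's Graph API `debug_token` endpoint, the HTTP call is replaced by an injected function so the sample runs offline, and the app id, tokens and user id are constructed values.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MY_APP_ID = "123456789"  # this backend's own Facebook app id (constructed placeholder)

@dataclass
class Principal:
    user_id: str
    scopes: tuple

def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def authenticate(headers: Dict[str, str], inspect: Callable[[str], dict],
                 now: Optional[float] = None) -> Optional[Principal]:
    """Stateless per-request check for scenario 1 (no session, no cookie).
    `inspect(token)` stands in for GET /debug_token?input_token=<token>&access_token=<app token>
    on the Graph API and returns its parsed JSON body; any failure yields None."""
    token = extract_bearer(headers)
    if token is None:
        return None
    data = inspect(token).get("data", {})
    if not data.get("is_valid"):               # revoked, malformed or unknown token
        return None
    if str(data.get("app_id")) != MY_APP_ID:   # audience: token was issued to a different app
        return None
    expires_at = data.get("expires_at", 0)     # Unix time; 0 means the token does not expire
    if expires_at and expires_at <= (time.time() if now is None else now):
        return None
    user_id = data.get("user_id")
    return Principal(str(user_id), tuple(data.get("scopes", ()))) if user_id else None

def _fb_response(app_id: str, expires_at: int) -> dict:
    # Constructed body in the shape debug_token returns, for user 42 with the 'email' scope.
    return {"data": {"app_id": app_id, "is_valid": True, "expires_at": expires_at,
                     "user_id": "42", "scopes": ["email"]}}

FAKE_FACEBOOK = {  # constructed stand-in for the Graph API, keyed by bearer token string
    "tok-good": _fb_response("123456789", 4102444800),
    "tok-other-app": _fb_response("999", 4102444800),   # valid at Facebook, but not for this app
    "tok-expired": _fb_response("123456789", 1000000),
}

def fake_inspect(token: str) -> dict:
    return FAKE_FACEBOOK.get(token, {"data": {"is_valid": False}})
```

The `app_id` comparison is the part that matters most: Facebook confirming a token is valid is not the same as the token having been issued to this app.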

