oauth2 openid connect javascript (electron) desktop application


Problem description


What is the correct oauth2 flow for a desktop application? Besides a desktop application I have a SPA Web GUI which does use the Implicit flow. There it does not matter if the client redirects after 3600s to the IdP to issue a new Access token.

But the desktop application needs to be running 24/7 or could be running 24/7. So it needs to automatically refresh the access token via a refresh_token. But since the implicit flow does not provide refresh tokens it is probably the wrong flow for a desktop app, isn't it?

I guess I need the auth code flow, which does provide a refresh_token. But authentication requests need a redirect_uri. Let's say I want to use Google as my openid provider. With Google it looks like I can't register client credentials with a custom URI scheme (https://developers.google.com/identity/protocols/OpenIDConnect). What does work is to register for example http://localhost:9300, which theoretically could be handled by the app.

A

What's the correct oauth2 flow for a desktop app to receive a refresh_token?

B

Can I catch the redirect_uri via a custom URI scheme without using the implicit flow (Google IdP)? It is way easier to listen for a custom uri scheme than listening on a local tcp port.

C

This is more a general question. Usually desktop apps are public apps, so I should not include client_secret, right? So the only flow which would be left is the implicit flow. But how can I renew access tokens according to specs without bothering the desktop user every 3600s? In my case I could publish the app locally, so not public, but how is it for a public app?

Solution

A - Authorization Code Grant

B - Not sure here, You can register a Custom URI Scheme

C - Not enough information provided. Are you using the AppAuth libraries? If so you SHOULD use PKCE and then additional security measures for the refresh token should not be necessary, on the assumption that the client never sends the refresh token to anyone other than the IDP over a secure connection.

Does this help?
