OAuth：存储访问令牌和机密 [英] OAuth: Storing Access Token and Secret

问题描述

我们有许多使用我们的API为其网站提供动力的客户。

We have a number of clients that use our API to power their websites.

我已经开始使用OAuth进行经过身份验证的API调用的对话。
我们将同时拥有两个和三个分支流。

I have started a conversation at work about using OAuth to make authenticated API Calls. We will have both, two and three legged flows.

对于三个分支流，我们仍未就如何存储访问令牌和机密。

For the 3-legged flow, we still have not come to a consensus on how to store the access token and secret.

解决此问题的常用方法是让客户端将访问令牌和密码存储在自己的数据库中，但这是不可能的，因为客户端不会这样做。不想处理代码更改和实现问题。

The common approach to this problem would be to have the clients store the access token and secret in their own DB, but that is out of the question as the clients don't want to deal with code changes and implementation issues.

我们正在考虑的其他选择：

The other options we are considering:

1）将访问令牌和秘密保存在cookie中

1) Saving the access token and secret in a cookie

2）在会话中保存它们。

2) Saving them in the session.

我是不知道这两个是不是一个好主意。有人有任何建议吗？

I'm not sure whether either of these is a good idea. Does anyone have any suggestions?

谢谢。

推荐答案

I假设您是在谈论典型的服务提供商，消费者和用户类型的设置。如果您的使用者（客户）拒绝进行任何更改，我不知道您是否能够实施三足oAuth。

I'm assuming you're talking about the typical "Service Provider," "Consumer" and "User" type of setup. I don't know if you will be able to implement three-legged oAuth if your Consumers (client) refuse to make any changes.

该会话和cookie可以用于保存令牌，但问题是需要保存令牌的是您的消费者（您的客户），而不是您。对API的调用发生在后端，因此该范围内没有可用的实际会话或cookie。如果您仅进行JavaScript调用，也许确实可以，但是即使那样，通常也要通过代理进行调用，以免出现跨域脚本问题。

The session and cookies would work for saving tokens, but the problem is that it's your Consumer (your clients) that needs to be saving them - not you. The calls to your API are happening on the back-end and so there is no real session or cookie available within that scope. If you are only making JavaScript calls, perhaps that does work but even then usually the calls are being made through a proxy in order to not have cross-domain scripting issues.

在任何一种情况下，如果令牌存储在会话或cookie中，则它们将是临时密钥，并且当会话或cookie过期时，用户将必须重新进行身份验证。但是就oAuth规范而言，这没有什么问题-只要用户不介意重新认证即可。

In either case, if the tokens are stored in the session or cookies, they will be "temporary" keys and the User will have to re-authenticate when the session or cookies expire. But there is nothing wrong with that as far as the oAuth spec goes - as long as the Users don't mind re-authenticating.

您可以参考使用MVC 5 Razor引擎编写的.NET示例应用程序

这篇关于OAuth：存储访问令牌和机密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！