OAuth2 for mobile apps with simplest client-server architecture?
Problem description
We have a classical C-S (client-server) architecture, i.e. a mobile app and a business server. We have our own account system (not using 3rd-party accounts such as Google/Facebook accounts). I know I should use OAuth2 for authentication. The problem is, how shall I implement that?
There are two things that I did not find on the Internet:
- We are using our own account system - no Google/Facebook account.
- The user should input his password in the native app UI, not in a browser webpage embedded in the app.
Questions:
- I think we can use the "resource owner password grant" mode. The user inputs the password in the native UI, then we gather it and send an HTTPS request to the server, etc. But I have seen people saying it is unsafe... So should I use it?
- If we should use the "authorization code" mode, how shall I let the user input his password within the native UI?
Thanks a lot!
p.s. If we did not have our own account system and simply relied on Google/Facebook accounts, then everything would be simple. We could just use any blog or article or answer on the Internet. However, we need our own account system.
Recommended answer
The resource owner flow is considered unsafe when used with 3rd-party authentication, for example when your mobile app is trying to access a file in the user's Dropbox or a Gmail email. If you own all the parts of the system (account system, resources and the app), you should be safe with the resource owner password flow.
It is a much simpler flow, however it has some drawbacks: you won't be able to federate with other 3rd-party or enterprise systems, and you can't benefit from single sign-on. If neither of those applies to you, go ahead and use the resource owner password flow.
You can find a good treatment of the subject here: https://auth0.com/blog/oauth-2-best-practices-for-native-apps/
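The exchange the answer recommends, as an added example that is not part of the original question or answer: a minimal in-memory authorization server for a first-party native app that implements the "resource owner password credentials" grant (RFC 6749 section 4.3) plus the refresh-token grant, and the two request bodies the app sends. Everything here is an assumption for the demo: the class and function names, the public client id `mobile-app`, the PBKDF2 password storage and the sample account; real code would sit behind an HTTPS endpoint and a persistent store.

```python
"""Minimal OAuth2 password grant (RFC 6749 section 4.3) for a first-party native app.
Added example, not code from the original post. All names are assumptions; the user
store, client registry and sample credentials are constructed for the demo. Transport
security is out of scope here: in production this exchange MUST go over TLS.
"""
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

ACCESS_TOKEN_TTL = 3600        # seconds, reported back to the client as expires_in
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _digest(token: str) -> str:
    # Tokens are stored only as digests so a leaked token table is not directly usable.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthServer:
    """Authorization + resource server with users, public clients and tokens in memory (demo)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}                 # username -> (salt, pbkdf2 hash)
        self.clients = {"mobile-app"}   # public client: a native app cannot keep a client_secret
        self.access_tokens = {}         # sha256(token) -> (username, expires_at)
        self.refresh_tokens = {}        # sha256(token) -> username

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _check_password(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users as for bad passwords
            return False
        salt, stored = record
        return hmac.compare_digest(stored, hash_password(password, salt))

    def _issue_tokens(self, username: str) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[_digest(access)] = (username, self.clock() + ACCESS_TOKEN_TTL)
        self.refresh_tokens[_digest(refresh)] = username
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh}   # RFC 6749 section 5.1

    def token_endpoint(self, form_body: str):
        """POST /token with an application/x-www-form-urlencoded body. Returns (status, dict)."""
        form = {k: v[0] for k, v in parse_qs(form_body).items()}
        if form.get("client_id") not in self.clients:
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "password":
            if self._check_password(form.get("username", ""), form.get("password", "")):
                return 200, self._issue_tokens(form["username"])
            return 400, {"error": "invalid_grant"}        # error shape from RFC 6749 section 5.2
        if grant == "refresh_token":
            username = self.refresh_tokens.pop(_digest(form.get("refresh_token", "")), None)
            if username is not None:
                return 200, self._issue_tokens(username)  # rotation: the old refresh token is gone
            return 400, {"error": "invalid_grant"}
        return 400, {"error": "unsupported_grant_type"}

    def protected_resource(self, authorization_header: str):
        """Resource-server check of 'Authorization: Bearer <token>'. Returns the username or None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return None
        entry = self.access_tokens.get(_digest(token))
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]


def password_grant_body(client_id: str, username: str, password: str) -> str:
    """Sent once, right after the user types the password into the app's own native UI."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password})


def refresh_grant_body(client_id: str, refresh_token: str) -> str:
    """Sent afterwards; the app keeps the refresh token and never needs to store the password."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token})


if __name__ == "__main__":
    server = AuthServer()
    server.add_user("alice", "correct horse battery staple")   # constructed demo account
    status, body = server.token_endpoint(
        password_grant_body("mobile-app", "alice", "correct horse battery staple"))
    print(status, json.dumps(body))
    print(server.protected_resource("Bearer " + body["access_token"]))
    print(server.token_endpoint(password_grant_body("mobile-app", "alice", "wrong")))
```

The point of issuing a refresh token alongside the short-lived access token is that the app exchanges the password exactly once and then discards it; everything after that runs on tokens the server can revoke, which is what makes the password grant tolerable when you own both ends. Rotating the refresh token on every use (the `pop` above) means a token copied off a device stops working as soon as the legitimate app refreshes.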