OAuth2 for mobile apps with simplest client-server architecture?


Question

We have a classical C-S (client-server) architecture, i.e. a mobile app and a business server. We have our own account system (not using 3rd party accounts such as Google/Facebook accounts). I know I should use OAuth2 for authentication. The problem is, how shall I implement that?

There are two things that I did not find on the Internet:

  1. We are using our own account system - no Google/Facebook account.
  2. The user should input his password in the native app UI, not in a browser webpage embedded in the app.

Questions:

  1. I think we can use the "resource owner password grant" mode. The user inputs the password in the native UI, then we gather it and send an HTTPS request to the server, etc. But I have seen people saying it is unsafe... So should I use it?
  2. If we should use the "authorization code" mode, how shall I let the user input his password within the native UI?

Thanks a lot!

p.s. If we did not have our own account system and simply relied on Google/Facebook accounts, then everything would be simple. We could just use any blog or article or answer on the Internet. However, we need our own account system.

Answer

The resource owner flow is considered unsafe when used with 3rd party authentication, for example when your mobile app is trying to access a file in the user's Dropbox or a Gmail email. If you own all the parts of the system (account system, resources and the app), you should be safe with the resource owner password flow.

It is a much simpler flow, however it has some drawbacks. For example, you won't be able to federate with other 3rd party or enterprise systems, and you can't benefit from single sign-on. If neither of those apply to you, go ahead and use the resource owner password flow.

You can find a good treatment of the subject here: https://auth0.com/blog/oauth-2-best-practices-for-native-apps/
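To make the answer concrete, here is an added example (not part of the original question, the answer, or the linked Auth0 article) of the resource owner password credentials exchange from RFC 6749 section 4.3 for exactly the first-party setup described: the native app collects the password in its own UI, POSTs it over HTTPS to the business server's token endpoint, and receives a bearer access token plus a single-use refresh token. The account store, the `mobile-app` client registry, the user `alice` and her password are all constructed stand-ins; a real server would keep them in a database and would add rate limiting on the endpoint.

```python
"""Minimal OAuth 2.0 password-grant token endpoint (RFC 6749 section 4.3) plus the
request a native client sends to it.  Constructed example: in-memory stores only."""
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs, urlencode

ACCESS_TTL = 900  # seconds an access token stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are stored only as salted PBKDF2 hashes, never in plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
# Constructed account store: username -> (salt, password hash)
ACCOUNTS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}
# Constructed first-party client registry. A native app cannot keep a client secret,
# so it is registered as a public client with an allowed scope set.
CLIENTS = {"mobile-app": {"public": True, "scopes": {"profile", "orders"}}}

TOKENS = {}   # access_token  -> (username, scope, expiry epoch seconds)
REFRESH = {}  # refresh_token -> (username, scope, client_id)


def verify_password(username: str, password: str) -> bool:
    rec = ACCOUNTS.get(username)
    # Always run the hash, so an unknown username costs the same time as a wrong password.
    salt, stored = rec if rec else (b"\0" * 16, b"\0" * 32)
    candidate = _hash_password(password, salt)
    return rec is not None and hmac.compare_digest(candidate, stored)


def _issue(username: str, scope: str, client_id: str) -> dict:
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    TOKENS[access] = (username, scope, time.time() + ACCESS_TTL)
    REFRESH[refresh] = (username, scope, client_id)
    return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
            "refresh_token": refresh, "scope": scope}


def token_endpoint(form: dict) -> tuple[int, dict]:
    """Server side of POST /token. `form` is the parsed x-www-form-urlencoded body.
    Returns (HTTP status, JSON body) using the error codes defined in RFC 6749 5.2."""
    client_id = form.get("client_id")
    if client_id not in CLIENTS:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "password":
        user, pwd = form.get("username"), form.get("password")
        if not user or not pwd or not verify_password(user, pwd):
            return 400, {"error": "invalid_grant"}  # deliberately vague to the client
        requested = set(form.get("scope", "").split()) or CLIENTS[client_id]["scopes"]
        if not requested <= CLIENTS[client_id]["scopes"]:
            return 400, {"error": "invalid_scope"}
        return 200, _issue(user, " ".join(sorted(requested)), client_id)
    if grant == "refresh_token":
        # Refresh tokens rotate: each one is accepted exactly once.
        rec = REFRESH.pop(form.get("refresh_token"), None)
        if rec is None or rec[2] != client_id:
            return 400, {"error": "invalid_grant"}
        return 200, _issue(rec[0], rec[1], client_id)
    return 400, {"error": "unsupported_grant_type"}


def introspect(access_token: str):
    """Resource-server check of a bearer token: who it belongs to and what it allows."""
    rec = TOKENS.get(access_token)
    if rec is None or rec[2] < time.time():
        return None
    return {"username": rec[0], "scope": rec[1]}


def build_token_request(username: str, password: str,
                        client_id: str = "mobile-app", scope: str = "profile") -> dict:
    """Client side: the request the native app sends (over HTTPS) once the user has
    typed the password into the app's own UI.  No browser or web view is involved."""
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "client_id": client_id, "scope": scope})
    return {"method": "POST", "path": "/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def parse_form(body: str) -> dict:
    return {k: v[0] for k, v in parse_qs(body).items()}


if __name__ == "__main__":
    req = build_token_request("alice", "correct horse battery staple")
    status, resp = token_endpoint(parse_form(req["body"]))
    print(status, resp)
    print(introspect(resp["access_token"]))
```

Two design choices follow directly from the answer's caveat. First, because the app is a public client, the server cannot rely on a client secret to authenticate it; what keeps this flow acceptable is that the same party controls the app, the account store and the resources, so the password never crosses a trust boundary. Second, the short-lived access token plus rotating refresh token means the app stores the password only long enough to send this one request and never again, which is the property the "authorization code" flow would otherwise give you.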
