Django-OAuth-ToolKit: Generating access tokens for multiple resources/services using the client credentials grant type of OAuth2.0


Problem description

I have a couple of backend APIs which are Django projects. They have a UI (single page app) and a username/password based login.

My clients are usually developers and they don't want the UI; all they want is access to the backend APIs so they can build their own dashboards etc. They would want to integrate the APIs with their backend systems.

Questions

Question 1. I am planning to use django-oauth-toolkit; it seems to me that the client credentials grant type would be suitable for this use case. Am I right?

To experiment, I started a separate OAuth server locally running on port 8000, the resource server (R1) on 8001 and the resource server (R2) on 8002.

Step 1:

I went to the admin panel of the OAuth server and created a user u1 for resource R1 and a user u2 for resource R2. I went to the applications module in the admin panel and registered R1 and R2 as applications with grant type "resource owner password". To generate the access token I called the token endpoint:

curl -X POST -d "grant_type=password&username=u1&password=u1password" -u "client id of R1:client secret of R1" http://localhost:8000/o/token/

I got the access token:

{"access_token": "KdAOMZBiMomVxpvjAWErwVGog6NRRH", "expires_in": 86400, "token_type": "Bearer", "scope": "read write introspection", "refresh_token": "ffgkZZ5NtVFh4REs0TbFAALNkJqXVQ"}

Step 2:

Say the above access token was generated for resource server R1, so I went to the settings file of R1 and added this token for introspection:

OAUTH2_PROVIDER = {
    'RESOURCE_SERVER_INTROSPECTION_URL': 'http://localhost:8000/o/introspect/',
    'RESOURCE_SERVER_AUTH_TOKEN': '9b2uVud7WXHEdyolznvvkM3KwWfkVe',  # OR this but not both:
    # 'RESOURCE_SERVER_INTROSPECTION_CREDENTIALS': ('5sRVXLoTQj9vlkLWaziIMZrgra1keupWIQ2On2hX', '5jwMxls1JiAiQiNVnRTtbjmzgRO20FEHD0BBdiSAwvSL1XswZKqglDRke2L8Ig77ol7OE3ZdsA9SE7sry0u3BXwd1OvfFfhDVJFSLWlPG6g1vB3w4ZFc1g8ZwgzXJooc'),
}

Step 3: I did the same process for the resource server R2 as well.

Question 2: Is this process of registering multiple resource servers correct? Have I set up the introspection correctly?

Question 3: How would I register different microservices running on the same resource server?

Step 4: Assume that now I have an auth server ready to generate tokens for both the R1 and R2 resources.

Now, to simulate a scenario where a developer who wants to integrate my API with his app and wants to generate an access token would first have to register his app with the auth server, I registered an app (the developer's app) on the auth server with grant type "client credentials".

This is how my admin panel looks now: R1 with user U1 and R2 with user U2 registered as resource servers, and the developer app, not associated with any user, being the client which wants to access any of these resources.

Step 5: Simulating how a developer would have generated the access token, I generated the access token like this:

Note: I used the client id and client secret of resource R1 and generated the access token, but I am able to successfully use the same access token even for resource R2, and it works.

Question 3: Why is the access token I generated using R1's client id and client secret working even for R2? Am I doing something wrong here? Basically, I want to be able to produce access tokens for developers specifically for a resource. I know there are scopes and permissions, but can I generate an access token for a specific resource only? What do I need to do to achieve this? Do I need to extend or add some logic?

Question 4: Is my thought on using the client credentials grant type correct, and are the steps that I have done to register the resource servers and the client apps which are going to use the resource servers correct?

Thanks for your help.

Recommended answer

Question 1. I am planning to use django-oauth-toolkit; it seems to me that the client credentials grant type would be suitable for this use case. Am I right?

Yes, you are right.

Question 2: Is this process of registering multiple resource servers correct? Have I set up the introspection correctly?

Yes, you are doing it correctly.

Question 3: How would I register different microservices running on the same resource server?

Do you mean running different microservices ON DIFFERENT PORTS on the same resource server? If yes, then you have to configure your resource server in the same way as you did for R1 and R2.

Question 3: Why is the access token I generated using R1's client id and client secret working even for R2? Am I doing something wrong here? Basically, I want to be able to produce access tokens for developers specifically for a resource. I know there are scopes and permissions, but can I generate an access token for a specific resource only? What do I need to do to achieve this? Do I need to extend or add some logic?

Access tokens are confidential. If shared with anyone, either resource will be able to access it. For example: if I have your FB auth token, you and I can do the same thing with it, irrespective of whom this token belongs to.

Question 4: Is my thought on using the client credentials grant type correct, and are the steps that I have done to register the resource servers and the client apps which are going to use the resource servers correct?

  1. Yes, using client_credentials is the right way to approach your problem statement.
  2. Yes, you're setting it up the right way. However, do look into JWT as an alternative, more advanced approach. Using JWT avoids the introspection call made to the OAuth server, thereby saving a network call.
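As an added example (not code from the question, the answer, or django-oauth-toolkit itself), here is the part the thread leaves implicit: why a token minted with R1's credentials is accepted by R2, and how a resource server pins a token to itself. DOT's /o/introspect/ only reports whether a token is active and which scopes it carries; it does not know which resource server is asking, so every resource server that trusts the same auth server will accept any active token unless it checks scope. A token is bound to a resource by (a) declaring one scope per resource in OAUTH2_PROVIDER['SCOPES'] on the auth server, (b) having the developer's app request that scope in its client-credentials call, and (c) having each resource server require its own scope (in DOT, TokenHasScope with required_scopes on the view). The answer's point that a bearer token must be kept secret is a separate matter from which resource a token is good for. The scope names r1:read and r2:read, the client id dev-app and the introspection responses below are constructed for illustration; the response shape follows RFC 7662, which is what DOT's introspection endpoint returns.

```python
import base64
import time
from urllib.parse import urlencode

# Constructed scope catalogue: one scope per resource server, as you would
# declare it in OAUTH2_PROVIDER["SCOPES"] on the auth server (assumed names).
SCOPES = {
    "r1:read": "Read access to resource server R1",
    "r2:read": "Read access to resource server R2",
}


def client_credentials_token_request(client_id, client_secret, scopes):
    """Build the client-credentials request a developer's app sends to /o/token/.

    Returns (headers, form_body). The scope parameter is what ties the token to
    a resource; leave it out and DOT issues its default scopes, which is how a
    token "for R1" ends up valid on R2 as well.
    """
    unknown = [s for s in scopes if s not in SCOPES]
    if unknown:
        raise ValueError(f"unknown scopes requested: {unknown}")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",  # same as curl -u client_id:secret
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return headers, body


def authorize(introspection, required_scopes, now=None):
    """Decision a resource server makes from an RFC 7662 introspection response.

    `active: true` alone only says the token is valid somewhere; the resource
    server must check expiry and that every scope it requires was granted.
    Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token is inactive or unknown"
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    granted = set(introspection.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, f"token lacks scopes {sorted(missing)}"
    return True, "ok"


# Constructed introspection responses, shaped like the JSON DOT's /o/introspect/
# returns for tokens issued to the developer's app ("dev-app" is an assumed id).
NOW = 1_700_000_000
TOKEN_FOR_R1 = {"active": True, "scope": "r1:read", "client_id": "dev-app",
                "token_type": "Bearer", "exp": NOW + 86400}
TOKEN_FOR_R1_AND_R2 = {"active": True, "scope": "r1:read r2:read",
                       "client_id": "dev-app", "token_type": "Bearer",
                       "exp": NOW + 86400}
REVOKED = {"active": False}


def demo():
    """Run the scenario from the question: R1's token presented to R1 and R2."""
    return {
        "r1 accepts r1 token": authorize(TOKEN_FOR_R1, ["r1:read"], NOW)[0],
        "r2 accepts r1 token": authorize(TOKEN_FOR_R1, ["r2:read"], NOW)[0],
        "r2 accepts r1+r2 token": authorize(TOKEN_FOR_R1_AND_R2, ["r2:read"], NOW)[0],
        "r1 accepts expired token": authorize(TOKEN_FOR_R1, ["r1:read"], NOW + 90000)[0],
        "r1 accepts revoked token": authorize(REVOKED, ["r1:read"], NOW)[0],
    }


if __name__ == "__main__":
    headers, body = client_credentials_token_request("dev-app", "dev-secret", ["r1:read"])
    print(headers["Authorization"], body)
    for case, allowed in demo().items():
        print(f"{case}: {allowed}")
```

With the scope check in place, "r2 accepts r1 token" is False: R2 still gets `active: true` from the auth server, but refuses because r2:read was never granted. This is the resource-server half of the fix; if you also want the auth server to refuse scopes a given app was never entitled to, DOT's SCOPES_BACKEND_CLASS setting lets you subclass its scopes backend and narrow get_available_scopes per application.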
