OAuth2-无需用户交互即可进行授权 [英] OAuth2 - Authorize with no user interaction
问题描述
因此,我正在尝试通过外部应用程序的API访问自己的数据. 我只需要访问自己的数据.不尝试从我的用户的任何帐户接收数据,因此他们不需要授权任何东西.因此,显然我需要避免任何重定向(我研究OAuth越多,这似乎是标准过程……)
So I'm trying to access my own data from an external app via their API. I only need access to my own data. Not trying to receive data from any of my users' accounts, so they don't need to authorize anything. So obviously I need to avoid any redirects (which seems to be the standard process the more I research OAuth...)
该过程到达/authorize端点,该端点返回一个代码.然后在对accesstoken端点的请求中提供该代码.然后,我可以通过API访问我的帐户.我95%确信此过程对所有OAuth都是标准的,但我想我会提供详细信息,以防万一.
The process is hit the /authorize endpoint, which returns a code. Then provide that code in a request to the accesstoken endpoint. Which then allows me to access my account via the API. I'm 95% sure this process is standard for all OAuth, but figured I'd provide details in case it's not.
我如何在后端提供凭据以获取用于输入令牌请求的代码,以使所有用户交互都无效?我使用的API迫使我使用OAuth.
How do I provide credentials on the back end to get a code to enter into the request for a token, so that all user interaction is negated? The API I'm using forces me to use OAuth.
推荐答案
您描述的oauth2授权称为 Authorization Code Grant .设计了这种身份验证方式,以便希望访问用户资源的应用程序不具有访问用户凭据的权限.
The oauth2 grant you are describing is called Authorization Code Grant. This way of authentication has been designed so that applications which want to access resources of a user do not have access to the users credentials.
因此,如果您在此授权中找到了一种与用户凭据进行交互的方法,则将其视为黑客行为.
So if you found a way to interact with the user credentials in this grant it would be considered a hack.
如果您不希望单个用户输入用户名和密码,但希望使用一种系统帐户"访问api,则不应该使用oauth授予.
If you do not want the individual user to enter the username and password but you want to access the api with a kind of "system account" this is not the oauth grant you should use.
有多项补助金可以为您服务.问题是授权服务器支持哪些功能并对您可用.
There are multiple grants that would work for you. The question is which are supported by the authorization server and available to you.
此授予类型适用于能够获得资源所有者凭证的客户端.
This grant type is suitable for clients capable of obtaining the resource owner's credentials.
但是
资源所有者密码凭证授予类型适用于 资源拥有者与 客户端,例如设备操作系统或特权较高的应用程序.
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.
这种授予类型很可能不可用,因为它可能被滥用来窃取用户凭据.
It is very likely that this grant type is not avaiable as it could be misused to steal user credentials.
客户端只能使用其客户端凭据来请求访问令牌.
The client can request an access token using only its client credentials.
如何将资源绑定到客户端不是oauth规范的一部分,因此也不是特定于提供程序的.
How the resources are tied to a client is not part of the oauth specification and therefore provider specific.
如果您想阅读有关oauth2的更多信息,请在此处文章.
If you want to read more about oauth2 here is a good article.
这篇关于OAuth2-无需用户交互即可进行授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
