Authenticate client-side app to REST API using CORS with local strategy


Question


Serving a secure API to a client side app using only a local authentication strategy.
The red arrows are part of the knowledge gap.


That is --- client.example.com is making a POST to api.example.com/login where on success client.example.com can gain access to a GET service like api.example.com/secret.


Implementation of OAuth 2.0 with hybrid grant type sitting in front of API.


Why hybrid?


  • It wouldn't be an Implicit Grant Flow aka Client-Side Web Applications Flow because there is no redirection to API server to grant access token. (i.e.) "Is it ok for so-and-so to access your data?"

  • It wouldn't be a Resource Owner Password Flow because a Client ID and Client Secret are passed along with the request so it's assumed the client app is server-side.

OK... so how about a little of both?


What if we used a CSRF token on page load of client-side app, and POST it with user credentials to OAuth 2.0 authentication endpoint to exchange for access token? You would authenticate each subsequent request with the access token and CSRF token after a successful login.

Good Node.js OAuth 2.0 library I found:

https://github.com/ammmir/node-oauth2-provider


I cannot find a working example of an authentication measure that solves this problem! Point me in the right direction?


Ultimately, the goal here is to authenticate a client side app to a REST API using CORS with a local strategy --- i.e. username & password --- even if the convention above isn't possible.

It's a client-side app, let's stay trendy.


I'm looking for a working example using the Node.js OAuth 2.0 seed above for the API/Auth server and a front end framework like Angular.js or Backbone.js to make requests.

The example should fit within the scope described above.

Accepted answer


I'm working on an app with a pretty similar architecture though the services are .NET Web API rather than Node and we're using DotNetOpenAuth for the OAuth provider. Rather than the hybrid approach you're suggesting we're doing the following:



  1. x.com serves up a login page
  2. login page POSTs back credentials to x.com
  3. server side logic at x.com combines client_id and client_secret with the credentials to submit a token request (resource owner password credentials grant that you've mentioned above) receiving back both a temporary access token and a refresh token
  4. the refresh token is encrypted into a cookie issued by x.com
  5. both the cookie (with encrypted refresh token) and the temporary access token are then sent to the browser
  6. the client app (angular in my case) can now use the access token to hit api.x.com for services (It appears you're well aware of the limitations of CORS... we hacked a version of angular's $resource to facilitate this but it wasn't pretty since we wanted to use all HTTP verbs and support IE9)
  7. when the access token expires, the client side app can request a new access token from x.com
  8. server-side, x.com decrypts the cookie to get at the refresh token and issues another OAuth call for a new access token


This is fairly high-level but hopefully gives you a sense for how to tackle your situation. In my case, and it appears in yours, we didn't want to use session state or a database to store the refresh token but obviously exposing that to the browser introduces security concerns so the encryption of the refresh token is important (among other security considerations) and the use of the cookie eliminates the need for session state or other persistent storage on x.com.
