box.com api OAuth authentication


Problem description

Either I'm dense, or the docs assume I already know what they're telling me, but I need some clarification on doing authentication for a box.com app. I really don't understand what's going on. As I read it:


  1. The app running on the user's machine sends a request to Box, including all the little secrets (which aren't all that secret any more if the user knows how to read the code).
  2. The user is directed to the Box login page, which then sends the user to my server (with no page specified) attaching an authentication code.
  3. The app somehow magically gets that code back from my server and sends a request to Box for the access token.
  4. Box sends the access token to my server?
  5. The app again magically gets the access token from my server and sends its API requests.

Obviously I'm lost.

And, why do I have to have a server involved in the process? The article on making a JavaScript app refers to a direct request for a token. Is there documentation on that somewhere?

Recommended answer


  1. You register your application on Box
  2. After registration you receive clientId and clientSecret once on Box website
  3. You hardcode your credentials somewhere in your application
  4. First time your application needs to access Box API it should redirect user to https://www.box.com/api/oauth2/authorize, specifying your clientId, clientSecret and redirectURI as parameters. About redirectURI see below.
  5. The box.com website opens. User enters his own credentials in the web form on box.com
  6. User allows your application to access his files via API on the box.com website
  7. Box redirects user back to your application using redirectURI specified before. One of the parameters to this request is "code". This is a very short-lived (30 seconds) access code that is only eligible for obtaining real access token.
  8. During next 30 seconds your application should make another call to Box API to next URL: https://www.box.com/api/oauth2/token, specifying the previously obtained code. If everything was correct, your application receives an access_token, a refresh_token and "expires" values.
  9. Now your application can make requests to Box API, specifying access_token every time
  10. access_token expires in number of seconds, specified in "expires" field. It should be about 3600 seconds or 1 hour. Each time your application sees that access_token has expired, it should make another request to Box with the refresh_token and obtain a fresh access_token for another 1 hour.
  11. refresh_token itself expires in 14 days

Note: if you develop a desktop application, then you should open browser for user on the step 4, redirectURI should be something like http://127.0.0.1:8080/Callback and you should run a small webserver just to catch the redirect with the code as in step 7.
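
The loopback redirect from the note, with the code from step 7 validated before it is used, as an added example that is not part of the original answer or Box's own code. The query parameter names (`response_type`, `client_id`, `redirect_uri`, `state`, `error`) are the standard RFC 6749 ones and are assumed to apply here; the `state` check and the `127.0.0.1`-only bind are additions for illustration.

```python
import hmac, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://www.box.com/api/oauth2/authorize"  # URL from step 4
REDIRECT_URI = "http://127.0.0.1:8080/Callback"             # from the note

def build_authorize_url(client_id, redirect_uri=REDIRECT_URI):
    """Step 4: return (url, state). Parameter names are RFC 6749's (assumed)."""
    state = secrets.token_urlsafe(32)  # one-time value tying the redirect to this login
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def extract_code(request_target, expected_state, callback_path="/Callback"):
    """Step 7: validate the redirect and return the code, else raise ValueError."""
    parts = urlparse(request_target)
    params = parse_qs(parts.query)
    if parts.path != callback_path:
        raise ValueError("unexpected path")
    if "error" in params:  # user declined, or the request was rejected
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")  # redirect not caused by our request
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or duplicated code")
    return codes[0]

def catch_redirect(expected_state, port=8080):
    """Listen on loopback only until one valid redirect arrives; return its code."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = extract_code(self.path, expected_state)
                self.send_response(200)
            except ValueError:
                self.send_response(400)
            self.end_headers()
        def log_message(self, *args):  # keep the code out of console logs
            pass
    with HTTPServer(("127.0.0.1", port), Handler) as server:
        while "code" not in result:
            server.handle_request()
    return result["code"]
```

Binding to `127.0.0.1` rather than all interfaces keeps other hosts on the network from reaching the listener, and requests with a wrong path or `state` get a 400 without ending the wait.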
