使用 OAuth2 保护 nodejs/sailsjs API [英] Securing a nodejs / sailsjs API with OAuth2
问题描述
我已经使用sailsjs 开发了一个REST API,我想添加OAuth2 授权来保护这个API.我是 OAuth 的新手,不知道从哪里开始.
I have developed a REST API with sailsjs and I'd like to add OAuth2 authorization to secure this API. I'm quite new to OAuth and I'm not sure where to start.
我发现了几个可用于此目的的模块,例如 oauth2orize 及其用法示例 https://github.com/aaron524/sails-oauth2-provider-example 但我不完全了解这是如何在内部工作的.
I found several modules that could be used for this purposes, for instance oauth2orize and an example of its usage https://github.com/aaron524/sails-oauth2-provider-example but I do not fully understand how this is working internally.
基本上,我将有几个客户端使用我正在开发的 API:- 我信任并希望与资源所有者凭据授权"一起使用的客户端- 我不信任并且将使用授权码流程连接的客户端
Basically, I'll have several clients consuming the API I'm developing: - clients that I trust and that I'd like to use with the "Resource Owner Credential Authorization" - clients that I do not trust and that will connect using the Authorization Code flow
我想在sails应用程序中的客户端模型中添加一个受信任的属性,然后当用户登录到一个应用程序时:- 他将可以直接访问其资源(受信任应用程序的情况)- 他将被要求批准或拒绝应用程序访问他的资源(不受信任的应用程序的情况)
I was thinking of adding a trusted property to the Client model within the sails application and then when a user will log onto an application: - he will have a direct access to its resources (case of the trusted application) - he will be requested to approve or deny the application from accessing his resources (case of the untrusted application)
这是一个好方法吗?关于如何根据客户端信任级别选择相应策略的任何提示?
Is this a good approach ? Any pointers on how to select the corresponding strategy based on the client trusted level ?
更新
我已经在 GitHub 上设置了以下项目,使用了我找到的几个教程和项目.
I've setup the following project on GitHub, using several tutorial and projects I found.
https://github.com/lucj/sails-oauth2-api
此项目尚未运行.
当用户通过应用程序使用 API 时,我仍然不清楚如何选择正确的授权类型(授权代码与资源所有者的密码).如何将此检查集成到政策中?
I'm still not clear on how to select the correct grant type (authorization code vs resource owner's password) when the user consume the API through an application. How to integrate this check in the policies ?
我无法在 OAuth 端点(/oauth/authorize、/oauth/token)和对 oauth2orize 的调用之间创建链接.有什么想法吗?
I do not manage to create the link between the OAuth endPoint (/oauth/authorize, /oauth/token) and the call to oauth2orize. Any idea ?
推荐答案
我终于在 Oauth2orize、sails 和passport 上苦苦挣扎,并设法在项目中集成了我的API 的OAuth2 安全性:https://github.com/lucj/sails-oauth2-api
I finally struggled with Oauth2orize, sails and passport and managed to integrate OAuth2 security of my API in the project: https://github.com/lucj/sails-oauth2-api
这篇关于使用 OAuth2 保护 nodejs/sailsjs API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
