使用 oAuth2orize 为“资源所有者密码流"传递可信客户端信息 [英] Passing Trusted Client Information with oAuth2orize for the "Resource Owner Password Flow"

问题描述

我在理解如何使用 oAuth2rize 和 Passport.js 实现资源所有者密码流时遇到了一些问题，特别是通过 client_id 和 client_secret 的传输，以便我可以对客户端进行一些检查，以确保任何事情都达到此目的使用特定密码"授权类型的点 (/token) 特别是官方应用程序，没有其他基于 id 和 secret 的应用程序.

I am having some issues understanding how to implement the Resource Owners Password Flow with oAuth2rize and passport.js specifically with the transmission of the client_id and the client_secret so that i can do some checks on the client to ensure anything coming into this end point (/token) using the specific "password" grant type is specifically an official application and no others based on the id and secret.

在构建解决方案时，我可以取回令牌，但那是在我尝试对客户端进行任何验证之前.当我尝试访问传递给密码交换策略的客户端变量(发布到端点)时，我收到了基于文档的用户凭据(用户名、密码)，这是预期的，但不是我在这里需要实现的.

When building out the solution i can get a token back, but that is before i have tried to do any validation on the client. When i try and access the client variable (posted to the end point) passed into the password exchange strategy i receive the user credentials (username, password) which based on documentation is expected but not what i need to achieve here.

我不知道如何获得实际的客户端凭据，我可以在密码函数源代码中看到您可以提供其他选项来覆盖对 req['user'] 的默认分配，但这是否意味着我有提供某种代码以添加到 req 对象?

I am at a loss to understand how i get the actual client credentials, i can see in the password function source code you can provide additional options to override the default assignment to req['user'] but does that mean i have to provide some sort of code to add to the req object?

我已经设置了一些集成测试，以下是我调用端点的方式(使用 SuperTest):

I have setup some integration tests and here is how i am calling my endpoint (using SuperTest):

                request('http://localhost:43862')
                    .post('/oauth/token')
                    .type('form')
                    .send({ grant_type: 'password' })
                    .send({ client_id: 'goodClient' })
                    .send({ client_secret: 'asecret' })
                    .send({ username: 'good@user.com' })
                    .send({ password: 'goodpassword' })
                    .expect(200, done);

出于某种原因，我似乎完全过度考虑了这一点，但出于某种原因，我完全被难住了......

For some reason i seem to be completely over thinking this but for some reason am completely stumped....

推荐答案

正如预期的那样，这是一个理解问题，我们使用本地策略而不是 ClientPasswordStrategy，并在发出令牌之前在密码交换中进行用户验证.

As expected it was an understanding issue where we were using a local strategy instead of the ClientPasswordStrategy with the user validation happening within the password exchange before issuing a token.

我们现在正在使用 ClientPasswordStrategy，并且在我们正在调用的 exchange.password 函数和内部调用我们的用户 api 以验证用户凭据，如果没问题，则发出令牌.

We are now using the ClientPasswordStrategy and within the exchange.password function we are calling and internal call to our user api to validate the user credentials and if ok then issuing the token.

passport.use(new ClientPasswordStrategy(

function(clientId, clientSecret, next){

    Client.verify(clientId, clientSecret, function(err, verified){

        if(!verified){
            return next(null, false);
        }

        next(null, clientId);
    });

}
));

passport.use(new BearerStrategy(
function(token, next) {

    Token.getByToken(token, function(err, tokenObj){

        if(err)
            return next(err);

        if(!tokenObj)
            return next(null, false);

        User.getByUsername(tokenObj.username, function(err, user){

            return next(null, user, { scope: 'all' });
        });
    });
}
));

这篇关于使用 oAuth2orize 为“资源所有者密码流"传递可信客户端信息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！