How to share auth0 authentication information between 2 different APIs?


Question

Pretty much new to APIs and the microservice world.

I use auth0 for authentication.

I have a convert express API POST endpoint which will only work if the user is authenticated; however, for the frontend (home page, login button, login from auth0 callback, redirection) I am using a different API, the Homepage express API.

After the user logs in from the homepage API, the user tries, from his profile dashboard, to send a POST request to the convert API endpoint; this doesn't work and throws the error "check.state argument is missing".

How do I determine that one API is authenticated, and have that authentication information shared with another API endpoint that requires authentication?

app.use('/authUrls', requiresAuth(), authUrlsRouter)   // convert api post request

Answer

This may be an assumption, but it appears that you are creating a regular web application with Node.js, and what you want is authentication per session, not per API endpoint. This quickstart from Auth0 walks through it nicely. It uses Passport.js and express-session to provide middleware.

According to the tutorial:

In a typical web application, the credentials used to authenticate a user are only transmitted during the login request. If authentication succeeds, a session is established and maintained via a cookie set in the user's browser. Each subsequent request does not contain credentials, but rather the unique cookie that identifies the session.

How it works: when the login API is called and completed successfully, the user's authentication is stored in that session. Whenever other APIs are called that require an authenticated user, you can just include the middleware (in the quickstart it is called 'secured'): it will query that respective session's data and allow / disallow based on the user's authentication status.

For example, the convert endpoint:
router.post('/convert', secured(), this.convertfunction);

And a non-authenticated endpoint:
router.get('/other', this.otherfunction);

The full tutorial has much more information available. But this illustrates how middleware will solve your problem.
