OAuth2 for mobile apps with simplest client-server architecture?


Problem description

We have a classical C-S (client-server) architecture, i.e. a mobile app and a business server. We have our own account system (not using 3rd party accounts such as Google/Facebook account). I know I should use OAuth2 for authentication. The problem is, how shall I implement that?

There are two things that I did not find on the Internet:

  1. We are using our own account system - no Google/Facebook account.
  2. The user should input his password in the native app UI, not in a browser webpage embedded in the app.

Questions:

  1. I think we can use the "resource owner password grant" mode. The user inputs the password in the native UI, then we gather it and send an HTTPS request to the server, etc. But I have seen people saying it is unsafe... So should I use it?
  2. If we should use the "authorization code" mode, how shall I let the user input his password within the native UI?

Thanks a lot!

p.s. If we do not have our own account system and simply rely on Google/Facebook's account, then everything is simple. We can just use any blog or article or answer on the Internet. However, we need our own account system.

Recommended answer

The resource owner flow is considered unsafe when used with 3rd party authentication, for example when your mobile app is trying to access a file in the user's Dropbox or a Gmail email. If you own all the parts of the system (account system, resources and the app), you should be safe with the resource owner password flow.

It is a much simpler flow; however, it has some drawbacks. For example, you won't be able to federate with other 3rd party or enterprise systems, and you can't benefit from single sign-on. If neither of those apply to you, go ahead and use the resource owner password flow.

You can find a good treatment of the subject here: https://auth0.com/blog/oauth-2-best-practices-for-native-apps/
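To make the recommended flow concrete for the asker's setup (own account system, password typed into the native UI), here is an added example of the resource owner password grant as it looks on the wire and on the server. It is not code from the question, the answer or the linked article; the client id `mobile-app`, the user `alice` / `correct horse`, the `USERS` and token stores and the function names are all constructed for the example. It also shows the refresh-token grant and the resource server's bearer check, which the answer does not cover, so the app only ever sends the password once and afterwards holds tokens rather than credentials.

```python
"""Minimal OAuth2 "resource owner password credentials" token endpoint (RFC 6749, section 4.3).
Framework-free: hook handle_token_request() into any HTTPS server's POST /token route.
All names, users and clients below are constructed sample data, not a real deployment."""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Fixed salt so the sample is reproducible; in practice draw os.urandom(16) per user.
SAMPLE_SALT = bytes.fromhex("00" * 16)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the server stores only this hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash).
USERS = {"alice": (SAMPLE_SALT, hash_password("correct horse", SAMPLE_SALT))}

# A native app is a public client: it cannot keep a client_secret, so only its id is checked
# and the user's password (not a client secret) is what proves the request is legitimate.
PUBLIC_CLIENTS = {"mobile-app"}

# Issued tokens are opaque random strings; these dicts stand in for a database or cache.
ACCESS_TOKENS: dict = {}   # access token -> (username, expiry epoch seconds)
REFRESH_TOKENS: dict = {}  # refresh token -> username (single use, rotated on refresh)
ACCESS_TTL = 3600


def build_password_grant_body(username: str, password: str, client_id: str) -> str:
    """Client side: the form body the native app POSTs to /token over HTTPS, exactly once."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "client_id": client_id})


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        hash_password(password, SAMPLE_SALT)  # keep timing similar for unknown users
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def issue_tokens(username: str) -> dict:
    """Mint a fresh access/refresh pair in the RFC 6749 section 5.1 response shape."""
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = (username, time.time() + ACCESS_TTL)
    REFRESH_TOKENS[refresh] = username
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}


def handle_token_request(body: str):
    """Server side: returns (http_status, json_dict) for an x-www-form-urlencoded POST /token."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == "password":
        if form.get("client_id") not in PUBLIC_CLIENTS:
            return 401, {"error": "invalid_client"}
        if not verify_password(form.get("username", ""), form.get("password", "")):
            return 400, {"error": "invalid_grant"}  # same error for bad user or bad password
        return 200, issue_tokens(form["username"])
    if grant == "refresh_token":
        # pop() makes the refresh token single use: a replayed token is rejected.
        user = REFRESH_TOKENS.pop(form.get("refresh_token", ""), None)
        if user is None:
            return 400, {"error": "invalid_grant"}
        return 200, issue_tokens(user)
    return 400, {"error": "unsupported_grant_type"}


def authenticate_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Resource server side: map 'Authorization: Bearer <token>' to a username, or None."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    record = ACCESS_TOKENS.get(authorization_header[len("Bearer "):])
    if record is None or record[1] < time.time():
        return None
    return record[0]


if __name__ == "__main__":
    status, resp = handle_token_request(build_password_grant_body("alice", "correct horse", "mobile-app"))
    print(status, resp["token_type"], authenticate_bearer("Bearer " + resp["access_token"]))
```

The point the answer makes is visible in the code: because the same party runs the account store, the token endpoint and the app, the password only ever travels from the native UI to this one endpoint over TLS, and what the app persists is the token pair. Rotating the refresh token on every use and keeping access tokens short-lived limits what a leaked token is worth; a real deployment would also rate-limit `handle_token_request` per user and client.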
