How to authorize mobile apps with a third party by oauth BUT connect to my service, not the 3rd party


Question


My app is architected as follows: I have a web service (running on GAE, not very relevant to this question) and the data that this service contains is made available through a website and through mobile and desktop apps.


Currently, the user authenticates to the website via Google ClientLogin and the apps authenticate/get authorized via GAE's built-in oauth provider. (OAuth is being used here mostly for authentication, my app doesn't actually use any external data via OAuth other than the user's unique ID and email address.)


What I'd like to do is expand the number of services that users can use to login. Because of the complicating factor of the apps, it seems I need OAuth. But I can't really properly conceptualize how this flow should go.


Let's take Facebook as an example. When a mobile app goes through the Facebook oauth flow and acquires an access token, this isn't enough - because it's my service, not the app, that actually needs to talk to facebook to retrieve contact info and a unique user ID. This leads me to think that the OAuth process needs to happen in the context of my service, and not the mobile app. My service then becomes the consumer and Facebook the oauth provider, and the service holds on to the oauth access token; this happens when a user sets up their account for the first time.


If this is the correct approach, where does that leave authentication for the apps? What happens when the user already has an account and installs a fresh instance of a mobile app? I imagine also going through the oauth process, matching up credentials with the data already stored by my service, and then issuing my own "access token" to the app from the service, to authorize that instance of the app. This seems convoluted and hackish.


I'm sure I can't be the only person who is in effect "borrowing" the account system of a third party for a mobile app with a backend, but I really don't see what the proper way to do this is.


What am I not seeing and/or getting conceptually wrong?

Recommended answer


A few colleagues and I once did a project quite similar in nature, back in university. We authenticated our users through either Facebook or Foursquare, using their respective OAuth APIs.


The native Android version of the app opened up a WebView with the OAuth provider's start page, which redirected back to our service after authentication. Then our service did a request for the OAuth token from the OAuth provider (Foursquare has some pretty simple instructions). When we got that token, we set up a session using cookies, which we could access from the app.


To validate sessions, we just checked whether the access token was still valid with the provider. We also used the respective providers' unique user IDs to distinguish users.


So yes, what worked for us is: Make the app authenticate & authorise your service, not the app itself.
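As an added example (not code from the question or the answer), here is the service side of the flow the answer describes: the service mints a state value the app carries into the provider's login page, the provider redirects back to the service, the service exchanges the code and keeps the provider token, then issues its own signed session token to that app instance and validates it on later calls. The provider exchange (`provider_exchange_code`), the account store and the sample code value are constructed in-memory stand-ins, not a real provider API.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-in for the provider's token/profile endpoints; a real service
# exchanges the code over HTTPS and then fetches the user's profile with the token.
FAKE_PROVIDER_CODES = {"code-abc": {"access_token": "fb-token-1", "uid": "fb-1001", "email": "a@example.com"}}

def provider_exchange_code(code):
    """Hypothetical helper: authorization code -> provider token + unique user ID."""
    return FAKE_PROVIDER_CODES.get(code)

SERVICE_KEY = secrets.token_bytes(32)   # constructed; load from a secret store in production
accounts = {}                           # (provider, provider_uid) -> account record
pending_states = set()                  # one-time anti-CSRF values handed to the WebView

def start_login():
    """Step 1: service mints a state value; the app opens the provider URL carrying it."""
    state = secrets.token_urlsafe(16)
    pending_states.add(state)
    return state

def oauth_callback(state, code):
    """Step 2: provider redirects back here; returns a session token for the app or None."""
    if state not in pending_states:
        return None                     # unknown or replayed state: reject the callback
    pending_states.discard(state)
    profile = provider_exchange_code(code)
    if profile is None:
        return None
    key = ("facebook", profile["uid"])  # the provider's unique ID distinguishes users
    account = accounts.setdefault(key, {"email": profile["email"]})
    account["provider_token"] = profile["access_token"]   # the service holds it, not the app
    return issue_session(key)

def issue_session(key, ttl=3600):
    """The service's own bearer token for this app instance: HMAC-signed and expiring."""
    body = base64.urlsafe_b64encode(json.dumps(
        {"p": key[0], "u": key[1], "exp": int(time.time()) + ttl}).encode()).decode()
    sig = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def validate_session(token):
    """Step 3: on each API call, check signature and expiry; return the account or None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        return None
    return accounts.get((claims["p"], claims["u"]))
```

A fresh install of the app simply repeats steps 1 and 2; the provider's user ID maps it onto the existing account and a new session token is issued, and the stored provider token can be re-checked with the provider when the session is validated, as the answer describes.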
