Moving from Session-based token mechanism to OAuth 2.0 mechanism


Question

I own a Play Framework application acting as a backend server providing a set of REST APIs.
At client side, I own an AngularJS application that calls APIs from backend-server through AJAX.

Currently, I make use of a solution based on Session-token mechanism.
Meaning that each time a user logs in successfully, a cookie is retrieved at client side containing an authentication token.
At each request then, the cookie value (the auth token) provided by the client request is extracted on the server and if valid, the request is made.

Now I want to use OAuth 2.0. The reasons are:

  • It is a great standard way to secure APIs, avoiding the use of a data store (Memcached) to keep authentication tokens on the server side, as I currently do.

  • I want to provide better protection than a single cookie, by providing some client_secret and nonces to avoid replay attacks etc...

  • I want to limit the number of calls even on the public REST APIs I provide to clients, meaning APIs that allow anonymous calls, for instance listing items.

The point is that I don't involve a third party, since all protected resources are my own.
I came across this article explaining how to secure internal REST API with OAuth 2.0 implementing a 2-legged instead of a 3-legged as usual.

However, I can't figure out how the Client Credentials flow could authenticate a specific user, when calling for a REST API that needs to have a user authenticated.

Indeed, Client Credentials flow seems to be based on global client_id, client_secret keys (global to the app, so in my case to my Javascript app), and therefore not specific enough to target a specific user and control its specific rights.

Any help would be great.

Answer

Seems like you should use "Resource Owner Password Credentials Grant" (http://tools.ietf.org/html/rfc6749#section-4.3). It is dead simple - put client ID/secret in Authorization header and put user name/password in query variables. Here is an example from the RFC:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w

Server side you can check for both validity of the client (your javascript app) as well as the user. Just remember that it is impossible to protect the client credentials as it will be embedded in your (downloadable) JavaScript code. The user name/password is entered directly by the end user.
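The token endpoint the answer describes, as an added example that is not from the original post or from the Play application: it parses the Basic header from the RFC request above, checks the (constructed) client and user records with constant-time comparison, and issues a bearer token that the resource server can map back to the user. The client id, secret and user credentials are the RFC 6749 example values; the salt, iteration count and token lifetime are assumptions.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs

# Constructed registrations (RFC 6749 example values; not real credentials).
# The client secret ships inside downloadable JavaScript, so as the answer
# notes it only identifies the app; the user password is what authenticates.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}        # client_id -> client_secret
SALT, ROUNDS = b"constructed-salt", 100_000   # assumed password-hashing params
USERS = {"johndoe": hashlib.pbkdf2_hmac("sha256", b"A3ddj3w", SALT, ROUNDS)}
TOKENS = {}                                   # access_token -> (username, expiry)

def _check_client(auth_header):
    """Validate 'Authorization: Basic base64(client_id:client_secret)'."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:                        # bad base64 or non-UTF-8 bytes
        return None
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id

def _check_user(username, password):
    """Verify the resource owner's password against its PBKDF2 digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ROUNDS)
    digest = USERS.get(username)
    return digest is not None and hmac.compare_digest(digest, candidate)

def handle_token_request(headers, body, now=None):
    """Process POST /token with grant_type=password; returns (status, json)."""
    now = time.time() if now is None else now
    if _check_client(headers.get("Authorization")) is None:
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not _check_user(form.get("username", ""), form.get("password", "")):
        return 400, {"error": "invalid_grant"}   # same error for unknown user or bad password
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (form["username"], now + 3600)
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": 3600}

def user_for_token(token, now=None):
    """Resource-server side: return the user bound to a live bearer token, else None."""
    now = time.time() if now is None else now
    entry = TOKENS.get(token)
    return None if entry is None or entry[1] <= now else entry[0]
```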
