RESTful web service using OAuth for mobile application


Question


I am building application that consists of two main parts:

  1. Web application with REST API.
  2. Mobile application (Android, iPhone).


Web application has a database that stores data about users (like posts, events and similar).
Mobile application uses the web application's REST API to access that data, but to do that I need some kind of authentication (user must authenticate himself in order to access/modify his data).


I know that this could easily be done in such a way that the mobile application provides username and password in each request towards the web API, and the web application authenticates that username and password against the database before serving the request.
However, I would like to use OAuth (so the user can log in using Google, Facebook, ...) and this is where things get complicated, and I am not sure what is the best way to do this.


My first idea: mobile app sends OAuth provider (for example Facebook) credentials (username and password) to the web app, which then authenticates them against the OAuth provider. I soon realized that is not ok because that means the user has to trust your site not to abuse the given credentials, so this is not the way it is done. Not good


My second idea: mobile app uses the web application API to tell the web app that it wants to authenticate against OAuth provider P. The web application redirects to provider P, where the user inputs his credentials. After that, provider P redirects back to the web application, where the user is logged in and JSON about the successful login is sent to the mobile app. This would be great if not for the part where the user has to input his credentials manually. I implemented this solution and the problem is that, after the mobile app accesses the web app API, JSON is not returned immediately; first the redirects are done, and that messes everything up. I was thinking about using a WebView inside the mobile app, but I don't know how to return from the WebView when the JSON is to be sent. I am not sure if I should pursue this idea further or whether this is the wrong way of doing it? Maybe good if some problems were solved


My third idea: mobile app authenticates directly against OAuth provider P. If that was successful, then the mobile app sends requests to the web app containing user information (for example userId, or user password) so the web app knows which user it is. However, this means that the web app has to trust the mobile app that the given user is really authenticated. That means the web app needs to be sure that the API is accessed from the mobile app. I could do that by hardcoding a special password (secret) in the mobile app which is sent with each request to prove that the request was sent by the mobile app.
The bad side of this approach is that I have to implement mobile app authentication against the OAuth provider for each combination of (mobile OS, OAuth provider). Also, I am not sure how secure it is. Do you think this is a good way to go, what could I improve/change? I have a feeling I am missing something. Maybe good, but has a lot of work to do


Please tell me which idea is best and if there is any way to improve them, thanks

Accepted answer


After some further research and talking with some of my colleagues, I decided that the best option to go for is the second idea. I decided to handle redirects using a WebView (which exists on both iPhone and Android). I will configure the WebView in such a way that it automatically exits when the user is redirected back to a specific URL on the web app that returns JSON.
I decided this to be the best idea because this way I only have to implement/configure the WebView on the mobile app while all OAuth logic is done on the web app, which means there is less code repetition among mobile apps (Android, iPhone) and it is more extensible (I have to modify one web app, not 2 or 3 mobile apps).
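The flow the accepted answer settles on, as an added offline simulation that is not code from the original post: the web app owns the OAuth redirect dance (with a one-time `state` so a callback cannot be forged or replayed), the provider is a stand-in, and the mobile side only applies one rule, close the WebView when it lands on the agreed "done" URL and read the JSON there. Host names, paths and the `code_to_user` mapping are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
WEB_APP = "https://webapp.example"   # assumed host of the web app / REST API
DONE_URL = WEB_APP + "/oauth/done"   # the specific URL the WebView watches for
# In-memory stores; a real web app keeps these in server-side session storage.
_pending_states = {}   # state -> provider, one-time, bound to a login attempt
_tickets = {}          # one-time ticket -> provider user id
_api_tokens = {}       # API token -> provider user id

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def start_login(provider):
    """Web app: mint a fresh state, send the WebView to provider P."""
    state = secrets.token_urlsafe(16)
    _pending_states[state] = provider
    params = {"client_id": "webapp-client", "response_type": "code",
              "redirect_uri": WEB_APP + "/oauth/cb", "state": state}
    return f"https://{provider}.example/authorize?" + urlencode(params)

def fake_provider_redirect(authorize_url, code):
    """Stand-in for P: after login it redirects back with a code and the same state."""
    q = _query(authorize_url)
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def provider_callback(callback_url, code_to_user):
    """Web app /oauth/cb: verify state, exchange the code (code_to_user stands in
    for P's token endpoint), then redirect to DONE_URL with a one-time ticket."""
    q = _query(callback_url)
    if q.get("state") not in _pending_states:
        raise PermissionError("unknown or replayed state")  # CSRF / replay guard
    del _pending_states[q["state"]]                         # single use
    ticket = secrets.token_urlsafe(16)
    _tickets[ticket] = code_to_user[q["code"]]
    return DONE_URL + "?" + urlencode({"ticket": ticket})

def should_close_webview(url):
    """Mobile app: rule run on every WebView navigation (scheme, host and path)."""
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}{u.path}" == DONE_URL

def done_page(url):
    """Web app /oauth/done: swap the ticket for an API token. The framework would
    serialize this dict as the JSON body the mobile app reads after closing."""
    user = _tickets.pop(_query(url)["ticket"])
    token = secrets.token_urlsafe(24)
    _api_tokens[token] = user
    return {"ok": True, "token": token}

def api_user_for(token):
    return _api_tokens.get(token)  # later REST calls present this token, never a password
```

The mobile app never sees provider credentials, and a replayed or forged callback is rejected because each `state` is consumed on first use.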
