Laravel Passport Password Grant Tokens: own mobile app


Problem description

So my mobile app would be the client; I generated a client_id and a client_secret for it.

Users who use the mobile app have to log in using their username/password.

Where should I store the client_id and client_secret? Is it OK to expose them and simply place them hardcoded in the app?

Recommended answer

Hardcoding them and just placing them in an app is definitely not the secure way.

Actually it's not that straightforward. I assume you created the client from artisan or from the pre-built Vue components. In either case there is more that you have to do in order to safely consume the OAuth2 API without exposing any potential security vulnerabilities in your app.

Assuming your mobile users would register from the mobile app, you would need to create the user and the OAuth2 client from the mobile API that you expose for your clients (mobile apps) to consume. For this you have to do the following:

1. After installing Laravel Passport, run the following artisan command:

    php artisan migrate

This will create the necessary tables to store OAuth clients, their tokens and other related important information at the db level. After this you would need to change the client_id data type to VARCHAR(255) so as to store the username as client_id instead of storing numeric client_ids.

2. Now go to your models and create a model for the oauth_clients table so that you can create clients programmatically from the code while creating users.

    <?php
    namespace App;

    use Illuminate\Database\Eloquent\Model;

    // Eloquent model over Passport's oauth_clients table, so clients can be
    // created from application code while registering users.
    class oAuthClient extends Model
    {
        protected $table = 'oauth_clients';

        // The user's e-mail is stored in the id column (changed to VARCHAR(255) above),
        // so the key is a non-incrementing string rather than an auto-increment integer.
        public $incrementing = false;
        protected $keyType = 'string';
    }

This will create a model class for you through which you can store OAuth clients in the db while registering them in your app.

    Route::post('/register-user', function () {

        $email = \Illuminate\Support\Facades\Input::get('email');
        $password = \Illuminate\Support\Facades\Input::get('password');

        // Create the application user (name/email/password must be fillable on App\User).
        $user = new \App\User(array(
            'name' => \Illuminate\Support\Facades\Input::get('name'),
            'email' => $email,
            'password' => bcrypt($password),
        ));
        $user->save();

        // Create a matching password-grant client keyed by the user's e-mail.
        $oauth_client = new \App\oAuthClient();
        $oauth_client->user_id = $user->id;
        $oauth_client->id = $email;
        $oauth_client->name = $user->name;
        // The mobile app must derive exactly this same value to send as client_secret.
        $oauth_client->secret = base64_encode(hash_hmac('sha256', $password, 'secret', true));
        $oauth_client->password_client = 1;
        $oauth_client->personal_access_client = 0;
        $oauth_client->redirect = '';
        $oauth_client->revoked = 0;
        $oauth_client->save();

        return [
            'message' => 'user successfully created.'
        ];
    });

This will generate an entry in the users table and in the oauth_clients table, which Laravel Passport will use to generate the respective access_tokens for the user. In the above code snippet you have to note that to generate the oauth_client secret you have to use some strong formula of encryption that you feel comfortable using with your application. Also use the same technique to generate the secret key on your mobile app for the respective client/user.

3. Now you can use the standard POST API offered by Laravel Passport to request an access token through the password grant, using "oauth/token" with the following parameters:

    grant_type : 'password'
    client_id  : '<email with which the user is registered>'
    client_secret : '<generate the client secret from the mobile app>'
    username : '<email with which the user is registered>'
    password : '<password entered by the user>'
    scope : '<leave empty as default>'

4. The above will give you a response, if everything is correct, similar to:

    {
      "token_type": "Bearer",
      "expires_in": 3155673600,
      "access_token":                 "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjMwZmM0MDk1NWY5YjUwNDViOTUzNDlmZjc2M2ExNDUxOTAxZjc5YTA5YjE4OWM1MjEzOTJlZmNiMDgwOWQzMzQwM2ExZWI4ZmMyODQ1MTE3In0.eyJhdWQiOiJzaHVqYWhtQGdtYWlsLmNvbSIsImp0aSI6IjMwZmM0MDk1NWY5YjUwNDViOTUzNDlmZjc2M2ExNDUxOTAxZjc5YTA5YjE4OWM1MjEzOTJlZmNiMDgwOWQzMzQwM2ExZWI4ZmMyODQ1MTE3IiwiaWF0IjoxNDc4MTQ1NjMyLCJuYmYiOjE0NzgxNDU2MzIsImV4cCI6NDYzMzgxOTIzMiwic3ViIjoiMSIsInNjb3BlcyI6W119.dj3g9b2AdPCK-im5uab-01SP71S7AR96R0FQTKKoaZV7M5ID1pSXDlmZw96o5Bd_Xsy0nUqFsPNRQsLvYaOuHZsP8v9mOVirBXLIBvPcBc6lDRdNXvRidNqeh4JHhJu9a5VzNlJPm3joBYSco4wYzNHs2BPSxXuuD3o63nKRHhuUHB-HwjVxj2GDwzEYXdZmf2ZXOGRJ99DlWGDvWx8xQgMQtd1E9Xk_Rs6Iu8tycjBpKBaC24AKxMI6T8DpelnFmUbMcz-pRsgCWCF_hxv6FpXav3jr1CLhhT58_udBvXjQAXEbtHeB7W_oaMcaqezHdAeOWDcnqREZHsnXHtKt0JpymcTWBkS2cg7sJzy6P9mOGgQ8B4gb8wt44_kHTeWnokk4yPFRZojkHLVZb8YL6hZxLlzgV1jCHUxXoHNe1VKlHArdlV8LAts9pqARZkyBRfwQ8oiTL-2m16FQ_qGg-9vI0Suv7d6_W126afI3LxqDBi8AyqpQzZX1FWmuJLV0QiNM0nzTyokzz7w1ilJP2PxIeUzMRlVaJyA395zq2HjbFEenCkd7bAmTGrgEkyWM6XEq1P7qIC_Ne_pLNAV6DLXUpg9bUWEHhHPXIDYKHS-c3N9fPDt8UVvGI8n0rPMieTN92NsYZ_6OqLNpcm6TrhMNZ9eg5EC0IPySrrv62jE",
      "refresh_token": "<refresh_token>"
    }

You can use these tokens safely from your client apps (mobile apps). Hope it helps!
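As an added example (written here; not code from the answer or from Laravel Passport), the mobile-client side of the flow the answer describes in Python: it reproduces the answer's secret derivation so the app's value matches what /register-user stored, builds the form body for step 3, and decodes the returned JWT to read its claims. The e-mail, jti and sample token are constructed, the token is decoded for inspection only (its RS256 signature is not verified on the client), and since the derived secret is a deterministic function of the password and a fixed key, it carries no secrecy beyond the password itself.

```python
import base64
import hashlib
import hmac
import json

def derive_client_secret(password: str, key: bytes = b"secret") -> str:
    # Mirror of the answer's PHP: base64_encode(hash_hmac('sha256', $password, 'secret', true)).
    # The app must produce exactly the value /register-user stored in oauth_clients.secret;
    # being a pure function of the password and a fixed key, it adds no secrecy of its own.
    mac = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def password_grant_form(email: str, password: str, scope: str = "") -> dict:
    # Form fields for POST /oauth/token exactly as listed in the answer (scope left empty).
    return {
        "grant_type": "password",
        "client_id": email,  # the answer stores the user's e-mail as client_id
        "client_secret": derive_client_secret(password),
        "username": email,
        "password": password,
        "scope": scope,
    }

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def inspect_access_token(token: str, client_id: str, now: int) -> dict:
    # Reads the claims of a Passport JWT so the app can check aud/expiry before reusing a
    # cached token. Decoding only: the RS256 signature is NOT verified here (the server does).
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_unb64url(header_b64))
    claims = json.loads(_unb64url(payload_b64))
    return {
        "alg": header.get("alg"),
        "aud_matches_client": claims.get("aud") == client_id,
        "expired": now >= claims["exp"],
        "lifetime_days": (claims["exp"] - claims["iat"]) / 86400,  # page's token: 36524 days
        "scopes": claims.get("scopes", []),
    }

# Constructed sample with the same claim set Passport issues; the signature part is a dummy.
SAMPLE_CLAIMS = {"aud": "alice@example.test", "jti": "constructed-jti", "iat": 1478145632,
                 "nbf": 1478145632, "exp": 4633819232, "sub": "1", "scopes": []}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "not-a-real-signature"])
```

The lifetime check mirrors the page's own response, whose expires_in of 3155673600 seconds is 36524 days; a practitioner would shorten that server-side before trusting long-lived tokens on devices.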
