RESTful web service using OAuth for mobile application


Question

I am building an application that consists of two main parts:

  1. A web application with a REST API.
  2. A mobile application (Android, iPhone).

The web application has a database that stores data about users (like posts, events and similar).
The mobile application uses the web application's REST API to access that data, but to do that I need some kind of authentication (the user must authenticate in order to access/modify his data).

I know that this could easily be done in such a way that the mobile application provides a username and password in each request to the web API, and the web application authenticates that username and password against the database before serving the request.
However, I would like to use OAuth (so the user can log in using Google, Facebook, ...), and this is where things get complicated; I am not sure what the best way to do this is.

My first idea: the mobile app sends the OAuth provider's (for example Facebook's) credentials (username and password) to the web app, which then authenticates them against the OAuth provider. I soon realized that this is not OK, because it means the user has to trust your site not to abuse the given credentials, so this is not the way it is done. Not good

My second idea: the mobile app uses the web application API to tell the web app that it wants to authenticate against OAuth provider P. The web application redirects to provider P, where the user inputs his credentials. Then provider P redirects back to the web application, where the user is logged in and JSON about the successful login is sent to the mobile app. This would be great if not for the part where the user has to input his credentials manually. I implemented this solution, and the problem is that after the mobile app accesses the web app API, JSON is not returned immediately; the redirects are done first, and that messes everything up. I was thinking about using a WebView inside the mobile app, but I don't know how to return from the WebView when the JSON is to be sent. I am not sure if I should pursue this idea further, or if this is the wrong way of doing it. Maybe good if some problems were solved

My third idea: the mobile app authenticates directly against OAuth provider P. If that was successful, then the mobile app sends requests to the web app containing user information (for example a userId or user password) so the web app knows which user it is. However, this means that the web app has to trust the mobile app that the given user is really authenticated. That means the web app needs to be sure that the API is accessed from the mobile app. I could do that by hardcoding a special password (secret) in the mobile app which is sent with each request to prove that the request was sent by the mobile app.
The bad side of this approach is that I have to implement mobile app authentication against the OAuth provider for each combination of (mobile OS, OAuth provider). Also, I am not sure how secure it is. Do you think this is a good way to go; what could I improve/change? I have a feeling I am missing something. This may be good, but it requires a lot of work to be done

Please tell me which idea is best and if there is any way to improve them. Thanks

Recommended answer

After some further research and talking with some of my colleagues, I decided that the best option to go for is the second idea. I decided to handle redirects using a WebView (which exists on both iPhone and Android). I will configure the WebView in such a way that it automatically exits when the user is redirected back to a specific URL on the web app that returns JSON.
I decided this is the best idea because this way I only have to implement/configure the WebView on the mobile app while all OAuth logic is done on the web app, which means there is less code repetition among mobile apps (Android, iPhone) and it is more extensible (I have to modify one web app, not 2 or 3 mobile apps).
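One way to implement the WebView exit condition from the answer on the mobile side, as an added example (not code from the question or the answer): it decides whether the URL the WebView is about to load is the web app's JSON-returning "done" URL, and checks that the response belongs to the login attempt the app started. The callback URL https://example.com/oauth/done, the `state` query parameter and the one-time `ticket` parameter are assumptions made for the example.

```python
"""Decide when the WebView should exit: the loaded URL is the web app's
'done' URL and carries the state value issued for this login attempt."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed for the example: the web app finishes the flow by redirecting the
# WebView here; the query carries the state plus either a one-time ticket
# (exchanged for an API token afterwards) or an error parameter.
CALLBACK_URL = "https://example.com/oauth/done"


def new_state() -> str:
    """Unguessable value bound to one login attempt; sent when the flow starts."""
    return secrets.token_urlsafe(32)


def is_callback(url: str, callback_url: str = CALLBACK_URL) -> bool:
    """True only when scheme, host and path all equal the configured callback.

    Comparing the parsed parts rather than doing a substring search keeps a
    page on another host that merely mentions the callback (for example in a
    ?next= parameter, or as userinfo before an '@') from being mistaken for it.
    """
    got, want = urlsplit(url), urlsplit(callback_url)
    return (got.scheme, got.netloc.lower(), got.path) == (
        want.scheme, want.netloc.lower(), want.path)


def parse_callback(url: str, expected_state: str) -> dict:
    """Result of the login attempt, or ValueError if the URL cannot be trusted.

    Returns {"ok": True, "ticket": ...} or {"ok": False, "error": ...}.
    """
    if not is_callback(url):
        raise ValueError("not the callback URL")
    params = parse_qs(urlsplit(url).query)
    state = params.get("state", [""])[0]
    # Constant-time compare; a mismatch means this response was not produced
    # by the login attempt we started, so it must not be accepted.
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    if "error" in params:
        return {"ok": False, "error": params["error"][0]}
    ticket = params.get("ticket", [""])[0]
    if not ticket:
        return {"ok": False, "error": "missing ticket"}
    return {"ok": True, "ticket": ticket}
```

In the WebView's navigation hook, call `is_callback` on each URL; when it returns True, close the WebView and pass the URL and the stored state to `parse_callback`.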

