OAuth2 flow for mobile app


Problem description

We have a pre-existing mobile application. The user will register with his user name and password. Currently we have a custom token based authentication. We would like to switch to OAuth2 without affecting the user experience. Looks like Resource Owner Password Credentials is the nearest flow for us, but there are a lot of recommendations against using them... Any other recommendation... We are planning to use IdentityServer4

Recommended answer

tl;dr: use Authorization Code flow + PKCE

The Resource Owner Password Credentials grant is there for clients which cannot convert (migrate) to a fully OAuth client. Also, be aware that the specification strictly mentions the trust relationship between client and end user.

From the specification:

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

So what you heard is correct. You must only use this if you are out of options. And mind you, by using this flow you lose the essence of OAuth 2.0. You will expose end user credentials to the client!

Moving to OAuth 2.0

Mobile clients are public clients. The recommended grant for mobile clients is the authorization code grant type. Also, since it's a public client you must use PKCE (Proof Key for Code Exchange by OAuth Public Clients). PKCE adds an additional protection layer to the authorization code grant type.

Moving to OAuth 2.0 will need changes in your mobile application. You will have to redesign the app's login functionality. But don't be afraid, there are lots of good libraries available for OAuth 2.0 with PKCE support. IdentityServer4 too will have support for these protocols.

If you adopt OAuth 2.0, you get the ability to change your authorization server seamlessly (with some configuration). That means the same application can consume users from different authorization servers. So go with Authorization Code flow + PKCE.
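The PKCE binding the answer recommends, as an added example that is not part of the original answer or of IdentityServer4: the mobile client generates a random code_verifier, sends only its S256 code_challenge in the authorization request, and the authorization server recomputes the challenge from the verifier presented at the token endpoint. The endpoint URL and client identifiers are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed placeholder; a real deployment uses its own authorization
# server's authorize endpoint (e.g. an IdentityServer4 instance).
AUTHORIZE_ENDPOINT = "https://auth.example.com/connect/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 chars from the unreserved set.
    32 random bytes give 43 chars of unpadded base64url."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, challenge: str,
                        state: str, scope: str = "openid profile") -> str:
    """Authorization request the public (mobile) client opens in the system
    browser. No client secret is involved; the challenge binds the later
    token request to this client instance."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def server_verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token-endpoint check on the authorization server: recompute the challenge
    from the verifier sent with the code and compare in constant time.
    Only S256 is accepted; 'plain' gives no protection if the challenge leaks."""
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```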
