Expose Play Framework rest calls secured via securesocial to mobile app

Problem description

I would like to expose my Play Framework REST calls to clients other than my play app.

I would like a mobile app to call those secured rest calls.

I asked a question on SO earlier in the year and got an answer, but this only works for OAuth2 and I am only using OAuth1.

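My questions are:

  1. Is it a good idea to expose my REST calls, secured by SecureSocial on my Play Framework app, to non-web clients (e.g. mobile apps)?
  2. Is it possible to do this with SecureSocial for OAuth1?
  3. Are there any other examples besides the one in the link from my previous question?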

Recommended answer

Latest changes in master-SNAPSHOT include a LoginApi controller that lets you authenticate a user using an API. It supports the UsernamePasswordProvider and all the OAuth2Providers.

In the case of the UsernamePasswordProvider you can post the user credentials and if they’re ok you will get a json with a token that can be used in an X-Auth-Token header to invoke SecuredActions. For example:

curl --data "username=some@email.com&password=some_password" http://localhost:9000/auth/api/authenticate/userpass  

For OAuth2 based providers you have to post a JSON with an accessToken generated by the external service (that was obtained in the client side) along with the user email. The module will use the accessToken to verify if it works and will compare the email returned by the external service to the one passed in. If they match then the user is considered to be authenticated. This is very similar to what the guys at FortyTwo were doing and I thought it would be good to have the functionality built in (http://eng.42go.com/mobile-auth-with-play-and-securesocial/).

For example, having a file test.json with the accessToken and expiresIn values returned after authenticating with Facebook on the client side (e.g.: using Javascript):

{
"email": "some@email.com",
"info": {
    "accessToken": "an_access_token",
    "expiresIn": a_number_with_expiration_in_seconds
 }
} 

You can invoke:

curl -v --header "Content-Type: application/json" --request POST --data-binary "@test.json" http://localhost:9000/auth/api/authenticate/facebook

A sample json response for any of the calls above would be:

{"token":"98b9613dac60890b8e0abf5bc0f77591523df4e6de50b085c832116b8db2cc65511e0de6780f6a49f8755eddabbd46e6afada92160758fd6d4bbb25dc57e0f7b1e4b5b59fbbe543cf80ad1b6d91de7764e3ac1aaa0afac0c312a47bf27258f455606c6c19b1a3d40f8631ce98e6b76e128dddcb29511eb81200ffe9de95cba7a","expiresOn":"2014-05-07T07:43:10.987-03:00"}

You can then invoke a secured action as:

curl -v --header "Content-Type: application/json" -H "X-Auth-Token: 819a9cb9227d2c82af9c1ee2a62b9e7d35725e235e086ab95ecce0b509f3f7b389f430e217e341306ecaebfd1972ac083de73a32341a26f97150ae71fb0417f0031534d818356b2266ffc100e5ee6a50bd1f9ec76b0f68d2ff8ce4d196b4a86b61e002b29b00532ef166cb2eb8476d3ae008c112891628bc0f444c7512c01345" http://localhost:9000/my-protected-action 
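A mobile or script client has to keep the token from the JSON response above, stop using it once `expiresOn` has passed, and keep it off cleartext links. The following is an added example, not part of the original answer or of SecureSocial; `ApiSession`, `headers_for`, the 30-second clock-skew margin and the loopback-only exception for plain HTTP are assumptions of this sketch, and the sample response is constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample in the shape of the response shown above (placeholder token).
SAMPLE = '{"token":"PLACEHOLDER_TOKEN","expiresOn":"2014-05-07T07:43:10.987-03:00"}'

LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # plain HTTP tolerated only for local testing


class ApiSession:
    """Holds the token returned by /auth/api/authenticate/<provider>."""

    def __init__(self, body):
        data = json.loads(body)
        token, expires = data.get("token"), data.get("expiresOn")
        if not isinstance(token, str) or not token or not isinstance(expires, str):
            raise ValueError("response carries no token/expiresOn pair")
        self.token = token
        # expiresOn is ISO 8601 with a UTC offset; keep it timezone-aware.
        self.expires_on = datetime.fromisoformat(expires)
        if self.expires_on.tzinfo is None:
            raise ValueError("expiresOn has no UTC offset")

    def is_valid(self, now=None, skew=timedelta(seconds=30)):
        """True while the token is still usable, allowing for clock skew."""
        now = now or datetime.now(timezone.utc)
        return now + skew < self.expires_on

    def headers_for(self, url, now=None):
        """Headers for a SecuredAction call, or an error if the token must not be sent."""
        parts = urlsplit(url)
        cleartext = parts.scheme == "http" and parts.hostname not in LOOPBACK
        if parts.scheme not in ("http", "https") or cleartext:
            raise ValueError("refusing to send X-Auth-Token without TLS")
        if not self.is_valid(now):
            raise PermissionError("token expired; authenticate again")
        return {"X-Auth-Token": self.token, "Content-Type": "application/json"}
```

The returned dictionary can be passed to any HTTP client; on `PermissionError` the client repeats the authenticate call instead of retrying with the stale token.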
