如何在网守(oauth2)中执行仅应用程序身份验证 [英] How to do Application-only authentication in doorkeeper (oauth2)
问题描述
Twitter的api具有仅应用程序身份验证: https://dev. twitter.com/docs/auth/application-only-auth
Twitter has application-only authentication for their api: https://dev.twitter.com/docs/auth/application-only-auth
Twitter为应用程序提供了代表应用程序本身(而不是代表特定用户)发出经过身份验证的请求的功能
Twitter offers applications the ability to issue authenticated requests on behalf of the application itself (as opposed to on behalf of a specific user)
我想在Rails中对门卫做同样的事情,但是我不确定该怎么做.似乎只能通过回调URL对用户进行身份验证,但是如何使用应用程序上下文(仅通过使用应用程序ID和应用程序密钥)访问我的API
I want to do the same with doorkeeper in Rails, but I'm not sure how to do that. It seems to be only possible to authenticate users via a callback url, but how can I access my API using the applications context (only by using the app ID and app secret)
我的第一个想法是使用应用程序的ID和密码进行密码凭证登录,以获得属于该应用程序的访问令牌.这是一个坏主意吗?从安全角度来看是否安全?我想知道,因为该应用程序的机密已以纯文本格式保存在数据库中,这对于用户身份验证是不可行的.
My first idea was to do a password credentials login with the app's ID and secret to obtain an access token that belongs to the application. Is this a bad idea? Is it safe from a security point of view? I am wondering because the app's secret is saved as plain text in the db, which is a no go for user authentication.
推荐答案
It is something you can definitely do : you can see on the example here where it generate a token with client_credentials, but no username / password :
curl -i http://localhost:5100/oauth/token \
-F grant_type="client_credentials" \
-F client_id="your_application_id" \
-F client_secret="your_secret"
由您自己决定是否有与doorkeeper_token
关联的resource_owner
.
Up to you after to check if you have a resource_owner
associated to your doorkeeper_token
.
这篇关于如何在网守(oauth2)中执行仅应用程序身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!