OAuth2 client server authentication for a command line utility


Problem description

I'm working on a command line utility that requires access to a backend server over a REST API.

I'm trying to avoid implementing my own authentication mechanism and use one (or more) of the public auth services (like Google, Facebook, Amazon).

I am trying to make the client accept credentials and authenticate against the authentication provider, and do that without asking the user to open a web browser and provide back a token. The client will be open sourced in order to avoid trust issues (i.e. the user credentials are not sent to my backend server).

I am not interested in authorization; I only care about authenticating against my backend server without having the user keep yet another set of credentials (and without sending the user credentials to my backend server).

How can I have my client authenticate with the auth provider and get a token to communicate back with my server without having the user use a web browser?

Recommended answer

I realize you said "not open a web browser", but what about if that browser is on another device (e.g. their mobile)?

If that is acceptable, you can use the OAuth 2.0 for Devices approach, whereby you present the user a short alphanumeric code, which they enter on http://google.com/device to authenticate the request from another device. This OAuth flow is designed to work in environments which don't have browsers (like a command line).

To see a demo of this authentication flow in action, visit the YouTube TV site, press the ← key on your keyboard, and select Sign In.

It's also easy to try out yourself: create an OAuth client in the developers console (of type "installed application" -> "other"), and follow the curl examples in the docs (be sure to replace the demo code in the token request with the device_code received from the initial request to the code endpoint). Decode the resulting id_token using any of the example JWT decoders, like this one.

In your case, you should request the profile scope, which will return an id_token in the response to your token endpoint call, from which you can extract the user's Google profile id (the id token's sub field).
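The device flow the answer describes, as an added example that is not part of the original answer or of Google's own client libraries. It implements the two steps the answer outlines (request a device_code/user_code, then poll the token endpoint with the device_code, never the user_code) and then reads the id_token's sub claim. The HTTP layer is injected so the example runs offline against a constructed stand-in for the provider; the Google endpoint URLs, client id, client secret, sub value and id_token are all constructed for the demo and are assumptions, not values from the page. The polling logic follows RFC 8628 (authorization_pending, slow_down, access_denied, expired_token). The caveat a backend implementer needs: decoding the id_token only reads the claims; before trusting sub, the backend must verify the JWS signature against the provider's published keys and check iss, aud and exp (with google-auth that is `google.oauth2.id_token.verify_oauth2_token`), which this example only approximates with a structural claim check.

```python
"""Added example (not from the original page): OAuth 2.0 device-authorization
flow for a CLI, with the HTTP transport injected so it runs offline.

Assumed endpoints and values are hypothetical stand-ins for the demo."""
import base64
import json
import time
from typing import Any, Callable, Dict, List

# A transport is any callable (url, form_params) -> decoded JSON dict.
Transport = Callable[[str, Dict[str, str]], Dict[str, Any]]

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def request_device_code(post: Transport, device_endpoint: str,
                        client_id: str, scope: str) -> Dict[str, Any]:
    """Step 1: obtain device_code (kept by the CLI) and user_code (shown to the user)."""
    resp = post(device_endpoint, {"client_id": client_id, "scope": scope})
    missing = [k for k in ("device_code", "user_code", "verification_url", "interval")
               if k not in resp]
    if missing:
        raise ValueError(f"device endpoint response missing {missing}")
    return resp


def poll_for_token(post: Transport, token_endpoint: str, client_id: str,
                   client_secret: str, device_code: str, interval: float,
                   max_wait: float,
                   sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Step 2: poll the token endpoint with the device_code until the user approves."""
    waited = 0.0
    while True:
        resp = post(token_endpoint, {
            "client_id": client_id,
            "client_secret": client_secret,
            "device_code": device_code,          # the device_code, not the user_code
            "grant_type": DEVICE_CODE_GRANT,
        })
        if "error" not in resp:
            return resp
        err = resp["error"]
        if err == "slow_down":
            interval += 5                        # RFC 8628 section 3.5: back off by 5 s
        elif err != "authorization_pending":
            raise PermissionError(f"device flow failed: {err}")  # access_denied, expired_token
        if waited >= max_wait:
            raise TimeoutError("user did not approve within max_wait")
        sleep(interval)
        waited += interval


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> Dict[str, Any]:
    """Read the id_token payload WITHOUT checking the signature. Display-only on the CLI;
    the backend must verify the JWS signature (provider JWKS) before trusting anything here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def basic_claim_checks(claims: Dict[str, Any], client_id: str, now: int) -> bool:
    """Structural checks a relying party applies in addition to signature verification."""
    return (claims.get("iss") in GOOGLE_ISSUERS
            and claims.get("aud") == client_id
            and isinstance(claims.get("exp"), int) and claims["exp"] > now
            and bool(claims.get("sub")))


def make_unsigned_id_token(claims: Dict[str, Any]) -> str:
    """Constructed id_token with a dummy signature segment, for the offline demo only."""
    def enc(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


def make_fake_transport(id_token: str, pending_polls: int = 2) -> Transport:
    """Constructed stand-in for the provider: pending for `pending_polls` polls,
    then one slow_down, then success."""
    state = {"polls": 0}

    def post(url: str, params: Dict[str, str]) -> Dict[str, Any]:
        if url.endswith("/device/code"):
            return {"device_code": "dev-abc", "user_code": "WXYZ-1234",
                    "verification_url": "https://www.google.com/device", "interval": 5}
        assert params["grant_type"] == DEVICE_CODE_GRANT and params["device_code"] == "dev-abc"
        state["polls"] += 1
        if state["polls"] <= pending_polls:
            return {"error": "authorization_pending"}
        if state["polls"] == pending_polls + 1:
            return {"error": "slow_down"}
        return {"access_token": "ya29.fake", "token_type": "Bearer",
                "expires_in": 3599, "id_token": id_token}
    return post


def run_demo(client_id: str = "example-client.apps.googleusercontent.com",
             now: int = 1_700_000_000) -> Dict[str, Any]:
    """Whole flow against the fake provider; returns the sub and the sleeps performed."""
    claims = {"iss": "https://accounts.google.com", "aud": client_id,
              "sub": "1234567890", "exp": now + 3600}       # constructed claims
    post = make_fake_transport(make_unsigned_id_token(claims))
    sleeps: List[float] = []
    dev = request_device_code(post, "https://oauth2.googleapis.com/device/code",
                              client_id, "profile")
    print(f"Visit {dev['verification_url']} and enter code {dev['user_code']}")
    tok = poll_for_token(post, "https://oauth2.googleapis.com/token", client_id,
                         "example-secret", dev["device_code"], dev["interval"],
                         max_wait=300, sleep=sleeps.append)
    c = unverified_claims(tok["id_token"])
    if not basic_claim_checks(c, client_id, now):
        raise PermissionError("id_token claims failed structural checks")
    return {"sub": c["sub"], "sleeps": sleeps}


if __name__ == "__main__":
    print(run_demo())
```

The CLI would hand the access_token or id_token to the backend; the backend, not the CLI, is the relying party, so that is where signature verification and the aud check against the backend's own client id belong. Treating a merely decoded sub as proof of identity is the classic mistake with this design.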

