Using Laravel Passport with mobile application


Problem description


I am making a mobile application with a Laravel API, and I saw that since Laravel 5.3(?) they added something called "Passport" which handles OAuth2/verification for an application, so I thought I would give that a try. I followed several different explanations for how to get it working after I completed the setup using the Laravel Passport documentation (https://laravel.com/docs/5.4/passport). Right now this is the code for what I've come up with based off other tutorials / SO articles.

1.) Controller for creating the user/oAuth2 client

use App\User;
use App\OAuthClient;   // the model shown in step 2 below, assumed to live in the App namespace
use Illuminate\Http\Request;

class OAuthController extends Controller
{
    public function registerUser(Request $request)
    {
        $email = $request->email;
        $password = $request->password;
        $name = $request->name;

        $user = User::create([
            'name' => $name,
            'email' => $email,
            'password' => bcrypt($password),
        ]);

        // Row in oauth_clients keyed by the user's email (see step 3 below). The client
        // secret is base64(HMAC-SHA256(message = plaintext password, key = the fixed string 'secret')).
        $oAuthClient = new OAuthClient();
        $oAuthClient->user_id = $user->id;
        $oAuthClient->id = $user->email;
        $oAuthClient->name = $user->name;
        $oAuthClient->secret = base64_encode(hash_hmac('sha256', $password, 'secret', true));
        $oAuthClient->password_client = 1;
        $oAuthClient->redirect = '';
        $oAuthClient->personal_access_client = 0;
        $oAuthClient->revoked = 0;
        $oAuthClient->save();

        // Original had ['message', 'User successfully created'] (a list, not a key => value pair).
        return response()->json(['message' => 'User successfully created']);
    }
}

2.) The model I made to reference the oauth_clients table

use Illuminate\Database\Eloquent\Model;

// Plain Eloquent model pointing at Passport's oauth_clients table.
class OAuthClient extends Model
{
    protected $table = 'oauth_clients';
}

3.) I changed the oauth_clients table primary key from an incrementing integer to the user's email. I was basically just following this SO article: Laravel Passport Password Grant Tokens: own mobile app

4.) Once I have created the user/oauth_client, retrieve the token through POSTMAN w/ post request to oauth/token with parameters

The thing is, this feels really wrong to me. The oauth_clients table has a user_id column on it, so it really leads me to believe that, when attempting to get the oauth_client token, I should be able to do some POST request where it will take the user and then get the associated oauth_client, right?

In my mind what makes sense for how I should be able to use Passport for user authentication for my mobile app is as follows:

1.) Register new user

2.) When registering user, create oauth_client for that user

3.) On login, once user email/pw is verified, look for oauth_client and then retrieve the oauth_client token

4.) Use oauth_client token on any requests to the API going forward for the verified, authenticated user.

Is this the right way to think of it? I'm sure it's apparent, but this process has me confused, so any guidance will be greatly appreciated.

Solution

OK so, in case anyone is interested or has any future suggestions, here is what I did in the end to get this working.

I created a new route for mobile register,

    Route::post('/mobile_register', 'Auth\RegisterController@mobileRegister');

Then I basically just copied the actual register method but added a new function to create a new oauth_client based off of the successful user register information.

// Methods added to App\Http\Controllers\Auth\RegisterController. That file needs these imports:
//   use App\OAuthClient;  use App\User;  use Illuminate\Auth\Events\Registered;
//   use Illuminate\Http\JsonResponse;  use Illuminate\Http\Request;

/**
 * Register a new user through the mobile application. Send back the oauth_client ID which will be used
 * to retrieve the oauth token
 *
 * @param Request $request
 * @return \Illuminate\Http\JsonResponse
 */
public function mobileRegister(Request $request)
{
    $this->validator($request->all())->validate();

    $password = $request->password;
    event(new Registered($user = $this->create($request->all())));

    $oAuthClient = $this->registerOAuthClient($user, $password);

    // registerOAuthClient() returns a JSON error response when the save fails;
    // pass it straight through instead of reading ->id off a response object.
    if ($oAuthClient instanceof JsonResponse) {
        return $oAuthClient;
    }

    return response()->json(['message' => 'user created successfully', 'client_id' => $oAuthClient->id]);
}

/**
 * Create the associated oauth_client for this user.
 *
 * @param User $user
 * @param $password
 * @return \Illuminate\Http\JsonResponse|OAuthClient
 */
public function registerOAuthClient(User $user, $password)
{
    $oAuthClient = new OAuthClient();
    $oAuthClient->user_id = $user->id;
    $oAuthClient->name = $user->name;
    // The original left the HMAC message as a placeholder ("whatever you want your secret to be
    // based off of"); the otherwise unused $password parameter is used here, as in the question's
    // version. The HMAC key is the fixed string 'secret'.
    $oAuthClient->secret = base64_encode(hash_hmac('sha256', $password, 'secret', true));
    $oAuthClient->password_client = 1;
    $oAuthClient->redirect = '';
    $oAuthClient->personal_access_client = 0;
    $oAuthClient->revoked = 0;
    if (!$oAuthClient->save()) {
        return response()->json(['error' => 'Unable to create oAuthClient! User will need one made to access website']);
    }

    return $oAuthClient;
}

So now the new oAuthClient ID will be sent back to the mobile app, and then INSIDE your mobile application you can create the 'client_secret' which needs to be sent off to get the oauth token, and you can use the client_id sent back from the API as the 'client_id' in your oauth/token post request as well. Then you will send off your second post request to retrieve the actual oauth token for the user.

I felt this was best because then I am not required to store any sensitive user information on the application, and even though I am sending back the client id, unless some nefarious party knows what you are going to be using for the 'client_secret' as well, they can't gain access to your oauth client to retrieve a token, and they won't know your user either so they can't determine your oauth client from your user. I also liked this solution because I am still verifying the user exists, & the pw is correct before doing the second verification of the oauth_client information.

Disclaimer: this is my first attempt at using Passport or really doing any sort of authentication, so it's certainly possible there are issues with this. If you see any, please comment or post to let me know! I want to make sure this is as good as possible, so I will greatly appreciate it!
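The two-request flow described in the question's numbered list and in the answer above, as an added Python example that is not part of either post: it re-implements the posted PHP derivation base64_encode(hash_hmac('sha256', $password, 'secret', true)) on both the API side and the mobile side, and builds the body the app would POST to oauth/token for the password grant. The client id, email and password are constructed values, and the dict returned by register_on_api() stands in for the oauth_clients row.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the question/answer code; nothing here is from the posts themselves.
HMAC_KEY = b"secret"  # the fixed key hard-coded in the posted PHP


def derive_client_secret(password: str, key: bytes = HMAC_KEY) -> str:
    """Same bytes as the PHP: base64 of HMAC-SHA256(key='secret', msg=password)."""
    digest = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def register_on_api(client_id: int, email: str, password: str) -> dict:
    """What /mobile_register persists for the new user: an oauth_clients row (in-memory stand-in).
    client_id stands in for the auto-increment id the answer returns to the app."""
    return {
        "id": client_id,
        "name": email,
        "secret": derive_client_secret(password),
        "password_client": 1,
        "revoked": 0,
    }


def build_token_request(client_id: int, username: str, password: str) -> dict:
    """Form body the mobile app POSTs to oauth/token; client_secret is computed locally on the app."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": derive_client_secret(password),
        "username": username,
        "password": password,
        "scope": "",
    }


def api_accepts_client(stored_row: dict, token_request: dict) -> bool:
    """Server-side client check: id must match, row not revoked, secrets compared in constant time."""
    if stored_row["revoked"] or stored_row["id"] != token_request["client_id"]:
        return False
    return hmac.compare_digest(stored_row["secret"], token_request["client_secret"])
```

Because client_secret is a deterministic function of the password and the hard-coded key, the second request proves nothing beyond the password itself, and a password change invalidates the stored client row.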
