How should I share authentication from a desktop application to a web application using OAuth 2.0


Question

I have a RESTful API written in ASP.Net that implements OAuth 2 for authentication, and it's currently accessed through a web application. I've also got a legacy desktop client that accesses the same resources directly (not through the RESTful API and without OAuth, but using the same login credentials and hitting the same database). The requirement I'm trying to meet right now is to allow a user to click a link in the desktop application in order to open the web app to a specific screen, and when they do, to have the web app authenticate automatically so that they don't have to manually log into it (since they've already logged into the desktop app).

I'm trying to work out how I can handle this within the constraints of the framework. I'm not too familiar with OAuth 2 in general, but from what I understand I shouldn't share tokens between clients, and there are no flows specifically for this kind of hand-off (unless I'm missing something). Worst case scenario, I could generate a temporary token outside of OAuth that's used by the web client to authenticate rather than a username and password, but I'm hoping to avoid stepping outside of what's already in the framework to do what I need to do.

So the question is this: is there some decent way built into the OAuth 2.0 framework to handle this sort of "handshake" between two applications, or should I just build my own method of dealing with it?

Recommended answer

Using temporary one-time tokens is actually part of the OAuth spec (the authorization_code grant type). In this case this short-lived code can be exchanged for an access_token (and refresh_token). You will have to implement generating and validating this authorization_code.

If you are using OWIN OAuth middleware:

  1. You can generate the code at a separate API endpoint accessed by your desktop client app.
  2. After receiving the token, pass it to your browser and direct it to the auth endpoint with grant_type=authorization_code over a secure connection. Example: call Process.Start("https://example.com/ExternalLogin/authorization_code_goes_here"). At the webpage, redirect the user to your OAuth Token endpoint with grant_type=authorization_code.
  3. AuthenticationTokenProvider.Receive will be called, in which you will validate your token. (Example code here).
  4. After successful validation OAuthAuthorizationServerProvider.GrantAuthorizationCode will be called, in which you will process the authenticated user in the same way you process it with grant_type=password.

Remember that your token validation logic should ensure that your tokens are short-lived, usable only once and transmitted over a secure connection.

This is sometimes called "single sign-on" if you want to research this topic further.
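An added example (not part of the answer above) of steps 1, 3 and 4 with OWIN's Katana middleware: a one-time, 60-second code store that the desktop-facing endpoint draws from, and the AuthenticationTokenProvider that redeems the code when the browser calls the token endpoint with grant_type=authorization_code. The names HandoffCodeStore, WebClientId, Issue, Redeem and CodeProvider are assumptions; the Microsoft.Owin.Security types are the real OWIN API.

```csharp
// Added example, not the answer's code. HandoffCodeStore and WebClientId are assumed names.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

public static class HandoffCodeStore
{
    const string WebClientId = "web-app";   // assumed client_id the browser presents at the token endpoint
    static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);
    // code -> (user name, expiry); in-memory only, so use a shared store on a web farm
    static readonly ConcurrentDictionary<string, Tuple<string, DateTimeOffset>> Codes =
        new ConcurrentDictionary<string, Tuple<string, DateTimeOffset>>();

    // Step 1: the separate API endpoint the already logged-in desktop client calls returns this code.
    public static string Issue(string userName)
    {
        var bytes = new byte[32];                                   // 256 random bits, unguessable
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var code = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Codes[code] = Tuple.Create(userName, DateTimeOffset.UtcNow.Add(Lifetime));
        return code;
    }

    // TryRemove makes redemption atomic: a replayed code finds nothing, and an expired one is discarded.
    public static string Redeem(string code)
    {
        Tuple<string, DateTimeOffset> entry;
        if (string.IsNullOrEmpty(code) || !Codes.TryRemove(code, out entry)) return null;
        return entry.Item2 > DateTimeOffset.UtcNow ? entry.Item1 : null;
    }

    // Step 3: assign this to OAuthAuthorizationServerOptions.AuthorizationCodeProvider.
    public static AuthenticationTokenProvider CodeProvider() => new AuthenticationTokenProvider
    {
        OnReceive = ctx =>
        {
            var user = Redeem(ctx.Token);
            if (user == null) return;                               // no ticket => middleware answers invalid_grant
            var props = new AuthenticationProperties { ExpiresUtc = DateTimeOffset.UtcNow.Add(Lifetime) };
            props.Dictionary["client_id"] = WebClientId;            // middleware compares this with the request's client_id
            var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, OAuthDefaults.AuthenticationType);
            ctx.SetTicket(new AuthenticationTicket(identity, props));  // step 4: GrantAuthorizationCode then sees ctx.Ticket
        }
    };
}
```

The token request still has to pass OAuthAuthorizationServerProvider.ValidateClientAuthentication with the same client_id (call Validated(clientId) there), and AllowInsecureHttp should stay false so the code only ever travels over HTTPS, as step 2 requires. The default GrantAuthorizationCode validates any ticket whose identity is authenticated, so the password-grant handling can be reused there unchanged.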
