使用Oauth2,React,Node.js和Passport.js使用Google登录按钮对用户进行身份验证的最佳做法是什么? [英] What is the best practice to use Oauth2, React, Node.js and Passport.js to authenticate user with Google sign on button?
问题描述
我希望在我的网站上有一个登录按钮,以便当用户单击它时,该用户可以使用其Google凭据.我想理想地使用Express.js和Passport.js执行身份验证服务器端.
I want to have a login button in my website so when a user clicks on it, the user can use their Google credentials. I'd like to ideally perform the authentication server side using Express.js and Passport.js.
我在服务器端实现了身份验证,但问题是我无法从网站向服务器发出AJAX请求以开始身份验证,因为
I implemented authentication server-side but the problem is that I can't make an AJAX request from the website to the server to start authentication because Google or Oauth don't support CORS. So I need to use a href
element in my website which would call the server authentication endpoint. However, I can't catch server response in this way.
如果我执行身份验证客户端(我正在使用React),则可以将登录状态存储在Redux中,并允许用户访问网站的资源.但是,当用户注销时,我需要确保服务器端点停止为同一用户提供服务,这就像在两次实施身份验证:客户端和服务器端.
If I perform the authentication client-side (I'm using React) I could store login state in Redux and allow the user to access the website's resources. However, when the user logs out I need to make sure that server endpoints stop serving the same user which feels like implementing authentication twice: client-side and server-side.
此外,在对客户端进行身份验证时,Google会打开一个弹出窗口供用户进行身份验证,我认为这会带来更糟糕的用户体验,然后在对服务器端进行身份验证时会重定向.
In addition when authenticating client-side, Google opens a popup for the user to authenticate which I think is worse user experience then just a redirect when authenticating server-side.
我想知道使用Oauth2/Google进行身份验证的最佳做法是什么.例如,stackoverflow.com也具有Google按钮,但仅进行重定向,没有任何弹出窗口,因此我想他们想出了一种执行服务器端身份验证并绕过CORS问题的方法.
I'm wondering what the best practice in terms of authenticating using Oauth2/Google. For example, stackoverflow.com also has Google button but just makes a redirect, without any popup, so I guess they figured out a way to perform server-side authentication and to bypass CORS issue.
推荐答案
您的身份验证应在服务器端进行.这是它的工作原理.
Your authentication should be done server side. Here is how it works.
- 您对身份验证路由进行了
fetch
或axios
调用. - 您的身份验证路由会将请求发送到Google的身份验证服务器.在后端具有这一点很重要,因为您将需要提供您的
clientSecret
.如果您将其存储在前端,那么真的很容易让人发现该价值并损害您的网站. - Google对用户进行身份验证,然后将一组令牌发送给您的回调URL,以供该用户使用(刷新,身份验证等).然后,您可以将auth令牌用于其他任何授权,直到其过期为止.
- 一旦过期,您将使用刷新令牌为该客户端获取新的授权令牌.不过,这是一个完整的过程.
- You make a
fetch
oraxios
call to your authentication route. - Your authentication route sends a request to Google's Authentication servers. This is important to have on the backend because you will need to provide your
clientSecret
. If you were to store this on the frontend, it would make it really easy for someone to find that value and compromise your website. - Google authenticates the user and then sends you a set of tokens to your callback url to use for that user (refresh, auth, etc...). Then you would use the auth token for any additional authorization until it expires.
- Once that expires, you would use the refresh token to get a new authorization token for that client. That is a whole other process though.
以下是Passport.js的示例: https://github.com/jaredhanson/passport-google-oauth2
Here is an example of what that looks like with Passport.js: https://github.com/jaredhanson/passport-google-oauth2
编辑#1:
下面是一个示例,其中说明了与Facebook一起使用的流程,该流程与OAuth代码库相同: https://github.com/passport/express-4.x-facebook-example/blob/master/server.js
Here is an example with comments of the process in use with Facebook, which is the same OAuth codebase: https://github.com/passport/express-4.x-facebook-example/blob/master/server.js
这篇关于使用Oauth2,React,Node.js和Passport.js使用Google登录按钮对用户进行身份验证的最佳做法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!