What is the correct flow when using oAuth with the Resource Owners Password Credentials Grant


Question

I am looking to build a client to my RESTful hypermedia-based API and, after reviewing many options, am leaning towards oAuth to become the de facto method for authorizing access to the API.

I think I am understanding the overall oAuth concepts, i.e. depending on the client (trusted or not) the spec provides several flows in order to "trust" the client (application) from the perspective of the resource owner (user) granting access to the client.

Because the application I am building is directly part of the ecosystem of the service, it will fall under the umbrella of the trusted clients section, so I have decided to implement the Resource Owners Password Credentials Grant. But here is where my knowledge gets muddied with the terms and the exact role oAuth is there to provide, and my brain shuts off :)

I am thinking this is the flow (with some more technical thoughts):

  1. Via a login form the resource owner supplies their credentials
  2. The details are posted to a server (in this case an express.js app)
  3. The app, via some local mechanism, authenticates the user credentials against a store
  4. If the user doesn't exist or fails validation, they are returned to the login
  5. If the user does exist and does pass validation, the mechanism to swap their credentials for a token is started (contacting an oAuth server and swapping the details), which stores the encrypted/hashed info somewhere (redis maybe?)
  6. Once the token is returned it is stored in maybe a session for persistence to the client (I think trello.com do something similar as they have a token cookie, but I could be very wrong here)

Is this an acceptable flow? I can't seem to find any examples available and, as a sole developer currently, it would be good to get some feedback.

Answer

No need in the end to define my own flow; this is simply the Resource Owner Password Grant, where we exchange the credentials of the user for an oAuth token for trusted clients.
