OAuth 2.0.没有会话?(无国籍) [英] OAuth 2.0. No session? (stateless)
问题描述
我将用它实现 OAuth 2.0 和 REST API
为每个用户授予不同的权限并进行良好的扩展.
to grant different permissions per users and also to scale well.
为了很好地扩展,无状态更容易,因为有
To scale well, stateless is easier because there is
没有文件、数据库、基于内存的会话.
NO file, database, in-memory based session with it.
以下是我对 OAuth 2 的理解.
Below is how I understand OAuth 2.
- OAuth 服务器向用户提供访问令牌.
- 用户的访问令牌存储在 cookie 中.
- 当用户访问 REST API 时,用户发送访问令牌.
- 服务器接收带有访问令牌的请求.
- 服务器查明访问令牌是否有效以及用户是否有权进行请求.
- 根据用户的权限执行或拒绝.
<小时>
所以我不必担心会话存储.对吗?
So I do not have to worry about session storage. Right?
推荐答案
你在这里描述的是 OAuth 2 隐式授权流程.OAuth 2 还包括其他三个流程,但您的资源所有者(用户)似乎正在使用浏览器端 Javascript 发起请求(您说的是 cookie),这是您应该采用的流程.
What you are describing here, is the OAuth 2 Implicit Grant flow. OAuth 2 also includes three other flows, but as it seems that your ressource owner (the user) is initiating requests using browser side Javascript (you were talking about cookies), this is the flow you should go for.
在客户端,OAuth 只要求您存储用于访问受保护资源的 access_token(以及 refresh_token 如果您要使用过期的 access_token.
On client side, OAuth only requires you to store the access_token for accessing protected ressources (and a refresh_token if you're going for an expiring access_token).
这篇关于OAuth 2.0.没有会话?(无国籍)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
