OAuth 2.0 for desktop and mobile applications


Question

I'm doing research on the OAuth 2.0 protocol.

I got stuck on the problem of generating bearer tokens for desktop/mobile applications that don't run on a web server.

The OAuth 2.0 protocol flow is clear to me for web applications. Suppose myapp.com wants to access protectedresource.com on behalf of user Alice; then Alice gets redirected to https://protectedresource.com/oauth?redirect_uri=https://myapp.com/oauth&[...] so the resource manager, after obtaining consent, redirects Alice's browser to a page that will collect the authorization code and use it to obtain the bearer token.

This works fine and is secure because protectedresource.com recognizes the myapp.com domain and releases the bearer token only to requests coming from myapp.com.

If I'm running a desktop application, even with the support of a browser (i.e. embedding an HTML viewer in a Windows Form or something like that), where am I supposed to redirect Alice after consent?

Who collects the authorization code? How does the control flow change?

Does anybody have examples of OAuth 2.0 implementations running on desktop or Android?

Answer

The OAuth wiki lists numerous options you can use, all of which have downsides. The simplest involves you running a web app that can display the token to the user, and then the user copies the token (and maybe the refresh token) into your desktop app.

If you have plenty of time then you could investigate registering a custom URI with the desktop operating system, and then use that as the redirect_uri to automatically transfer back to your app from the browser. This has the best user experience.

A malicious app can easily pretend to be your desktop app in these scenarios, and security relies on your users not installing malicious apps.
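The custom-URI option from the answer, as an added example (not code from the question, the answer, or any real client library): the desktop app builds the authorization URL, hands it to the system browser, and later receives the redirect back from the OS on its registered scheme. It goes one step beyond the answer by adding a PKCE code_verifier/code_challenge pair (RFC 7636), which is the standard countermeasure for exactly the impersonation problem the answer raises: a rogue app that registers the same URI scheme can intercept the authorization code, but it cannot redeem it without the verifier that only the legitimate app holds. The endpoint URLs, the client_id `myapp-desktop`, the scheme `com.example.myapp://oauth/callback`, and the authorization code in the demo are all hypothetical; the HTTP POST to the token endpoint is left to whatever HTTP client the app uses.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values; a real app uses those issued when it registered with protectedresource.com.
AUTH_ENDPOINT = "https://protectedresource.com/oauth"
TOKEN_ENDPOINT = "https://protectedresource.com/oauth/token"
CLIENT_ID = "myapp-desktop"
REDIRECT_URI = "com.example.myapp://oauth/callback"  # custom scheme registered with the OS


def code_challenge(verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(scope):
    """Return (URL to open in the system browser, state, code_verifier).

    The app keeps state and code_verifier in memory until the OS delivers the redirect;
    neither value ever leaves the machine except the derived code_challenge.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, inside RFC 7636's 43..128 range
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, verifier


def extract_authorization_code(received_uri, expected_state):
    """Validate the URI the OS handed to the app and return the authorization code.

    Raises ValueError when the URI is not ours or the state does not match the
    request this app issued, which is how a replayed or injected redirect is rejected.
    """
    parsed = urlparse(received_uri)
    expected = urlparse(REDIRECT_URI)
    if (parsed.scheme, parsed.netloc, parsed.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("redirect arrived on an unexpected URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise RuntimeError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: redirect was not triggered by this app's request")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect did not carry exactly one authorization code")
    return codes[0]


def build_token_request(code, verifier):
    """Form fields for the POST to TOKEN_ENDPOINT; sending them is the HTTP client's job."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,  # ties the exchange to the app that built the request
    }


if __name__ == "__main__":
    url, state, verifier = build_authorization_request("read")
    print("open in browser:", url)
    # Constructed stand-in for the URI the OS would deliver after Alice consents.
    incoming = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = extract_authorization_code(incoming, state)
    print("token request fields:", build_token_request(code, verifier))
```

The state check protects against a redirect that this app never asked for; the code_verifier is what the answer's "malicious app pretending to be your desktop app" cannot supply, so the authorization server refuses to hand it a token even if it saw the code first.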
