现在不推荐使用密码授予的替代方法是什么?OAUTH 2.0 [英] what's the alternative to password grant now that it is deprecated? OAUTH 2.0
问题描述
- 我在 spring boot 中内置了一个 rest api.
- 反应中的前端应用程序.
我的用户应该能够登录并访问他们的信息,例如命令.现在为了让用户登录和注册,我认为最好使用 OAUTH.我开始研究 ouath 并发现授予密码是完美的案例.因为用户能够输入他们的凭据(用户名和密码),这些凭据(用户名和密码)进入 api 服务(也是授权服务器)并且可以进行身份验证和令牌将被传递,但后来我意识到它已被弃用,所以我想知道什么是最好的授权类型用于传递用户的用户名和密码以进行身份验证和授权.或者我遗漏了你们可以指出的一些非常简单的东西.
I have users who should be able to log in and access their information e.g. orders. now in order for users to log in and register I thought it would be a best idea to use OAUTH. I started my research into ouath and found grant password be the perfect case. since the user be able to type in the their credentials (username and password) which goes to api service (also authorisation server) and that can authenticate and token will be passed but then I realised it is deprecated so I want to know whats the best grant type to use where user's username and password is passed for authentication and authorisation. or maybe i am missing something very simple that you guys can point towards.
推荐答案
总结一下您的情况:您有自己的后端(某种类型的服务器,例如实现 REST API 的 Web 应用程序),用户应该能够在其中登录使用用户名和密码获取访问令牌,允许他们访问服务器上自己的资源,他们应该能够通过您自己的前端(某种类型的客户端,例如智能手机应用程序、桌面应用程序、单页应用程序等).Resource Owner Password Grant 完美地解决了您的问题,但现在它已被弃用 :(
To summarize your situation: You have your own backend (server of some kind, such as a web application implementing a REST API) where users should be able to login using a username and password to obtain an access token giving their access to their own resources on the server, and they should be able to do this through your own frontend (client of some kind, such as smartphone app, desktop app, single-page application, etc.). The Resource Owner Password Grant solved your problem perfectly fine, but now it got deprecated :(
注意
它在 OAuth 2.0 规范中说,OAuth 2.0 授权框架使第三方应用程序能够获得有限的访问权限[...].在这种情况下,您的前端并不是真正的第三方应用程序,而是第一方应用程序,因此您不应该真正使用 OAuth 2.0,但最好使用有据可查的东西,而不是发明自己的解决方案来处理授权,所以和你一样,我仍然会使用 OAuth 2.0.Note
It says in the OAuth 2.0 spec that The OAuth 2.0 authorization framework enables a third-party application to obtain limited access [...]. Your frontend is not really a third-party application in this case, but a first-party application, so you shouldn't really use OAuth 2.0, but it's better to use something well-documented instead of inventing your own solution to handle authorization, so just as you, I would still use OAuth 2.0.简单的解决方案(已弃用)
继续使用资源所有者密码授予.它完全符合您的要求,并且是为您的特定情况创建的(前端和后端来自同一公司").Simple solution (deprecated)
Continue using Resource Owner Password Grant. It does precisely what you want, and it was created for your specific case (frontend and backend come from the same "company").现在他们似乎已经决定 OAuth 2.1 不应该支持这样的第一方应用程序,但我想说它仍然可以用于您的情况.如果 Google 或其他大型 OAuth 2.0 提供商支持这种授权类型,情况会更糟,因为这样开发人员可能会创建自己的前端应用程序,并让用户通过将他们的 Google 用户名和密码直接输入前端应用程序来登录他们的前端应用程序,即向前端开发人员透露他们的 Google 凭据.我想他们弃用这种资助类型的原因是为了避免这种情况.
Now they seem to have decided that OAuth 2.1 should not support first-party applications like this, but I would say it's still fine to use it for your case. It would be much worse if Google or someone else big OAuth 2.0 provider would support this Grant Type, because then developers might create their own frontend applications and let users login in on their frontend application by entering their Google username and password directly into the frontend application, i.e. revealing their Google credentials to the frontend developer. I imagine the reason they deprecate this Grant Type is to avoid such situations.
更好的解决方案(已弃用)
使用隐式授予.在前端,当用户想要登录时,将用户重定向到后端(即在后端打开一个带有登录表单的网页,用户可以在其中输入用户名和密码),并在用户成功登录后端后,使用访问令牌将客户端重定向回前端.这样做的好处是用户只向后端应用程序透露她的密码,而不会向任何客户端应用程序透露.缺点是后端必须包含用于登录表单的网页,与纯 REST API 相比,实现起来更加复杂.如果你想正确地做到这一点,服务器应该有一个预先注册的客户端列表,其中包含 id 和机密,但如果你只有自己的前端,你需要支持我会说你可以跳过那个或者干脆硬编码一个客户端 id在后端应用程序中.Better solution (deprecated)
Use Implicit Grant. In the frontend, when the user wants to login, redirect the user to the backend (i.e. open a webpage on the backend with a login form where the user can enter username and password), and after the user has successfully logged in on the backend, redirect the client back to the frontend with the access token. The benefit here is that the user only reveals her password to the backend application, and never to any client application. The drawback is that the backend must contain a webpage for the login form, making it a bit more complicated to implement compared to a pure REST API. And if you want to do this properly, the server should have a list of pre-registered clients with ids and secrets, but if you only have your own frontend you need to support I would say you can skip that or simply hardcode a client id in the backend application.不幸的是,这种资助类型也已被弃用...
Unfortunately, this grant type has been deprecated as well...
正确的解决方案
使用授权代码授予(带有代码交换的证明密钥).这种方式与上面描述的隐式授权非常相似,但不是使用访问令牌将用户重定向回前端,而是使用授权码将用户重定向回前端.然后前端可以将此授权码发送到后端并取回访问令牌.Proper solution
Use Authorization Code Grant (with Proof Key for Code Exchange). This way is really similar to the Implicit Grant described above, but instead of redirecting the user back to the frontend with the Access Token, you redirect the user back to the frontend with an Authorization Code. The frontend can then send this Authorization Code to the backend and get back the Access Token.以上描述的内容或多或少只是授权代码授予.带有用于代码交换的证明密钥"几乎相同,但您也使用密钥"证明您是将用户重定向到后端的同一客户端,并将授权代码交易为访问令牌(带有代码交换证明密钥"部分基本上使其更安全).
What was described above was more or less only Authorization Code Grant. "with Proof Key for Code Exchange" is pretty much the same, but you also use a "key" to prove that you are the same client that redirects that user to the backend as and that trades the Authorization Code for an Access Token (the "with Proof Key for Code Exchange" part basically makes it more secure).
这里我当然只描述了总体思路,您需要查看规范以了解您应该发送的请求和响应的详细信息(请求的正文应该是什么,使用的状态代码是什么)等).
Here I've of course only described the overall idea, you need to look into the specifications to learn the details about the requests and responses you should send (what the body of the request should be, what status codes that are used, etc.).
这篇关于现在不推荐使用密码授予的替代方法是什么?OAUTH 2.0的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
