Using Laravel Passport with mobile application


Question


I am making a mobile application with a Laravel API, and I saw that since Laravel 5.3(?) they added something called "Passport" which handles OAuth2/verification for an application, so I thought I would give that a try. I followed several different explanations for how to get it working after I completed the setup using the Laravel Passport documentation (https://laravel.com/docs/5.4/passport). Right now this is the code for what I've come up with based off other tutorials/SO articles.

1.) Controller for creating the user/oAuth2 client

use App\OAuthClient;
use App\User;
use Illuminate\Http\Request;

class OAuthController extends Controller
{
    public function registerUser(Request $request)
    {
        $email = $request->email;
        $password = $request->password;
        $name = $request->name;
        $user = User::create([
            'name' => $name,
            'email' => $email,
            'password' => bcrypt($password),
        ]);

        // One oauth_client per user; the oauth_clients primary key is the email (see 3.) below)
        $oAuthClient = new OAuthClient();
        $oAuthClient->user_id = $user->id;
        $oAuthClient->id = $user->email;
        $oAuthClient->name = $user->name;
        // Client secret derived from the password with a fixed HMAC key
        $oAuthClient->secret = base64_encode(hash_hmac('sha256', $password, 'secret', true));
        $oAuthClient->password_client = 1;
        $oAuthClient->redirect = '';
        $oAuthClient->personal_access_client = 0;
        $oAuthClient->revoked = 0;
        $oAuthClient->save();

        return response()->json(['message' => 'User successfully created']);
    }
}

2.) The model I made to reference the oauth_clients table

use Illuminate\Database\Eloquent\Model;

// Thin Eloquent model over Passport's own oauth_clients table
class OAuthClient extends Model
{
    protected $table = 'oauth_clients';
}

3.) I changed the oauth_clients table primary key from an incrementing integer to the user's email. I was basically just following this SO article: Laravel Passport Password Grant Tokens: own mobile app

4.) Once I have created the user/oauth_client, I retrieve the token through Postman with a POST request to oauth/token with parameters

The thing is, this feels really wrong to me. The oauth_clients table has a user_id column on it, so it really leads me to believe that, when attempting to get the oauth_client token, I should be able to do some post request where it will take the user and then get the associated oauth_client, right?

In my mind, what makes sense for how I should be able to use Passport for user authentication for my mobile app is as follows:

1.) Register new user

2.) When registering user, create oauth_client for that user

3.) On login, once user email/pw is verified, look for oauth_client and then retrieve the oauth_client token

4.) Use oauth_client token on any requests to the API going forward for the verified, authenticated user.

Is this the right way to think of it?? I'm sure it's apparent, but this process has me confused so any guidance will be greatly appreciated.

Solution

OK so, in case anyone is interested or has any future suggestions, here is what I did in the end to get this working.

I created a new route for mobile register,

    Route::post('/mobile_register', 'Auth\RegisterController@mobileRegister');

Then I basically just copied the actual register method but added a new function to create a new oauth_client based off of the successful user register information.

// Added to App\Http\Controllers\Auth\RegisterController; the file needs these imports at the top:
// use App\OAuthClient;
// use App\User;
// use Illuminate\Auth\Events\Registered;
// use Illuminate\Http\Request;

/**
 * Register a new user through the mobile application. Send back the oauth_client ID which will be used
 * to retrieve the oauth token
 *
 * @param Request $request
 * @return \Illuminate\Http\JsonResponse
 */
public function mobileRegister(Request $request)
{
    $this->validator($request->all())->validate();

    $password = $request->password;
    event(new Registered($user = $this->create($request->all())));

    $oAuthClient = $this->registerOAuthClient($user, $password);

    return response()->json(['message' => 'user created successfully', 'client_id' => $oAuthClient->id]);
}

/**
 * Create the associated oauth_client for this user.
 *
 * @param User $user
 * @param $password
 * @return \Illuminate\Http\JsonResponse|OAuthClient
 */
public function registerOAuthClient(User $user, $password)
{
    $oAuthClient = new OAuthClient();
    $oAuthClient->user_id = $user->id;
    $oAuthClient->name = $user->name;
    // The HMAC input is left as a placeholder: the mobile app must derive the same value locally
    $oAuthClient->secret = base64_encode(hash_hmac('sha256', {{whatever you want your secret to be based off of}}, 'secret', true));
    $oAuthClient->password_client = 1;
    $oAuthClient->redirect = '';
    $oAuthClient->personal_access_client = 0;
    $oAuthClient->revoked = 0;
    if (!$oAuthClient->save()) {
        return response()->json(['error' => 'Unable to create oAuthClient! User will need one made to access website']);
    }

    return $oAuthClient;
}

So now the new oAuthClient ID will be sent back to the mobile app, and then INSIDE your mobile application you can create the 'client_secret' which needs to be sent off to get the oauth token, and you can use the client_id sent back from the API as the 'client_id' in your oauth/token post request as well. Then you will send off your second post request to retrieve the actual oauth token for the user.

I felt this was best because then I am not required to store any sensitive user information on the application, and even though I am sending back the client id, unless some nefarious party knows what you are going to be using for the 'client_secret' as well, they can't gain access to your oauth client to retrieve a token, and they won't know your user either, so they can't determine your oauth client from your user. I also liked this solution because I am still verifying the user exists & the pw is correct before doing the second verification of the oauth_client information.

Disclaimer: this is my first attempt at using Passport or really doing any sort of authentication, so it's certainly possible there are issues with this. If you see any, please comment or post to let me know! I want to make sure this is as good as possible, so I will greatly appreciate it!
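As an added example (not code from the original question or answer), here is a Laravel 5.4 feature test that exercises the answer's flow end to end: register through /mobile_register, exchange the returned client_id plus a locally derived client_secret for a token at oauth/token with the password grant, call a protected route with the Bearer token, and confirm that a wrong client_secret is refused. It assumes Passport is installed with Passport::routes() registered and the api guard set to the passport driver, that the answer's OAuthClient model lives at App\OAuthClient, that the User model uses HasApiTokens, that the default /api/user route behind auth:api exists, and that the secret is derived from the user's password as in the question's first attempt (the answer leaves that basis as a placeholder). The class name, the sample credentials and the clientSecretFor helper are constructed for this example.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes Laravel 5.4 + Passport with Passport::routes() registered and the api guard
// using the 'passport' driver; the /mobile_register route and App\OAuthClient model
// come from the answer above.

namespace Tests\Feature;

use App\OAuthClient;
use Tests\TestCase;
use Illuminate\Foundation\Testing\DatabaseMigrations;

class MobilePasswordGrantTest extends TestCase
{
    use DatabaseMigrations;

    /**
     * Hypothetical helper: the same derivation the mobile app performs locally.
     * hash_hmac argument order is (algorithm, data, key), so 'secret' is the HMAC key.
     */
    private function clientSecretFor($password)
    {
        return base64_encode(hash_hmac('sha256', $password, 'secret', true));
    }

    public function testRegisterThenObtainAndUseToken()
    {
        // Constructed sample credentials
        $email = 'mobile@example.test';
        $password = 'correct horse battery staple';

        // Steps 1 + 2: register; the answer's controller creates the oauth_client and returns its id.
        $register = $this->post('/mobile_register', [
            'name'                  => 'Mobile User',
            'email'                 => $email,
            'password'              => $password,
            'password_confirmation' => $password,
        ]);
        $register->assertStatus(200);
        $clientId = json_decode($register->getContent(), true)['client_id'];

        // oauth/token only accepts the password grant from a client flagged password_client.
        $this->assertEquals(1, OAuthClient::find($clientId)->password_client);

        // Step 3: password grant. These are the form parameters Passport's token endpoint expects.
        $token = $this->post('/oauth/token', [
            'grant_type'    => 'password',
            'client_id'     => $clientId,
            'client_secret' => $this->clientSecretFor($password),
            'username'      => $email,
            'password'      => $password,
            'scope'         => '',
        ]);
        $token->assertStatus(200);
        $body = json_decode($token->getContent(), true);
        $this->assertEquals('Bearer', $body['token_type']);
        $this->assertArrayHasKey('access_token', $body);
        $this->assertArrayHasKey('refresh_token', $body);

        // Step 4: the access token authenticates later API calls through the auth:api guard.
        $me = $this->getJson('/api/user', ['Authorization' => 'Bearer '.$body['access_token']]);
        $me->assertStatus(200);
        $this->assertEquals($email, json_decode($me->getContent(), true)['email']);

        // Negative case: a client_secret derived from the wrong input must not yield a token.
        // Passport answers a client it cannot validate with invalid_client (HTTP 401).
        $bad = $this->post('/oauth/token', [
            'grant_type'    => 'password',
            'client_id'     => $clientId,
            'client_secret' => $this->clientSecretFor('not the password'),
            'username'      => $email,
            'password'      => $password,
            'scope'         => '',
        ]);
        $bad->assertStatus(401);
    }
}
```

Run it with phpunit from the application root. The negative case is the check worth keeping: Passport's token endpoint is the only place where the client_secret the answer derives on the device is actually compared, so the test pins that a mismatch yields 401 rather than a token. Note that the derivation is only as unpredictable as its input and the fixed HMAC key 'secret', both of which ship inside the mobile app.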
