Laravel Passport Password Grant Tokens: own mobile app


Question

So my mobile app would be the client; I generated a client_id and a client_secret for it.

Users who use the mobile app have to log in using their username/password.

Where should I store the client_id and client_secret? Is it OK to expose them and simply place them hardcoded in the app?

Answer

Hardcoding them and just placing them in an app is definitely not the secure way.

Actually it's not that straightforward. I assume you created the client from artisan or from the pre-built Vue components. In either case there is more that you have to do in order to safely consume the OAuth2 API without exposing any potential security vulnerabilities in your app.

Assuming your mobile users would register from the mobile, you would need to create the user and the OAuth2 client from your mobile API that you will expose for your clients (mobile apps) to consume. For this you have to do the following:

1. After installing Laravel Passport, run the following artisan command:

    php artisan migrate

This will create the necessary tables to store OAuth clients, their tokens and other related important information at the DB level. After this you would need to change the client_id data type to VARCHAR(255) so as to store the username as the client_id instead of storing numeric client_ids.

2. Now go to your models and create a model for the oauth_clients table so that you can create the client programmatically from the code while creating users.

    <?php

    namespace App;

    use Illuminate\Database\Eloquent\Model;

    // Eloquent model over Passport's oauth_clients table, so clients can be
    // created from code at registration time.
    class oAuthClient extends Model
    {
        protected $table = 'oauth_clients';

        // The primary key holds the user's e-mail (VARCHAR, see step 1), not an
        // auto-increment integer, so stop Eloquent from overwriting it with the
        // last insert id after save().
        public $incrementing = false;
    }

This will create a model class for you through which you can store OAuth clients in the DB while registering them in your app.

    Route::post('/register-user', function () {
        $email    = \Illuminate\Support\Facades\Input::get('email');
        $password = \Illuminate\Support\Facades\Input::get('password');

        // Create the application user; the password is stored bcrypt-hashed.
        $user = new \App\User(array(
            'name'     => \Illuminate\Support\Facades\Input::get('name'),
            'email'    => $email,
            'password' => bcrypt($password),
        ));
        $user->save();

        // Create a per-user password-grant client whose id is the e-mail
        // (requires the VARCHAR client_id change from step 1).
        $oauth_client = new \App\oAuthClient();
        $oauth_client->user_id = $user->id;
        $oauth_client->id      = $email;
        $oauth_client->name    = $user->name;
        // Client secret derived from the password with a keyed hash; the mobile
        // app must derive the same value to send as client_secret.
        $oauth_client->secret  = base64_encode(hash_hmac('sha256', $password, 'secret', true));
        $oauth_client->password_client        = 1;
        $oauth_client->personal_access_client = 0;
        $oauth_client->redirect = '';
        $oauth_client->revoked  = 0;
        $oauth_client->save();

        return [
            'message' => 'user successfully created.'
        ];
    });

This will generate an entry in the user table and the oauth_clients table which will be used by Laravel Passport to generate the respective access_tokens for the user. In the above code snippet you have to note that to generate the oauth_client secret you have to use some strong formula of encryption that you feel comfortable using with your application. Also use the same technique to generate the secret key on your mobile app for the respective client/user.

4. Now you can use the standard POST API offered by Laravel Passport to request an access token through the password grant using "oauth/token" with the following parameters:

    grant_type    : 'password'
    client_id     : '<email with which the user is registered>'
    client_secret : '<generate the client secret from the mobile app>'
    username      : '<email with which the user is registered>'
    password      : '<password entered by the user>'
    scope         : '<leave empty as default>'

5. The above will give you a response, if everything is correct, similar to:

    {
      "token_type": "Bearer",
      "expires_in": 3155673600,
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjMwZmM0MDk1NWY5YjUwNDViOTUzNDlmZjc2M2ExNDUxOTAxZjc5YTA5YjE4OWM1MjEzOTJlZmNiMDgwOWQzMzQwM2ExZWI4ZmMyODQ1MTE3In0.eyJhdWQiOiJzaHVqYWhtQGdtYWlsLmNvbSIsImp0aSI6IjMwZmM0MDk1NWY5YjUwNDViOTUzNDlmZjc2M2ExNDUxOTAxZjc5YTA5YjE4OWM1MjEzOTJlZmNiMDgwOWQzMzQwM2ExZWI4ZmMyODQ1MTE3IiwiaWF0IjoxNDc4MTQ1NjMyLCJuYmYiOjE0NzgxNDU2MzIsImV4cCI6NDYzMzgxOTIzMiwic3ViIjoiMSIsInNjb3BlcyI6W119.dj3g9b2AdPCK-im5uab-01SP71S7AR96R0FQTKKoaZV7M5ID1pSXDlmZw96o5Bd_Xsy0nUqFsPNRQsLvYaOuHZsP8v9mOVirBXLIBvPcBc6lDRdNXvRidNqeh4JHhJu9a5VzNlJPm3joBYSco4wYzNHs2BPSxXuuD3o63nKRHhuUHB-HwjVxj2GDwzEYXdZmf2ZXOGRJ99DlWGDvWx8xQgMQtd1E9Xk_Rs6Iu8tycjBpKBaC24AKxMI6T8DpelnFmUbMcz-pRsgCWCF_hxv6FpXav3jr1CLhhT58_udBvXjQAXEbtHeB7W_oaMcaqezHdAeOWDcnqREZHsnXHtKt0JpymcTWBkS2cg7sJzy6P9mOGgQ8B4gb8wt44_kHTeWnokk4yPFRZojkHLVZb8YL6hZxLlzgV1jCHUxXoHNe1VKlHArdlV8LAts9pqARZkyBRfwQ8oiTL-2m16FQ_qGg-9vI0Suv7d6_W126afI3LxqDBi8AyqpQzZX1FWmuJLV0QiNM0nzTyokzz7w1ilJP2PxIeUzMRlVaJyA395zq2HjbFEenCkd7bAmTGrgEkyWM6XEq1P7qIC_Ne_pLNAV6DLXUpg9bUWEHhHPXIDYKHS-c3N9fPDt8UVvGI8n0rPMieTN92NsYZ_6OqLNpcm6TrhMNZ9eg5EC0IPySrrv62jE",
      "refresh_token": "<refresh token elided>"
    }

You can use these tokens safely from your client apps (mobile apps). Hope it helps!
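An added example, not part of the original answer: the access_token in the response above is an RS256 JWT, and its expires_in of 3155673600 seconds is about 100 years. This Python script decodes the claims of a constructed token of the same shape (no signature verification, which would need the server's oauth-public.key) and flags the lifetime and the aud/client_id binding; a server operator would tighten lifetimes with Passport::tokensExpireIn() in AuthServiceProvider::boot(). The claim values, client_id and placeholder signature are constructed.

```python
import base64
import json

# Constructed sample claims mirroring a Passport RS256 access token:
# aud = client_id (here the registered e-mail), sub = user id, iat/nbf/exp.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "jti": "constructed-jti"}
SAMPLE_CLAIMS = {
    "aud": "user@example.com",  # constructed client_id
    "jti": "constructed-jti",
    "iat": 1478145632,
    "nbf": 1478145632,
    "exp": 1478145632 + 3155673600,  # expires_in from the response above
    "sub": "1",
    "scopes": [],
}
SECONDS_PER_YEAR = 31557600  # 365.25 days


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token() -> str:
    """Assemble header.claims.signature; the signature is a placeholder."""
    header = b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode())
    claims = b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode())
    return f"{header}.{claims}.placeholder-signature"


def decode_claims(token: str) -> tuple:
    """Split a JWT and decode header and claims WITHOUT verifying the signature."""
    header_seg, claims_seg, _signature = token.split(".")
    return json.loads(b64url_decode(header_seg)), json.loads(b64url_decode(claims_seg))


def assess_token(token: str, expected_client_id: str, max_lifetime: int = 3600) -> dict:
    """Report alg, lifetime, and whether aud matches the client that requested it."""
    header, claims = decode_claims(token)
    lifetime = claims["exp"] - claims["iat"]
    return {
        "alg": header.get("alg"),
        "lifetime_years": round(lifetime / SECONDS_PER_YEAR, 1),
        "lifetime_ok": lifetime <= max_lifetime,
        "aud_matches_client": claims.get("aud") == expected_client_id,
    }


if __name__ == "__main__":
    print(json.dumps(assess_token(build_sample_token(), "user@example.com"), indent=2))
```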
