OAuth2 服务器的范围值是什么? [英] What are scope values for an OAuth2 server?

问题描述

我很难理解范围的工作原理.

I'm facing a difficulty to understand how scopes work.

我在这里找到了一段描述stackexchange api 但我需要更多关于它们如何工作的信息(不是特别是这个......).有人能给我一个概念吗?

I found here a small text that describes the scopes of stackexchange api but i need more information on how they work (not specifically this one...). Can someone provide me a concept?

提前致谢

推荐答案

要授权应用程序，您需要调用 OAuth2 授权过程的 URL.此 URL 在 API 的提供程序文档中有效".例如谷歌有这个网址:

To authorize an app you need to call a URL for the OAuth2 authorization process. This URL is "living" in the API's provider documentation. For example Google has this url:

https://accounts.google.com/o/auth2/auth

此外，您还需要通过此链接指定一些查询参数:

Also you will need to specify a few query parameters with this link:

• cliend_id
• redirect_uri
• scope:您的应用程序请求访问的数据.这通常被指定为空格分隔的字符串列表，尽管 Facebook 使用逗号分隔的字符串.scope 的有效值应包含在 API 提供程序文档中.对于 Gougle Tasks，scope 是 https://www.googleapis.com/auth/tasks.如果应用程序还需要访问 Google 文档，它将指定 scope 值 https://www.googleapis.com/auth/tasks https://docs.google.com/feeds
• response_type:code，用于服务器端的web应用流程，表明用户访问后会返回一个授权code给应用批准授权请求.
• state:您的应用程序使用的唯一值，用于防止对您的实现进行跨站点请求伪造 (CSRF) 攻击.该值应该是此特定请求的随机唯一字符串，不可猜测并在客户端保密(可能在服务器端会话中)

• cliend_id
• redirect_uri
• scope: The data your application is requesting access to. This is typically specified as a list of space-delimited string, though Facebook uses comma-delimited strings. Valid values for the scope should be included in the API provider documentation. For Gougle Tasks, the scope is https://www.googleapis.com/auth/tasks. If an application also needed access to Google Docs, it would specify a scope value of https://www.googleapis.com/auth/tasks https://docs.google.com/feeds
• response_type: code for the server-side web application flow, indivating that an authorization code will be returned to the application after the user approves the authorization request.
• state: A unique value used by your application in order to prevent cross-site request forgery (CSRF) attacks on your implementation. The value should be a random unique string for this particular request, unguessable and kept secret in the client (perhaps in a server-side session)

// Generate random value for use as the 'state'.  Mitigates
// risk of CSRF attacks when this value is verified against the
// value returned from the OAuth provider with the authorization
// code.
$_SESSION['state'] = rand(0,999999999);

$authorizationUrlBase = 'https://accounts.google.com/o/oauth2/auth';
$redirectUriPath = '/oauth2callback.php';

// For example only.  A valid value for client_id needs to be obtained 
// for your environment from the Google APIs Console at 
// http://code.google.com/apis/console.
$queryParams = array(
  'client_id' => '240195362.apps.googleusercontent.com',
  'redirect_uri' => (isset($_SERVER['HTTPS'])?'https://':'http://') .
                   $_SERVER['HTTP_HOST'] . $redirectUriPath,
  'scope' => 'https://www.googleapis.com/auth/tasks',
  'response_type' => 'code',
  'state' => $_SESSION['state'],
  'approval_prompt' => 'force', // always request user consent
  'access_type' => 'offline' // obtain a refresh token
);

$goToUrl = $authorizationUrlBase . '?' . http_build_query($queryParams);

// Output a webpage directing users to the $goToUrl after 
// they click a "Let's Go" button
include 'access_request_template.php';

Google 授权服务器支持的 Web 服务器应用程序查询字符串参数集如下:

The set of query string parameters supported by the Google Authorization Server for web server applications are here:

https://developers.google.com/accounts/docs/OAuth2WebServer?hl=el#formingtheurl

这篇关于OAuth2 服务器的范围值是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！