使用自己的 Web 应用程序 API - 使用 OAuth2 进行身份验证过程 [英] Consuming own API for web app - Authentication process with OAuth2
问题描述
概述
我目前正在为一个图像共享应用程序创建 API,该应用程序将在网络上运行,并在未来某个时间在移动设备上运行.我了解 API 构建的逻辑部分,但我仍在努力满足自己对身份验证部分的要求.
因此,我的 API 必须可供全世界访问:具有访客访问权限的人(例如,未登录的人可以上传)以及注册用户.因此,当注册用户上传时,我显然希望用户信息与请求一起发送,并通过数据库中的外键将该用户信息附加到上传的图像中.
通过 OAuth2 进行身份验证 - 实施
我知道 OAuth2 是 API 身份验证的最佳选择,因此我将实施此方法,但我真的很难弄清楚如何处理我的em> 情况.我想过使用 客户端凭据 授权并为我的 Web 应用程序生成仅一组凭据,然后让它使用其 客户端密码<向 API 发送请求/code> 获取访问令牌并让用户执行操作.用户注册过程本身将使用此授权进行处理.
但是当用户注册并登录时呢?我现在如何处理身份验证?这是否需要另一笔拨款来接管?我正在考虑在用户登录期间进行一些授权过程,以生成新的访问令牌.这种方法有错吗?
我需要什么帮助
我需要您提供有关如何正确处理我的案例的身份验证流程的意见.这种双向身份验证过程可能不是我需要的,但这是我理解的方式.非常感谢您的支持.
iandayman 的回答提供了很多很好的信息,但我认为更具体的回答可能会对您有所帮助.
因此,对于初学者来说,客户端凭据授权不适合您.如果我们查看 OAuth2 规范,客户端凭据授予是为了
<块引用>当授权范围为仅限于客户端控制下的受保护资源......当客户端代表自己行事时
这有两个原因不适合您.
首先,您的客户端控制下没有受保护的资源.您正在访问的所有资源要么不受保护(未登录人员上传),要么受最终用户控制.此外,您不能在浏览器中保留机密(例如客户端机密);您的应用程序的任何用户都可以使用浏览器的开发人员工具来查看和泄露机密.
其次,正如我所提到的,客户从不代表自己行事.它始终代表可能登录也可能未登录的用户.
您希望授予资源所有者密码凭据.
当用户未登录时(就像您在上传时提到的那样),您就没有授权.当用户登录时,您将他们的凭据发送到授权服务器.如果密码与用户名匹配,则授权服务器生成一个令牌并将该令牌到用户的映射持久化并返回该令牌.然后,每次您的客户端对登录用户发出另一个请求时,您都将该令牌放在 Authorization 标头中.在后端,您说如果授权标头中有令牌,请找出它对应的用户,并将它们与此上传相关联(或检查是否允许上传)".
用户注册如何运作?很简单,你发布一些像
这样的用户对象姓名:吉姆梁用户名:jimb密码:正确的马电池订书钉到您的用户创建端点(POST/users 或其他内容).您生成盐并散列密码,然后将用户信息与盐和散列一起存储在数据库中.此端点没有任何授权.
希望这更符合您的要求.
Overview
I am currently in the process of creating an API for an image sharing app that will run on the web and sometime in the future, on mobile. I understood the logical parts of API building, but I'm still struggling to meet my own requirements for the authentication part.
So, my API must be accessible to the world: those with guest access (non logged in people can upload, for example), and also to registered users. So when a registered user uploads, I obviously want the user information to be sent along with the request and to attach that user information to the uploaded image via foreign keys in my database.
Authentication via OAuth2 - Implementation
I have understood that OAuth2 is the way to go when it comes to API authentication, so I am going to implement this one, but I'm really struggling to wrap my head around on how to handle my situation. I thought of using the client credentials grant and generating only one set of credentials for my web app, and having it send requests to the API with its client secret to obtain the access token and let users do stuff. The user registration process itself would be handled with this grant.
But what about when the user is registered and logged in? How do I handle authentication now? Would this require another grant to take over? I was thinking of doing some authorization process during user signin, to generate a new access token. Is this approach wrong?
What I need help with
I need your input on how to handle the authentication flow correctly for my case. This two-way authentication process might not be what I need, but it is the way I've understood it. I would highly appreciate your support.
iandayman's answer has lots of good information, but I think a narrower more specific answer might help you.
So for starters, the client credentials grant is not for you. If we look at the OAuth2 spec, the client credentials grant is for
when the authorization scope is limited to the protected resources under the control of the client ... when the client is acting on its own behalf
This is not right for you for two reasons.
Firstly there are no protected resources under the control of your client. All resources you are accessing are either unprotected (non-logged in people uploading) or are under the control of an end user. Further, you cannot keep secrets (such as the client secret) in the browser; any user of your application could just use the developer tools of the browser to view and compromise the secret.
Secondly, as I mentioned, the client is never acting on it's own behalf. It's always acting on behalf of a user who may or may not be logged in.
You want the resource owner password credentials grant.
When a user is not logged in (like you mentioned for uploads) you just have no authorization. When a user logs in, you send their credentials to the authorization server. If the password matches the username, the authorization server makes a token and persists a mapping from that token to the user and returns the token. Then every time your client makes another request for a logged in user, you put that token in the Authorization header. On the back end you say "if there is a token in the authorization header, find out which user it corresponds to, and associate them with this upload (or check if they're allowed to upload at all)".
How does user registration work? Simple, you post some user object like
name: jim beam
username: jimb
password: correct horse battery staple
to your user creation endpoint (POST /users or something). You generate a salt and hash the password, and then store the user's information along with the salt and hash in the database. There is no authorization on this endpoint whatsoever.
Hopefully this is more what you are looking for.
这篇关于使用自己的 Web 应用程序 API - 使用 OAuth2 进行身份验证过程的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
