OAuth2 for mobile apps with simplest client-server architecture?
Question
We have a classical C-S (client-server) architecture, i.e. a mobile app and a business server. We have our own account system (not using 3rd party accounts such as Google/Facebook accounts). I know I should use OAuth2 for authentication. The problem is, how shall I implement that?
There are two things that I did not find on the Internet:
- We are using our own account system - no Google/Facebook account.
- The user should input his password in the native app UI, not in a browser webpage embedded in the app.
Questions:
- I think we can use the "resource owner password grant" mode. The user inputs the password in the native UI, then we gather it and send an HTTPS request to the server, etc. But I have seen people saying it is unsafe... So should I use it?
- If we should use the "authorization code" mode, how shall I let the user input his password within the native UI?
Thanks a lot!
p.s. If we did not have our own account system and simply relied on Google/Facebook accounts, then everything would be simple. We could just use any blog or article or answer on the Internet. However, we need our own account system.
Recommended answer
The resource owner flow is considered unsafe when used with 3rd party authentication, for example when your mobile app is trying to access a file in the user's Dropbox or an email in Gmail. If you own all the parts of the system (account system, resources and the app), you should be safe with the resource owner password flow.
It is a much simpler flow, however it has some drawbacks. For example, you won't be able to federate with other 3rd party or enterprise systems, and you can't benefit from single sign-on. If neither of those apply to you, go ahead and use the resource owner password flow.
You can find a good treatment of the subject here: https://auth0.com/blog/oauth-2-best-practices-for-native-apps/
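To make the recommended resource owner password flow concrete, here is an added sketch of what the server's `/token` endpoint does when it owns the account system; this is example code, not from the question, the answer or the linked Auth0 post. The app posts `grant_type=password` with the credentials typed into the native UI over HTTPS, the server checks them against a salted hash and hands back a short-lived bearer access token plus a one-use refresh token, so the password itself is sent once and never stored on the device. The user store, token stores and lifetimes are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the server keeps only salt + hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account store for this example: username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}
_DUMMY = (_SALT, hash_password(secrets.token_hex(8), _SALT))  # used for unknown usernames

ACCESS_TTL = 900                   # bearer token lifetime in seconds (constructed value)
ACCESS_TOKENS: dict = {}           # access token -> (username, expires_at)
REFRESH_TOKENS: dict = {}          # refresh token -> username, revocable server-side

def issue_tokens(user: str, now: float) -> dict:
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = (user, now + ACCESS_TTL)
    REFRESH_TOKENS[refresh] = user
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}

def token_endpoint(form: dict, now: Optional[float] = None) -> Tuple[int, dict]:
    """POST /token handler. `form` is the parsed form body the app sends over HTTPS:
    grant_type=password with the native-UI credentials (RFC 6749 section 4.3), or
    grant_type=refresh_token once the short-lived access token has expired."""
    now = time.time() if now is None else now
    grant = form.get("grant_type")
    if grant == "password":
        username = form.get("username", "")
        salt, stored = USERS.get(username, _DUMMY)
        # Always hash and compare in constant time, so timing does not reveal whether the user exists.
        ok = hmac.compare_digest(hash_password(form.get("password", ""), salt), stored)
        if not ok or username not in USERS:
            return 400, {"error": "invalid_grant"}
        return 200, issue_tokens(username, now)
    if grant == "refresh_token":
        user = REFRESH_TOKENS.pop(form.get("refresh_token", ""), None)  # rotate: single use
        if user is None:
            return 400, {"error": "invalid_grant"}
        return 200, issue_tokens(user, now)
    return 400, {"error": "unsupported_grant_type"}

def user_for_bearer(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resource-server check of `Authorization: Bearer <token>`; None if unknown or expired."""
    now = time.time() if now is None else now
    user, expires_at = ACCESS_TOKENS.get(token, (None, 0.0))
    return user if user and now < expires_at else None
```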