Expose Play Framework rest calls secured via securesocial to mobile app


Question

I would like to expose my Play Framework REST calls to clients other than my play app.

I would like a mobile app to call those secured rest calls.

I asked a question on SO earlier in the year and got an answer, but this only works for OAuth2 and I am only using OAuth1.

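My questions are:

  1. Is it a good idea to expose the REST calls on my Play Framework app that are secured by Securesocial to non-web clients such as mobile apps?
  2. Is there a way to do this using Securesocial for OAuth1?
  3. Are there any other examples besides the one in the link from my previous question?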

Recommended answer

Latest changes in master-SNAPSHOT include a LoginApi controller that lets you authenticate a user using an API. It supports the UsernamePasswordProvider and all the OAuth2Providers.

In the case of the UsernamePasswordProvider you can post the user credentials and if they’re ok you will get a json with a token that can be used in an X-Auth-Token header to invoke SecuredActions. For example:

curl --data "username=some@email.com&password=some_password" http://localhost:9000/auth/api/authenticate/userpass  

For OAuth2 based providers you have to post a JSON with an accessToken generated by the external service (that was obtained on the client side) along with the user email. The module will use the accessToken to verify if it works and will compare the email returned by the external service to the one passed in. If they match then the user is considered to be authenticated. This is very similar to what the guys at FortyTwo were doing and I thought it would be good to have the functionality built in (http://eng.42go.com/mobile-auth-with-play-and-securesocial/).

For example, having a file test.json with the accessToken and expiresIn values returned after authenticating with Facebook on the client side (e.g.: using Javascript):

{
"email": "some@email.com",
"info": {
    "accessToken": "an_access_token",
    "expiresIn": a_number_with_expiration_in_seconds
 }
} 

You can call:

curl -v --header "Content-Type: application/json" --request POST --data-binary "@test.json" http://localhost:9000/auth/api/authenticate/facebook

A sample json response for any of the calls above would be:

{"token":"98b9613dac60890b8e0abf5bc0f77591523df4e6de50b085c832116b8db2cc65511e0de6780f6a49f8755eddabbd46e6afada92160758fd6d4bbb25dc57e0f7b1e4b5b59fbbe543cf80ad1b6d91de7764e3ac1aaa0afac0c312a47bf27258f455606c6c19b1a3d40f8631ce98e6b76e128dddcb29511eb81200ffe9de95cba7a","expiresOn":"2014-05-07T07:43:10.987-03:00"}

You can then invoke a secured action as:

curl -v --header "Content-Type: application/json" -H "X-Auth-Token: 819a9cb9227d2c82af9c1ee2a62b9e7d35725e235e086ab95ecce0b509f3f7b389f430e217e341306ecaebfd1972ac083de73a32341a26f97150ae71fb0417f0031534d818356b2266ffc100e5ee6a50bd1f9ec76b0f68d2ff8ce4d196b4a86b61e002b29b00532ef166cb2eb8476d3ae008c112891628bc0f444c7512c01345" http://localhost:9000/my-protected-action
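
A client-side sketch of the token flow described in the answer above, added here as an example (it is not code from the answer or from SecureSocial): it builds the username/password request, validates the token/expiresOn reply, and attaches X-Auth-Token to a secured call. The function names, the HTTPS-except-localhost rule and the 30-second expiry skew are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumed dev-only exceptions

def _check_transport(url):
    """Credentials and tokens are bearer secrets: allow plain http only for local dev."""
    parts = urlsplit(url)
    if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
        raise ValueError("refusing to send credentials or token over " + parts.scheme)
    return url

def userpass_request(base_url, username, password):
    """Form POST matching the curl call to /auth/api/authenticate/userpass."""
    url = _check_transport(base_url.rstrip("/") + "/auth/api/authenticate/userpass")
    body = urlencode({"username": username, "password": password}).encode()
    return Request(url, data=body, method="POST")

def parse_token(response_body, now=None, skew=timedelta(seconds=30)):
    """Return (token, expires_on); reject malformed or already-expired replies."""
    doc = json.loads(response_body)
    token, expires_on = doc["token"], datetime.fromisoformat(doc["expiresOn"])
    if not isinstance(token, str) or not token:
        raise ValueError("missing token")
    if expires_on.tzinfo is None:
        raise ValueError("expiresOn has no UTC offset")
    now = now or datetime.now(timezone.utc)
    if expires_on - skew <= now:  # treat nearly-expired tokens as expired
        raise ValueError("token expired")
    return token, expires_on

def secured_request(url, token):
    """Request for a SecuredAction carrying the token in X-Auth-Token."""
    req = Request(_check_transport(url), method="GET")
    req.add_header("X-Auth-Token", token)
    return req

# Constructed sample reply in the shape shown above (token is not a real one).
SAMPLE = '{"token": "constructed-token-0001", "expiresOn": "2014-05-07T07:43:10.987-03:00"}'
```

Pass the returned Request objects to urllib.request.urlopen to send them; keep the token out of logs and re-authenticate when parse_token reports expiry.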
