oAuth 2.0 - Acting on behalf of the user


Problem description

I'm new to oAuth2 and I'm trying to get a few things straight.

I understand the basic principles involved with oAuth2, but I am not sure how to implement it in my situation.

I am writing an app that acts on behalf of the user to automate a manual process and perform some tasks (update/request status, etc.). The API we are connecting to uses oAuth2 to grant our application permission. We plan on having the user grant our application permission when they create a new account with us.

I understand that the user will request an authentication code that is provided to our application. Then our application will use the authentication code to generate an access token.

We would like to do this only once. Then act as the user to send and receive notifications without having the user log into the service with their credentials.

I am not sure how to implement this without having to store the user credentials to get an auth code, since the auth code and auth tokens expire. I'm guessing that this is a common scenario.

What would I need to do to get what I want accomplished?

Recommended answer

You can get a new AccessToken using a RefreshToken, if this is provided by the Authorization Server.

If it's not provided I would contact the API provider; you should never store a user's credentials. In fact, if the OAuth protocol is well implemented, as a client you should never be able to even get the client credentials. When the user has to log in you should redirect the user to the Authorization Server; there the user should log in, and then the authorization token should be redirected to your application by the Authorization Server.

See also this explanation on Refresh Tokens from the OAuth 2.0 spec:

    Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token

Note

If you request a new AccessToken using your RefreshToken and the response includes a new RefreshToken, you should overwrite your currently saved RefreshToken. In other words, you should always use the latest RefreshToken you received.
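The refresh cycle the answer describes, as an added example that is not part of the original question or answer: a client that was authorized once at signup, keeps only tokens (never the user's password), refreshes the access token from the refresh token when it nears expiry, overwrites the stored refresh token whenever the server returns a new one, and treats a rejected refresh as "the user has to go back through the Authorization Server". The token endpoint here is a constructed in-memory stand-in for a real authorization server so the example runs offline; the request and response fields follow the refresh_token grant of RFC 6749 section 6, and the class names, `client_id` value and the rotating behaviour of the stand-in are assumptions for the example, not anything from the original thread or a specific provider.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class RefreshFailed(Exception):
    """The authorization server rejected the refresh; the user must re-authorize."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute time (seconds) at which the access token expires


class FakeAuthorizationServer:
    """Constructed stand-in for a token endpoint (RFC 6749 section 6), in memory only.
    It rotates refresh tokens: every refresh invalidates the presented token and
    returns a new one, which is why the client must overwrite its stored copy."""

    def __init__(self, access_ttl: int = 3600, clock: Callable[[], float] = time.time):
        self.access_ttl = access_ttl
        self.clock = clock
        self._valid_refresh_tokens: set = set()

    def _issue(self) -> Dict[str, object]:
        refresh = secrets.token_urlsafe(24)
        self._valid_refresh_tokens.add(refresh)
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh}

    def initial_grant(self) -> Dict[str, object]:
        """Stands in for the one-time authorization-code exchange done at signup."""
        return self._issue()

    def token_endpoint(self, form: Dict[str, str]) -> Dict[str, object]:
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if form.get("refresh_token") not in self._valid_refresh_tokens:
            return {"error": "invalid_grant"}  # revoked, already rotated, or unknown
        self._valid_refresh_tokens.discard(form["refresh_token"])  # rotation
        return self._issue()


class OnBehalfOfUserClient:
    """Keeps acting for a user long after their one login, using tokens only."""

    def __init__(self, token_endpoint: Callable[[Dict[str, str]], Dict[str, object]],
                 token_response: Dict[str, object], clock: Callable[[], float] = time.time,
                 client_id: str = "app-client-id"):  # assumed client id for the example
        self.token_endpoint = token_endpoint
        self.clock = clock
        self.client_id = client_id
        self.refresh_count = 0
        self.tokens = self._to_token_set(token_response, current=None)

    def _to_token_set(self, response: Dict[str, object], current: Optional[TokenSet]) -> TokenSet:
        # Overwrite the stored refresh token only when the server sends a new one;
        # otherwise keep the one already held (the server may choose not to rotate).
        kept = current.refresh_token if current else None
        return TokenSet(access_token=str(response["access_token"]),
                        refresh_token=response.get("refresh_token", kept),
                        expires_at=self.clock() + float(response["expires_in"]))

    def access_token_expired(self, skew_seconds: float = 30.0) -> bool:
        # Refresh a little early so an in-flight request does not carry an expired token.
        return self.clock() >= self.tokens.expires_at - skew_seconds

    def refresh(self) -> TokenSet:
        if not self.tokens.refresh_token:
            raise RefreshFailed("no refresh token issued; user must re-authorize")
        response = self.token_endpoint({"grant_type": "refresh_token",
                                        "refresh_token": self.tokens.refresh_token,
                                        "client_id": self.client_id})
        if "error" in response:
            # Do not retry with the same token and never fall back to stored passwords:
            # send the user through the Authorization Server again.
            raise RefreshFailed(str(response["error"]))
        self.tokens = self._to_token_set(response, current=self.tokens)
        self.refresh_count += 1
        return self.tokens

    def authorization_header(self) -> Dict[str, str]:
        """Header for a request made on the user's behalf, refreshing first if needed."""
        if self.access_token_expired():
            self.refresh()
        return {"Authorization": f"Bearer {self.tokens.access_token}"}


def demo_refresh_cycle() -> Dict[str, object]:
    """Runs the whole cycle against the stand-in server with a controllable clock."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    server = FakeAuthorizationServer(access_ttl=3600, clock=clock)
    client = OnBehalfOfUserClient(server.token_endpoint, server.initial_grant(), clock=clock)
    first_access, first_refresh = client.tokens.access_token, client.tokens.refresh_token
    client.authorization_header()            # still valid: no refresh happens
    now[0] += 3600                           # the access token has now expired
    header = client.authorization_header()   # triggers a refresh; server rotates
    stale = server.token_endpoint({"grant_type": "refresh_token", "refresh_token": first_refresh})
    return {"refreshed": client.refresh_count,
            "access_changed": client.tokens.access_token != first_access,
            "refresh_changed": client.tokens.refresh_token != first_refresh,
            "stale_refresh_rejected": stale.get("error") == "invalid_grant",
            "header": header}


if __name__ == "__main__":
    print(demo_refresh_cycle())
```

Two points worth noting in the design: the refresh token is the only long-lived secret the application holds, so it belongs in the same protected storage you would use for any credential, and a refresh that fails with `invalid_grant` is not something to retry in a loop; it is the signal that the user must be taken back through the Authorization Server.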
