API and Application authentication using Devise, Doorkeeper and OAuth2 token


Problem description


I have both a Desktop application and a mobile application. I want to use the same Rails application for both "devices". In other words, I want the mobile application to request contents on the Desktop application.

I use Devise for authentication (email + password). I have implemented Doorkeeper on the Desktop app in order to generate an OAuth2 token for my mobile application.

Here are my questions:

I have before_filters set in my desktop application controllers in order to secure them.

  • I am not sure how the mobile application should share the OAuth2 token with Devise in order to be authenticated and access my protected controllers?

In fact, right now, it is Doorkeeper that should check the mobile token in my controllers with the doorkeeper_for :all code. But to do that I have to disable the Devise protection before_filter :authenticate_user!...

Should I save the OAuth token in Devise too?

Am I misunderstanding how mobile applications should authenticate with Devise and the OAuth2 protocol?

Thx

Solution

This is old, but doesn't have an answer yet.

Essentially, Devise and Doorkeeper are doing the same thing: Devise authenticates using sessions (or token auth if you have enabled that), while Doorkeeper authenticates with OAuth tokens sent in every request.

What you probably want to do is split your application into two access points, have a regular desktop access using Devise and an API that uses Doorkeeper. Enable Devise routes for only the regular desktop controllers and enable doorkeeper routes for only the api controllers.

In your API Application Controller, you can override current_user to be something like User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token. This will match the way Devise authenticates as well.

Alternatively, if your API doesn't have to use OAuth, you could use Devise's token_authenticatable config, which provides features similar to OAuth's Bearer Tokens.
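
The split described in the answer, as an added example that is not part of the original post: plain Ruby with constructed stand-ins for the session, the user table and the token table, so it runs without Rails, Devise or Doorkeeper. `doorkeeper_token`, `resource_owner_id` and `current_user` are the names used in the answer; `DesktopController`, `ApiController`, `issue_token` and `usable?` are hypothetical.

```ruby
require "securerandom"
# Constructed stand-ins: no Rails, Devise or Doorkeeper is loaded here.
User  = Struct.new(:id, :email)
Token = Struct.new(:value, :resource_owner_id, :expires_at, :revoked) do
  def usable?(now = Time.now)          # hypothetical helper, not a gem API
    !revoked && expires_at > now
  end
end

USERS  = { 1 => User.new(1, "alice@example.test") } # constructed sample user
TOKENS = {}                                          # token value => Token

def issue_token(user_id, ttl: 3600)
  token = Token.new(SecureRandom.hex(16), user_id, Time.now + ttl, false)
  TOKENS[token.value] = token
end

# Desktop access point: session only, as with before_filter :authenticate_user!
class DesktopController
  def initialize(session: {}, headers: {})
    @session = session                 # headers are deliberately ignored
  end
  def current_user
    USERS[@session[:user_id]]
  end
  def show
    current_user ? [200, current_user.email] : [302, "/users/sign_in"]
  end
end

# API access point: bearer token only; a browser session never authenticates.
class ApiController
  def initialize(headers: {}, session: {})
    @headers = headers                 # session is deliberately ignored
  end
  def doorkeeper_token
    value = @headers["Authorization"].to_s[/\ABearer (\S+)\z/, 1]
    token = TOKENS[value]
    token if token && token.usable?    # expired or revoked tokens count as absent
  end

  # The override from the answer: the user is the token's resource owner.
  def current_user
    USERS[doorkeeper_token.resource_owner_id] if doorkeeper_token
  end
  def show
    current_user ? [200, current_user.email] : [401, "invalid_token"]
  end
end
```

Keeping the two base controllers separate means a session cookie never authenticates an API call and a bearer token never authenticates a desktop page, so each access point has exactly one credential type to validate.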
