问题描述
我正在编写一个 nodejs 应用程序,我想将它用作 Web 应用程序和 API 提供程序.一旦用户通过身份验证,我想为该用户分配一个令牌以用于后续请求.这适用于 Web 应用程序的通行证,因为我只是在会话中使用令牌序列化和反序列化用户.但是,在响应 API 请求时,没有设置 cookie 来存储会话信息.理想情况下,passport 会在会话和请求正文中查找令牌.有没有办法配置通行证来实现这一点?
I am writing a nodejs application that I would like to use as both a web application, as well as an API provider. Once a user is authenticated, I want to assign that user a token to be used for subsequent requests. This works great with passport for the web application, as I just serialize and deserialize the user with the token in the session. However, when responding to API requests, there is no cookie to set to store the session information. Ideally, passport would look for the token both in session and the request body. Is there any way to configure passport to accomplish this?
推荐答案
只需在每个请求上使用访问令牌.不需要使用会话.以下是工作流程:
Simply use the access token on every request. Using a session is NOT needed. The following is the workflow:
POST /signin
- 用户名和密码发布在客户端请求中.
- 服务器使用通行证的本地策略对用户进行身份验证.请参阅passport-local.
- 如果凭据代表有效用户,则服务器返回由某个生成器生成的访问令牌.node-jwt-simple 是不错的选择.
- 如果凭据无效,则重定向到
/signin
.
- The username and password are posted in the client request.
- The server authenticates the user by using passport's Local Strategy. See passport-local.
- If the credentials represent a valid user, the server returns the access token generated by some generator. node-jwt-simple is a good choice.
- If the credentials are invalid, redirect to
/signin
.
当客户端从授权服务器收到访问令牌时,它可以向服务器上的受保护资源发出请求.例如:
When the client receives the access token from the authorization server, it can then make requests to protected resources on the server. For example:
GET/api/v1/somefunction?token='abcedf'
- 客户端使用令牌参数调用一些服务器 API.
- 服务器使用通行证的承载策略来验证令牌.请参阅passport-http-bearer.
参考资料
确保安全带有passport.js 和express.js (node.js) 的oauth API
这篇关于nodejs 护照身份验证令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!