本文介绍了将 OAuth 用于使用我自己的 API 的移动设备和网站的正确方法是什么?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个与 OAuth 2 的工作方式更相关的问题,但由于使用 IdentityServer 来实现 OAuth,我认为这是相关的.我在任何地方都找不到答案.

I have a question more related to the way OAuth 2 is working but since using IdentityServer to implement OAuth I think it's relevant. I could not find an answer anywhere.

我正在构建一个网站和一个使用我自己的 API 的移动应用程序.我的应用程序的每个用户都有一个用户名和密码,这将使他能够访问应用程序/网站,并通过 API 访问他的信息.

I'm building a website and a mobile app that consumes my own API. Each user of my app will have a username and password, that will give him access to the app/website and though the API to his information.

我不确定处理用户登录流程的正确方法:

I'm not sure about the right way to handle the flow for user login:

  1. 在网站上,我有自己设计的登录表单.我不想将用户移动到我的身份验证服务器进行登录,然后让他批准他提供的信息 - 他是我系统上的用户 - 我可以访问所有信息 - 像 facebook 这样的 Kida 可以登录并访问信息——他们不会问你愿意给他们什么.那么隐式真的是这样吗?
  2. 在移动应用程序上,我还有一个登录表单,现在我在这里阅读(https://datatracker.ietf.org/doc/html/draft-ietf-oauth-native-apps-10) OAuth 方法是在 WebView 中登录??facebook 登录看起来不像是在他们移动应用上的 WebView 中.
  3. 我首先考虑的方法是资源所有者.用户将登录,获取令牌和刷新令牌,并可以开始使用我的 API.但是将我的 client_id 和 secret 存储在移动应用程序上?在网站上的 javascript 文件?感觉不对.我当然可以调用一个 API 来屏蔽这些 API 并成为登录过程的代理……但是……(阅读 #4).
  4. 将来我希望允许第三方开发者访问.为了让他们允许我的系统用户登录,我将使用隐式流程.此外,我计划让那些开发者帐户具有受限的 API 访问权限(例如,对 API 的调用次数将受到计划的限制).是什么阻止这些开发人员在他们的网站上要求我系统上的帐户的用户名和密码,使用访问令牌和刷新令牌从我的服务器获取响应,并以他们想要的方式使用我的 API,不受限制,并有权访问整个用户资料?
  5. 假设我坚持资源所有者流程,从服务器接收一个令牌和一个刷新令牌.我应该在移动设备上存储什么以及如何存储?应该在浏览器中存储什么以及如何存储?刷新令牌?每次他打开应用程序时都会获得一个带有刷新令牌的新的更新令牌?
  1. On the website I have my own designed login form. I don't want to move the user to my auth server to login, and then have him approve the information he gives - he is the user on my system - I have access to all information - kida like facebook has a login and access to the informatio - they don't ask what you're willing to give them. So is implicit really the way for this?
  2. On the mobile app I also have a login form and now I read here (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-native-apps-10) that the OAuth approach is to have the login in a WebView?? Doesn't look like facebook login is in a WebView on their mobile app.
  3. The approach I was first lookin at is the Resource Owner. Users will login, get the token and the refresh token and can start working against my APIs. But storing my client_id and secret on the mobile app? on the website javascript files? doesn't feel right. I can of course make a call to an API that will mask those and be a proxy to the login process... but... (read #4).
  4. In the future I would like to allow access for third-party developers. For them to allow login for users of my system I will use the implicit flow. Also, I plan for those developer accounts to have restricted API access (for example, the number of calls to the API will be limited by plan). What prevents those developers from asking for the username and password of their account on my system on their website, getting the response from my servers with the access token and refresh token, and using my API however they want, without restrictions, and having access to the entire user profile?
  5. Lets say I'm sticking to the resource owner flow, receiving back from the server a token and a refresh token. What should I store on the mobile device and how? What should be stored in the browser and how? the refresh token? and each time he opens the app get a new updated token with that refresh token?

编辑

澄清一下,因为我发现很多讲座和文章从 API 消费者(即第三方开发者)的角度解释了这个过程:我是 API 所有者和身份验证服务器所有者,我'm 用户帐户的所有者(他们是我的服务的用户),我也是我自己的消费者(尽管是网站和移动应用程序),并且将来我希望让第三方开发者能够允许我的用户使用他们的帐户登录我的服务(有点像 Facebook 或 Google)

Just to clarify, because I find a lot of lectures and articles that explain the process from an API consumer point of view (ie. the third-party developer): I am the API owner and the auth server owner, I'm the owner of the user accounts (they are my users of my services), I'm also my own consumer (though the website and the mobile app), and in the future I want to enable third-party developers to allow my users to login with their accounts of my service (kinda like Facebook or Google)

推荐答案

您不应该将 client_secret 存储在您的应用程序中是正确的,但我怀疑您是否会绕过存储 client_id.您也可以禁用应用程序的同意屏幕,并构建本机登录视图.如果您不希望用户每次使用您的应用程序时都登录,您需要将 access_tokenrefresh_token 存储在设备上(可能在数据库中加密).

You're correct that you shouldn't store the client_secret in your app, but I doubt you will get around storing the client_id. You could disable the consent screen for your app as well, and build a native login view. You need to store the access_token and the refresh_token on the device (maybe encrypted in a database) if you don't want the user to login everytime they use your app.

对于问题 4,您可以执行以下操作:

As for problem 4, you could do the following:

  1. 在您的(网络)应用中嵌入 client_secret
  2. 在 IdentityServer 上设置哪些主机可以访问您的 API
  3. IdentityServer 生成盐并发送给客户端
  4. 客户端使用hash(ip_address + session_salt)
  5. 计算一个session_secret
  6. 客户端使用 session_secretclient_secret 进行 API 调用
  7. 服务器验证hashclient_secret
  1. Embed the client_secret in your (web) app
  2. Set up which hosts have access to your api on the IdentityServer
  3. The IdentityServer generates a salt and sends it to the client
  4. The client calculates a session_secret using hash(ip_address + session_salt)
  5. The client uses the session_secret and the client_secret for the API call
  6. Server validates the hash and client_secret

完全阻止某人使用您的 API 几乎是不可能的.但是你应该添加各种限速方法,比如限制IP地址、API调用等.但是没有什么能阻止有人反编译你的应用并访问你的client_id.

It's nearly impossible to completely prevent someone from using your API. But you should add various rate limiting methods, such as limiting IP addresses, API calls etc. But nothing will stop someone decompiling your app and accessing your client_id.

这篇关于将 OAuth 用于使用我自己的 API 的移动设备和网站的正确方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-03 11:03