使用oAuth2orize传递可信客户端信息以获取“资源所有者密码流”
[英]Passing Trusted Client Information with oAuth2orize for the “Resource Owner Password Flow”
问题描述
I am having some issues understanding how to implement the Resource Owners Password Flow with oAuth2rize and passport.js specifically with the transmission of the client_id and the client_secret so that i can do some checks on the client to ensure anything coming into this end point (/token) using the specific "password" grant type is specifically an official application and no others based on the id and secret. 
我有一些问题,了解如何使用oAuth2rize和passport.js实现资源所有者密码流,特别是传输client_id和client_secret,以便我可以对客户端进行一些检查,以确保任何进入此终点的任何内容(/令牌)使用特定的“密码”授权类型具体是官方应用程序,没有其他基于id和秘密。
When building out the solution i can get a token back, but that is before i have tried to do any validation on the client. 在构建解决方案时,我可以获得令牌,但这是在我尝试在客户端上进行任何验证之前。 When i try and access the client variable (posted to the end point) passed into the password exchange strategy i receive the user credentials (username, password) which based on documentation is expected but not what i need to achieve here. 当我尝试访问传递给密码交换策略的客户端变量(发布到终点)时,我会收到基于文档的用户凭据(用户名,密码),但不是我需要在这里实现的。
I am at a loss to understand how i get the actual client credentials, i can see in the password function source code you can provide additional options to override the default assignment to req['user'] but does that mean i have to provide some sort of code to add to the req object? 我无法理解我如何获得实际的客户端凭据,我可以在密码函数源代码中看到,您可以提供其他选项来覆盖req ['user']的默认赋值,但这是否意味着我必须提供一些要添加到req对象的一些代码?
I have setup some integration tests and here is how i am calling my endpoint (using SuperTest): 我已经设置了一些集成测试,这是我如何调用我的端点(使用SuperTest):
request('http://localhost:43862')
.post('/oauth/token')
.type('form')
.send({ grant_type: 'password' })
.send({ client_id: 'goodClient' })
.send({ client_secret: 'asecret' })
.send({ username: 'good@user.com' })
.send({ password: 'goodpassword' })
.expect(200, done);
For some reason i seem to be completely over thinking this but for some reason am completely stumped.... 出于某种原因,我似乎完全在想这个,但由于某种原因,我完全被困......
1 个解决方案
解决方案1
4 已采纳 2013-05-21 14:35:25
As expected it was an understanding issue where we were using a local strategy instead of the ClientPasswordStrategy with the user validation happening within the password exchange before issuing a token. 正如预期的那样,在发布令牌之前,我们使用本地策略而不是ClientPasswordStrategy,并在密码交换中进行用户验证,这是一个理解问题。
We are now using the ClientPasswordStrategy and within the exchange.password function we are calling and internal call to our user api to validate the user credentials and if ok then issuing the token. 我们现在正在使用ClientPasswordStrategy并在我们调用的exchange.password函数内部调用我们的用户api以验证用户凭据,如果可以,则发出令牌。
passport.use(new ClientPasswordStrategy(
function(clientId, clientSecret, next){
Client.verify(clientId, clientSecret, function(err, verified){
if(!verified){
return next(null, false);
}
next(null, clientId);
});
}
));
passport.use(new BearerStrategy(
function(token, next) {
Token.getByToken(token, function(err, tokenObj){
if(err)
return next(err);
if(!tokenObj)
return next(null, false);
User.getByUsername(tokenObj.username, function(err, user){
return next(null, user, { scope: 'all' });
});
});
}
));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.