
Choosing the right OAuth2 grant type for PHP web app

I'm building a very typical web app product. It will likely have corresponding mobile apps in the future. I'm building it from the ground up with a REST API, which is secured using OAuth2. I've got OAuth2 working, and I'm able to connect successfully using various grant types.

What I'm a little confused about is what grant types to use for the actual web app. Here's what I had in mind:

Public API access

Before a user logs into the web app, some API access is required for things like user registration and password resets. I was thinking of using the client_credentials grant type. A simple client id and secret validation in return for an access token.

However, it seems totally unnecessary to request an access token for every single public request or even for each session. It seems to make more sense to just generate ONE access token that my web app will always use.

Yet, this seems to go against how OAuth is designed to work. For example, access tokens expire. What is the right way of doing this?

Private user API access

Next, for a user to log in to the web app I was planning on using the password grant type (resource owner password credentials). This approach allows me to save the user_id with the access token, so I know which user is logged in. Further, by using scopes I can restrict access within the API.

I plan to save the access token within the PHP session. As long as the PHP session is active they will remain logged into the web app.

Is this an appropriate design for user login?

For Public API Access:

One method is to skip tokens altogether and just use Basic HTTP Authentication for API access. You could accept Client Credentials for this, and limit what clients can do using client-specific scopes. Github offers HTTP Basic authentication using user credentials for all their API calls.

For Private user API Access:

This is an interesting question because it begins to breach the line between Authentication and Authorization. OAuth is used for Authorization, so logging in users becomes dicey. Session management, for example, is something not covered by the OAuth2.0 spec.

However, this is a common use of OAuth2.0 anyway. You can use the password grant type, or any other grant type for that matter, to obtain an access token. A major downside is they have to trust your application with their password (not a big deal for your own app, but for 3rd parties not so much). Also, being logged in one place does not necessarily mean being logged in somewhere else (rather than SSO, you have "linked accounts", so the sessions are managed separately). One way around this is to ALWAYS send users to the oauth authorize endpoint, and if their session is active on the OAuth2.0 Provider side, reroute them back to the client app with an access token or authorization code. This way, if the session is active with the OAuth2.0 provider, the client can immediately log them in.
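The following is an added example, not code from the question or the answer above. It puts the two access paths discussed on this page (Basic HTTP auth with client credentials and client-specific scopes for the public endpoints, and an expiring Bearer token from the password grant that carries the user_id for the private endpoints) into one PHP resource-server check. Every client id, secret, token value, scope, user id and timestamp is constructed sample data; the token store stands in for whatever database or introspection call a real API would use.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or answer). A single
// resource-server entry point that authenticates a request either by
//   1) HTTP Basic client credentials, limited to client-specific scopes, or
//   2) a Bearer access token issued by the password grant, carrying user_id,
//      user scopes and an expiry.
// All identifiers and secrets below are constructed sample data.

/** Registered API clients: secrets stored hashed, plus the scopes each may use. */
function clientRegistry(): array
{
    static $registry = null;
    if ($registry === null) {
        $registry = [
            'webapp' => [
                'secret_hash' => password_hash('s3cr3t-webapp', PASSWORD_DEFAULT),
                'scopes'      => ['user:register', 'password:reset'],
            ],
        ];
    }
    return $registry;
}

/** Access tokens issued by the password grant: opaque token => claims (sample data). */
function tokenStore(): array
{
    $base = 1700000000; // constructed "now" used by the demo below
    return [
        'tok-alice-valid'  => ['user_id' => 42, 'scopes' => ['profile:read', 'orders:write'], 'expires_at' => $base + 3600],
        'tok-bob-expired'  => ['user_id' => 7,  'scopes' => ['profile:read'],                 'expires_at' => $base - 60],
    ];
}

/** Resolve the caller from the Authorization header; null means not authenticated. */
function authenticate(string $authorization, int $now): ?array
{
    if (preg_match('/^Basic\s+(\S+)$/i', $authorization, $m)) {
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        [$clientId, $secret] = explode(':', $decoded, 2);
        $client = clientRegistry()[$clientId] ?? null;
        // Always run password_verify (constant-time), against a dummy hash when the
        // client id is unknown, so response timing does not reveal which ids exist.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
        $ok = password_verify($secret, $client['secret_hash'] ?? $dummyHash);
        if ($client === null || !$ok) {
            return null;
        }
        return ['type' => 'client', 'client_id' => $clientId, 'scopes' => $client['scopes']];
    }

    if (preg_match('/^Bearer\s+(\S+)$/i', $authorization, $m)) {
        $claims = tokenStore()[$m[1]] ?? null;
        if ($claims === null || $claims['expires_at'] <= $now) {
            return null; // unknown or expired token: the client must obtain a new one
        }
        return ['type' => 'user', 'user_id' => $claims['user_id'], 'scopes' => $claims['scopes']];
    }

    return null;
}

/** Enforce the scope an endpoint requires against the authenticated caller. */
function authorize(?array $principal, string $requiredScope): bool
{
    return $principal !== null && in_array($requiredScope, $principal['scopes'], true);
}

// Constructed requests: label => [Authorization header, scope the endpoint requires].
$now   = 1700000000;
$basic = 'Basic ' . base64_encode('webapp:s3cr3t-webapp');
$requests = [
    'POST /users (public, via Basic)'        => [$basic, 'user:register'],
    'GET /me/orders (Basic may not do this)' => [$basic, 'orders:write'],
    'GET /me/orders (valid user token)'      => ['Bearer tok-alice-valid', 'orders:write'],
    'GET /me (expired user token)'           => ['Bearer tok-bob-expired', 'profile:read'],
    'POST /users (wrong client secret)'      => ['Basic ' . base64_encode('webapp:wrong'), 'user:register'],
];

foreach ($requests as $label => [$header, $scope]) {
    $principal = authenticate($header, $now);
    $who = $principal === null ? 'anonymous'
         : ($principal['type'] === 'user' ? "user {$principal['user_id']}" : "client {$principal['client_id']}");
    printf("%-42s -> %s, %s\n", $label, $who, authorize($principal, $scope) ? 'allowed' : 'denied');
}
```

Run it with `php example.php`. The point the two posts circle around is visible in the output: the Basic-authenticated web app client can register users but is denied on a user-only scope, a valid user token is resolved to user 42, and the expired token is treated exactly like no credential at all, which is why the web app has to be ready to request a fresh token rather than keep one forever. Basic auth sends the client secret on every request, so this only holds up over TLS.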

