使用Oauth保护API通信
[英]Securing API communication with Oauth
问题描述
I have a REST API that needs to allow CORS for multiple apps, and a single page webapp that should use this API. 
我有一个REST API,它需要允许多个应用程序使用CORS,还有一个应使用此API的单页Web应用程序。 The API should not be completely open though. 该API不应完全打开。
Now, I have looked at different schemes for authentication, and Oauth2 seems like what the "big guys" are using. 现在,我研究了不同的身份验证方案,Oauth2似乎就像“大佬”正在使用的一样。
The solution I am thinking about implementing is something like this: 我正在考虑实现的解决方案是这样的:
The JS webapp makes a request to a local, server side, proxy, which holds the Oauth credentials and obtains a token for the JS webapp to use to communicate directly with the REST API from that point out. JS Webapp向本地服务器端代理发出请求,该代理拥有Oauth凭据,并从该点获取供JS Webapp用于直接与REST API通信的令牌。
Does this sound viable? 听起来可行吗? I am thinking I just moved the problem, since I now need to validate the webapps token request to the local proxy instead? 我想我只是解决了这个问题,因为我现在需要验证对本地代理的webapps令牌请求? :) :)
I am also thinking that this problem must have been solved many times before already :) 我还认为这个问题必须已经解决了很多次:)
1 个解决方案
解决方案1
1 已采纳 2013-09-06 16:53:33
The OAuth 2.0 Implicit Grant is meant for authenticating browser applications as you've described. 如上所述, OAuth 2.0隐式授权用于验证浏览器应用程序。 Checkout Google's Implementation for as an example. 以Google的实施为例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.