
How to implement OAuth 2.0-like token-based authentication for a REST API accessed from mobile and JavaScript web applications

I need to implement an authentication and authorization mechanism for my REST API. This REST API is accessed from a mobile application and a web application.

Mechanism I would like to implement:
As per my understanding, I am using password-based authentication. The mobile application or JavaScript web application sends the username and password over an HTTPS POST request to obtain an access token for a limited time.

Problem

  1. As the access token expires every hour or so, the end user is again asked to enter the username and password. This is not acceptable.
  2. If we increase the lifetime of the token, then if someone gets hold of the token they have access to the REST API for a longer time. As the web application is a JavaScript application, the token is easily available in plain text.

So I am trying to understand how applications like Facebook and Twitter implement authorization for their native mobile applications. Do they remember the access token forever by storing it in local storage, so that a malicious application with root access to the Android phone can access the tokens?

What are the improvements to the above mechanism to make it work both for a standalone web application developed in JavaScript and for an Android application?

Access tokens are indeed meant to be short-lived. To maintain authorization for a long period of time, OAuth2 has something called "refresh tokens".

If the provider supports it (and both Google and Facebook do), the OAuth2 consumer can request a refresh token in addition to the access token during the initial flow (Google calls that "offline access", I believe). The access token is used normally, but when it expires, the consumer can request a new access token using its credentials and the refresh token.

See Google's doc for more info: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
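The access-token/refresh-token split described in this answer, as an added example that is not part of the original post or of any real provider's code: a minimal in-memory token server with a password grant (the initial flow from the question), a refresh grant that rotates the refresh token on every use so a copy lifted from local storage stops working after the legitimate client has refreshed, and a resource-side check that rejects expired access tokens. The user store, salt, lifetimes and `now` parameter are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

ACCESS_TTL = 3600          # access tokens live about an hour, as in the question
REFRESH_TTL = 30 * 86400   # refresh tokens live longer but are single-use (rotated)

# Constructed demo user store: username -> salted SHA-256 of the password.
_SALT = b"demo-salt"
_users = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
_access = {}    # access_token  -> (username, expiry_epoch)
_refresh = {}   # refresh_token -> (username, expiry_epoch)


def _issue(user, now):
    """Mint a fresh access/refresh pair for `user` at time `now`."""
    at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access[at] = (user, now + ACCESS_TTL)
    _refresh[rt] = (user, now + REFRESH_TTL)
    return {"access_token": at, "refresh_token": rt, "expires_in": ACCESS_TTL}


def password_grant(username, password, now=None):
    """Initial flow: username + password over HTTPS -> access + refresh token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = _users.get(username, "")
    if not stored or not hmac.compare_digest(stored, digest):
        return {"error": "invalid_grant"}
    return _issue(username, now)


def refresh_grant(refresh_token, now=None):
    """Exchange a refresh token for a new pair; the old refresh token is consumed."""
    now = time.time() if now is None else now
    entry = _refresh.pop(refresh_token, None)   # pop = single use, so replay fails
    if entry is None or entry[1] < now:
        return {"error": "invalid_grant"}
    return _issue(entry[0], now)


def authorize(access_token, now=None):
    """Resource server check: return the username for a live token, else None."""
    now = time.time() if now is None else now
    entry = _access.get(access_token)
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```

Because the refresh token is rotated, a stolen copy is only useful until the real client next refreshes, which bounds the damage the question worries about without forcing the user to re-enter the password every hour.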
