堆栈内存溢出
  简体   繁体   English

如何使用Oauth2和javascript客户端实现长期登录会话(Spring Oauth2 + Angularjs)

[英]How to achieve long lived login session with Oauth2 and javascript client(Spring Oauth2 + Angularjs)

 原文  2014-07-23 03:21:30       spring/ angularjs/ oauth/ spring-security/ spring-security-oauth2

问题描述

I've a spring backend with Spring OAuth2 and Angular client. 我有Spring OAuth2Angular客户端的弹簧后端。

What is the proper way to achieve long lived logins which is still arguably secure . 实现长寿登录的正确方法是什么,这仍然可以说是安全的

I guess I can use password flow and refresh tokens , but this doesn't seem any safer than using long lived access tokens with implicit flow for browser clients. 我想我可以使用密码流刷新令牌 ,但这似乎比使用具有隐式流的浏览器客户端的长期访问令更安全。 I think I can use: 我想我可以用:

  • Redirects - which will interfere with whatever user was doing 重定向 - 这将干扰用户正在做的任何事情
  • Popups - which will get blocked without user interaction 弹出窗口 - 在没有用户交互的情况下会被阻止

on the client level. 在客户端级别。 But is there any better approach? 但有没有更好的方法?

PS: Cloudfoundry's new UI seems to have achieved exactly what I want. PS:Cloudfoundry的新UI似乎已经达到了我想要的效果。

2 个解决方案

解决方案1
 2  2014-07-23 14:48:45

The auth code flow is always superior (more secure and less chance of leaking user cerdentials). 身份验证代码流始终优越(更安全,泄漏用户信息的可能性更小)。 If you are writing a browser-hosted client contacting the OAuth2 service directly then unfortunately you won't be able to get hold of the access token from the auth code flow. 如果您正在编写直接联系OAuth2服务的浏览器托管客户端,那么很遗憾您将无法从授权代码流中获取访问令牌。 For that reason I think I would prefer to use access tokens between machine (non-browser) clients, and standard cookie-based authentication between the browser and the front end server. 出于这个原因,我认为我更愿意在机器(非浏览器)客户端之间使用访问令牌,并在浏览器和前端服务器之间使用标准的基于cookie的身份验证。 You can still use OAuth2 on the front end server to do the authentication (I'm pretty sure that's what the CloudFoundry server is doing) if you expose a /me or /user_info type endpoint. 如果您公开/ me或/ user_info类型端点,您仍然可以在前端服务器上使用OAuth2来进行身份验证(我很确定这是CloudFoundry服务器正在做的事情)。

Or if you really need to get the access token in your client (I guess there are libraries for dealing with it), you can use password or implicit grant. 或者,如果您确实需要在客户端获取访问令牌(我想有处理它的库),您可以使用密码或隐式授权。 Implicit is strongly preferred on security grounds (since the user only types his password into the auth server authentication UI), but in both cases you need to take care to segregate your client data so the (unauthenticated) clients don't get access to anything they shouldn't. 出于安全原因,Implicit是强烈首选的(因为用户只在auth服务器身份验证UI中键入了他的密码),但在这两种情况下,您都需要注意隔离客户端数据,以便(未经身份验证的)客户端无法访问任何内容他们不应该。

解决方案2
 1 已采纳  2014-09-24 02:18:52

我的解决方案是使用带隐式授权的隐藏iframe。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Oauth2 Angularjs登录不是Woking - Spring Oauth2 Angularjs Login Not Woking Spring安全中的Oauth2客户端 - Oauth2 Client in Spring security OAuth2客户端身份验证Spring - OAuth2 Client Authentication Spring Spring Boot中的oauth2客户端 - oauth2 client in Spring Boot 没有这样的客户端例外Spring Oauth2 - No Such Client Exception Spring Oauth2 如何更改默认的Spring Boot oauth URL(/ login / oauth2 / code和/ oauth2 / authorization)? - How change the default Spring Boot oauth urls (/login/oauth2/code and /oauth2/authorization)? 春季启动安全性,Oauth2用来自Facebook的长期令牌替换访问令牌 - Spring boot Security, Oauth2 replace access token with long-lived token from facebook Spring Security OAuth2服务器的客户端登录表单 - Client login form for a Spring Security OAuth2 server Spring OAuth2在表单登录时不会重定向回客户端 - Spring OAuth2 not redirecting back to client on form login 使用Spring Boot OAuth2 Client登录后访问用户数据 - Access user data after login with Spring Boot OAuth2 Client
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM