[英]OAuth 2.0 (Tokens) for Login Functionality
I am here with some general discussion very famous and interesting topic " Token Based Authentication ". 我在这里进行了一些非常著名且有趣的主题“ 基于令牌的身份验证 ”的一般性讨论。
I need my registered users to login with API. 我需要我的注册用户才能使用API登录。 Scenario is quite simple, We want to pass our login details to Server. 场景非常简单,我们希望将登录详细信息传递给Server。 Server will check the credentials with database. 服务器将使用数据库检查凭据。 If credentials are proper then Server will create "Session Id" and return back to user (client end). 如果凭据正确,则服务器将创建“会话ID”并返回给用户(客户端)。 In subsequent requests user just need to pass that "Session Id" to authenticate and access protected data. 在后续请求中,用户只需传递“会话ID”即可进行身份验证和访问受保护的数据。
Plenty of people suggest about OAuth 2.0 and also some people suggest about Custom Logic. 很多人建议使用OAuth 2.0,有些人建议使用Custom Logic。 In custom logic they asked to be very sure about security. 在自定义逻辑中,他们要求非常确定安全性。 I read documentation of OAuth and it's good and descriptive. 我阅读了OAuth的文档,它很好并且具有描述性。 I'm also liking it to use. 我也喜欢使用它。 But wherever I search for OAuth authentication, they are giving example of third party login. 但是无论我在哪里搜索OAuth身份验证,它们都提供了第三方登录的示例。
I had installed Php OAuth extension at my side for supporting this feature. 我已经在侧面安装了Php OAuth扩展程序以支持此功能。 In examples they asked to create Request Token first using " getRequestToken " function. 在示例中,他们要求首先使用“ getRequestToken ”函数创建请求令牌 。 Using that Request token they asked to call " getAccessToken " function to get " Access Token ". 他们要求使用该请求令牌来调用“ getAccessToken ”函数以获取“ 访问令牌 ”。 Using that Access Token just need to call " fetch " to get protected data. 使用该访问令牌只需调用“ fetch ”即可获取受保护的数据。
Now my questions are, 现在我的问题是
I read different Grant Types in OAuth but confused how to use to achieve my approach. 我在OAuth中阅读了不同的Grant Types,但困惑了如何使用它来实现我的方法。
Thanks in advance. 提前致谢。
From what I read, you do not need OAuth at all. 根据我的阅读,您根本不需要OAuth。 OAuth is need if there is a third party involved that needs access to your user resources. 如果涉及第三方需要访问您的用户资源,则需要OAuth。
https://myserver.com/signin?user=john.doe@gmail.com&password=12345
如您所述,您只需要一个登录API,例如https://myserver.com/signin?user=john.doe@gmail.com&password=12345
'{user:john.doe@gmail.com; sessionId=KJN93EJMQ3WEC9E8RCQJRE8F9E}'
响应可能类似于'{user:john.doe@gmail.com; sessionId=KJN93EJMQ3WEC9E8RCQJRE8F9E}'
'{user:john.doe@gmail.com; sessionId=KJN93EJMQ3WEC9E8RCQJRE8F9E}'
Addtional considerations: 其他注意事项:
I think it standard stuff if not the logging in happening via REST. 我认为这是标准的东西,如果不是通过REST登录的话。
The requirement that I posted before to login with OAuth2.0. 我之前发布的使用OAuth2.0登录的要求。
Usually people assume that OAuth2.0 is only for fetching data by Third Party application from resource center behalf of Resource Owner. 通常,人们认为OAuth2.0仅用于第三方应用程序代表资源所有者从资源中心获取数据。 That approach is called Authorization Code. 该方法称为授权码。
OAuth2.0 has various " Authorization Grant ". OAuth2.0具有各种“ 授权授予 ”。 There are four types, 有四种类型
After research, I realize that "Resource Owner Credentials" is best suitable for me. 经过研究,我意识到“资源所有者凭证”最适合我。 I found one perfect library that helps you to understand background process internally. 我找到了一个完美的库,可以帮助您内部了解后台流程。 Here's the GitHub link to download . 这是要下载的GitHub链接。
Found two major issues here, 在这里发现了两个主要问题,
If anyone has idea then please share. 如果有人有想法,请分享。
Thanks, 谢谢,
Sanjay 桑杰
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.