iOS应用和用户身份验证。 OAuth的?
[英]iOS app & user authentication. oAuth?
问题描述
I'm creating my first iOS app, which will essentially make calls to a RESTful API that I'm building in PHP / MySQL (Laravel), and display the returned data to the user. 
我正在创建我的第一个iOS应用程序,它基本上会调用我在PHP / MySQL(Laravel)中构建的RESTful API,并将返回的数据显示给用户。
Firstly, I need to create a system for Users to register / login, from the iOS app. 首先,我需要为iOS用户创建一个注册/登录系统。
I've been reading about oAuth and oAuth2, but am a little confused as I'm not sure it's applicable to my situation. 我一直在阅读有关oAuth和oAuth2的内容,但我有点困惑,因为我不确定它是否适用于我的情况。
What I want is: 我想要的是:
1) A user to open the App on their iOS device 1)用户在其iOS设备上打开应用程序
2) and be required to login by the app making a call to my API, which in turn, checks the user's credentials against a MySQL database on the server 2)并且需要通过应用程序登录我的API,然后根据服务器上的MySQL数据库检查用户的凭据
What I DONT want is: 我不想要的是:
1) The user to be logging in via 3rd party application (google, facebook, twitter, etc) 1)通过第三方应用程序登录的用户(谷歌,脸书,推特等)
2) The user to be directed away from the app to a web page where they have to provide credentials, and then be re-directed back to the app. 2)用户被引导离开应用程序到他们必须提供凭据的网页,然后被重新定向回应用程序。
Is oAuth appropriate in this situation? oAuth在这种情况下是否合适? My impression was that it's used to verify a user via a 3rd party service only. 我的印象是,它仅用于通过第三方服务验证用户。
EDIT: An example might be the ebay app on ios. 编辑:一个例子可能是ios上的ebay应用程序。 It has it's own database of users, and allows login and registration from the app, not using any 3rd party API to do so 它拥有自己的用户数据库,允许从应用程序登录和注册,而不是使用任何第三方API
2 个解决方案
解决方案1
5 已采纳 2014-12-28 00:08:35
OAuth(2) is a protocol for authorization. OAuth(2)是授权协议。 It was meant to grant access to your API to other apps. 它旨在授予您对其他应用的API访问权限。 In other words, I'm a developer of Eugenio's Super App and I want to call your API on behalf of a (common) user. 换句话说,我是Eugenio的超级应用程序的开发人员,我想代表(普通)用户调用您的API。
In your example, your iOS app is the sole consumer of your API. 在您的示例中,您的iOS应用是您API的唯一消费者。 Perhaps in the future you plan to expand this. 也许将来你打算扩大这个范围。 Perhaps not. 也许不是。
In any case, I would recommend separating authentication of the user from the API itself. 无论如何,我建议将用户的身份验证与API本身分开。 You never know how your user base will evolve. 您永远不会知道您的用户群将如何发展。 Perhaps you plan to sell your app to consumers. 也许您计划将您的应用程序出售给消费者。 Even though you don't want to login with FB, Twitter, etc. users might prefer to do so. 即使您不想使用FB,Twitter等登录,用户也可能更愿意这样做。 (unless you are as big as eBay). (除非你和eBay一样大)。
BTW, logging in with FB/Twitter does not require navigating outside to their sites anymore.
Or perhaps you are planning on selling this app to enterprise users. 或者您可能计划将此应用程序销售给企业用户。 In that case, they will definitely not want to login with your credentials as they already have their own (eg AD, LDAP, etc) 在这种情况下,他们肯定不想使用您的凭据登录,因为他们已经拥有自己的凭据(例如AD,LDAP等)
Keeping that process separate allows your API to evolve over time. 将该流程分开可让您的API随着时间的推移而发展。 Who knows, maybe your app can authenticate users with TouchID . 谁知道,也许您的应用可以使用TouchID对用户进行身份验证。 Another example here . 另一个例子 。
I would recommend using a token based approach in any case. 我建议在任何情况下使用基于令牌的方法。 Your APIs would expect a Token. 您的API需要令牌。 JWT are lightweight and simple to create/validate and parse. JWT轻量级,易于创建/验证和解析。
This is a good summary of how to structure JWTs for API: https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/ 这是如何为API构建JWT的一个很好的总结: https ://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/
解决方案2
0 2014-12-27 19:58:11
I'm planning to do the same and struggle with the same problem: using OAuth or just login with credentials. 我打算做同样的事情,并努力解决同样的问题:使用OAuth或只使用凭据登录。 But I think I can give you some advice. 但我想我可以给你一些建议。
As far as I understood, you think that OAuth2 is a provider to log in with Facebook, Twitter etc. That is wrong. 据我所知,您认为OAuth2是一个使用Facebook,Twitter等登录的提供商。这是错误的。 But Facebook and Twitter also use OAuth2. 但Facebook和Twitter也使用OAuth2。
What is OAuth2 used for (very, very basic!): 什么是OAuth2用于(非常,非常基本!):
If you have a (Web)Service like Facebook and want users to log in from a third party app (like 9gag, soundcloud) you can use OAuth2 to grant them access (without letting them store your credentials). 如果您有像Facebook这样的(Web)服务并希望用户从第三方应用程序(如9gag,soundcloud)登录,您可以使用OAuth2授予他们访问权限(不让他们存储您的凭据)。 How does it work? 它是如何工作的? The User is redirected to Facebook's API. 用户被重定向到Facebook的API。 When he enters his credentials he is redirected back with a access token. 当他输入他的凭证时,他会被重定向回来并带有访问令牌。 The third party app is then able to log in to facebook with this token to access the users data (for example friends or post something). 然后,第三方应用程序可以使用此令牌登录到Facebook以访问用户数据(例如,朋友或发布内容)。
But as you already explained, your iOS App is a first party app (it is from the same developer: you!). 但正如您已经解释过的,您的iOS应用程序是第一方应用程序(它来自同一个开发人员:您!)。 So I think you don't need to build a OAuth2 API. 所以我认为您不需要构建OAuth2 API。 Just login with the users credentials. 只需使用用户凭据登录即可。
It is not a pro explanation it is just what I understood so far based on ym research. 这不是一个专业的解释,它是我迄今为止基于ym研究所理解的。 But I hope it helps you ^^ 但我希望它可以帮助你^^
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.