
Redirect to an external site with custom headers - AngularJS/OAuth

Does it make sense to do a redirection to an external site (OAuth server) with custom headers in order to authenticate the user?

For example, after providing your credentials to http//this_is_my_site/login you click login, and it redirects you to the external address http://OAuth_Server/oauth/autorize to authorize your client.

The problem is that http://OAuth_Server/oauth/autorize requires the same credentials you just entered at http//this_is_my_site/login.

How can I do a redirection to the OAuth server with custom headers, or is this a bad approach?

headers: {
  Authorization: "Basic " + btoa('user' + ":" + 'password')
}

I'm using AngularJS for the frontend and Spring for the backend.

There are two aspects to your question.

First is implementing OAuth. Basically, you redirect the client to another site, but the redirection has a backlink to your site. When the client authenticates (logs in) on the other site, the server redirects the client back to your site (using the URL your site provided in the first redirect) and gives your site a TOKEN (in GET parameters). Using this token you can send a request to the other site and check if the user is OK.

I've shortcut some steps, but overall, that's it.

In your case, even if the user seems to have the same credentials, it is important that he still needs to authenticate (authorise your site) on the provider. There is no way to work around this, as it was intentionally designed in such a way that the client should not be able to enter the credentials of another site on your site and still have access to the other site's data.

Second is sending custom headers to another site while redirecting. It is not possible, mainly because of a historical limitation. Originally the redirection happens by sending a Location header to the client with the new URL, and the client requests the new resource via GET. As simple as that. Later the JavaScript redirection was added, AFAIK; nobody really cared about the headers, as it was not possible anyway, so why bother?

However, there is one important exception to this rule: authentication. You can add the user and password in the URL as http://user:password@host/... and they will be sent in the Authenticate header. However, it has nothing in common with OAuth and is called HTTP Basic Authentication. If the server supports it, you can specify them during the redirection, but it is orthogonal to OAuth.
