简体繁体 English

如何使用Doorkeeper限制OAuth2凭证授予类型流

[英]How to restrict OAuth2 Credentials Grant Type flow using Doorkeeper

原文 2015-08-06 08:29:46 3 1 ruby-on-rails/ doorkeeper

I'm using Doorkeeper to handle OAuth2 authorization in my web application. 我正在使用Doorkeeper在Web应用程序中处理OAuth2授权。

Since I am the owner of the web application I should be able to use the Password Credentials grant type using only a client_id and the user credentials. 由于我是Web应用程序的所有者，因此我应该能够仅使用client_id和用户凭据来使用“密码凭据”授予类型。

I am wondering if there is a way to white list the applications that are allowed to use this flow? 我想知道是否有一种方法可以将允许使用此流程的应用程序列入白名单？

My concern is that if there is no way do whitelist them, what could stop a evil user to gather my users credentials? 我担心的是，如果没有办法将其列入白名单，那么什么能够阻止恶意用户收集我的用户凭据？ He could take my client_id token and use it to build its own authentication interface. 他可以使用我的client_id令牌并使用它来构建自己的身份验证接口。 He would basically just ask for user credentials and send a token request to my OAuth2 provider on my behalf, using my client_id token. 他基本上只会要求用户提供凭据，并使用我的client_id令牌代表我向OAuth2提供者发送令牌请求。

Am I missing something here? 我在这里想念什么吗？

1 个解决方案

Your concern is legit and you are absolutely right. 您的关注是合法的，并且您绝对正确。 Doorkeeper does not require client credentials on password grant, see why here . Doorkeeper在授予密码时不需要客户端凭据，请在此处查看原因。

As I was doing some research on the subject, I stumble upon these anwser : 在我对该主题进行一些研究时，我偶然发现了这些答案：

One solution suggested in the first link is : don't use password grant. 第一个链接建议的一种解决方案是：不要使用密码授予。

Another one is : you can implement a custom client authentication on top of doorkeeper's resource owner password credentials grant. 另一个是：您可以在看门人的资源所有者密码凭据授予的基础上实现自定义客户端身份验证。

I know I didn't offer my own help and copy paste some refs, but as I was also searching for an answer, I see no reason to let you without one. 我知道我没有提供自己的帮助，也没有复制粘贴一些参考，但是由于我也在寻找答案，因此我认为没有理由让您没有参考。 I know this question is old, but it's still unanswered. 我知道这个问题很旧，但是仍然没有答案。 Hope that still helps some people. 希望仍然可以帮助一些人。