授权代码流还是将oauth用户与内部用户匹配的隐式?
[英]Authorization Code Flow or Implicit to match a oauth user to an internal user?
问题描述
I am trying to make sense of Oauth2 for an API. 
我正在尝试为API设计Oauth2。 The first important thing to consider is that the client does not authenticate directly to the API with oauth2. 首先要考虑的重要事项是,客户端不会使用oauth2直接向API进行身份验证。 The client authenticates with a public/private key pair, but the client is a service to end users, that can then authenticate using oauth2. 客户端使用公钥/私钥对进行身份验证,但是客户端是针对最终用户的服务,然后可以使用oauth2进行身份验证。
I am using the authentication code flow, which calls my backend in the redirect uri, which then creates a temporary table containing the code, unique id and oauth2 provider. 我正在使用身份验证代码流,该流在重定向uri中调用我的后端,然后创建一个包含代码,唯一ID和oauth2提供程序的临时表。 All of which works fine. 所有这些都很好。
The idea is then to have to client making a request to the api to create a user from the oauth2 details, I need this to match the api key of the client to that particular user. 然后的想法是必须客户端向api请求以从oauth2详细信息创建用户,我需要这样做以将客户端的api密钥与该特定用户进行匹配。 The problem is that with the Authorisation code flow I do not have any knowledge of any token or unique id or code on the client itself. 问题在于,使用授权代码流,我对客户端本身上的任何令牌,唯一ID或代码一无所知。 Am I barking up the wrong tree here and using a wrong approach? 我在这里用错误的方法吠叫错误的树吗?
Should I instead require a token with an implicit flow, then pass said token to the API that makes a request with that token and retrieves whatever data it needs? 我是否应该改为要求一个带有隐式流的令牌,然后将所述令牌传递给使用该令牌发出请求并检索所需数据的API?
Thank you very much 非常感谢你
1 个解决方案
解决方案1
0 2016-04-01 06:42:19
授权服务器, client_id客户端client_id令牌的实体,可以在数据数据中包含client_id与令牌相关联,以便令牌验证后资源服务器可以使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.