简体繁体 English

oauth2重定向url如何用于桌面应用程序？

[英]How does oauth2 redirect url work for desktop applications?

原文 2016-06-01 06:37:38 6 1 javascript/ oauth/ electron/ oauth2

For people who work with desktop applications, how do they handle oauth2 flows for third party services that need a redirect url? 对于使用桌面应用程序的人，他们如何处理需要重定向URL的第三方服务的oauth2流？

I'd like to authenticate users through Discord's oauth2 login. 我想通过Discord的oauth2登录名对用户进行身份验证。 But I'm working on a desktop app, with no webservice behind it. 但是我正在开发一个桌面应用程序，其背后没有任何网络服务。

I've read about the redirect scheme that looks like, 我已经阅读了有关重定向方案的内容，

urn:ietf:wg:oauth:2.0:oob

But discord says it's a non matching redirect url after logging in through oauth2 . 但是Discord表示，这是通过oauth2登录后的不匹配重定向网址 。

1 个解决方案

If you use a desktop application you have a couple of choices: 如果您使用桌面应用程序，则有两种选择：

You can start a webserver locally and use localhost as redirectUri. 您可以在本地启动Web服务器，并将localhost用作redirectUri。 The downside is that you will usually need to also supply the port number in the list of allowed redirect Uris and you won't necessrily know if a certain port is available on the client. 缺点是您通常还需要在允许的重定向Uris列表中提供端口号，并且您不必知道客户端上是否有特定端口可用。
The urn:ietf:wg:oauth:2.0:oob instructs the server not redirect the user at all but output the code in the browser windows title. urn:ietf:wg:oauth:2.0:oob指示服务器根本不要重定向用户，而是在浏览器窗口标题中输出代码。 If you have the appropriate permission to read other windows title then you can autodetect changes there. 如果您具有阅读其他Windows标题的适当权限，则可以在那里自动检测更改。 Also the code is usually displayed to the user so that as a fallback he can copy&paste the code into your application. 此外，通常还会向用户显示代码，以便作为后备用户，他可以将代码复制并粘贴到您的应用程序中。 However your service may not support this. 但是，您的服务可能不支持此功能。
Setup a webservice that forwards the token for you. 设置一个为您转发令牌的Web服务。 Basically you setup a webservice against which your application authenticates and that webservice returns an URL to the authentication service including an appropriate state to you to which you send the user. 基本上，您设置了一个Web服务，您的应用程序将通过该Web服务进行身份验证，并且该Web服务将URL返回到身份验证服务，其中包括向您发送用户的适当state 。 Then the authentication service will send your user back to your webservice which again reports the code to your application eg by means of long polling, web sockets, or a real TCP connection which is kept open during the whole process. 然后，身份验证服务会将您的用户送回到您的Web服务，该服务再次通过长轮询，Web套接字或在整个过程中保持打开状态的真实TCP连接的方式将代码报告给您的应用程序。 Note that the webservice will need careful design so that the service is not abused by third-parties. 请注意，该Web服务将需要仔细设计，以便该服务不会被第三方滥用。 Since you cannot technically authenticate your desktop application against the webservice, you cannot stop other applications from calling your webservice, but you can present some information to the user on the consent screen that helps users identify whether the request was legitimate or not. 由于您不能从技术上针对Web服务对桌面应用程序进行身份验证，因此您无法阻止其他应用程序调用您的Web服务，但是您可以在同意屏幕上向用户显示一些信息，以帮助用户识别请求是否合法。