用于REST Web服务的OAuth 2.0
[英]OAuth 2.0 for REST Web services
问题描述
i'm implementing a REST layer for an existing application. 
我正在为现有应用程序实现REST层。 I have my userid and passwords stored in database and i would like to authenticate these credentials while calling my REST services. 我将我的用户ID和密码存储在数据库中,我想在调用我的REST服务时验证这些凭据。 Note that this is a standalone application. 请注意,这是一个独立的应用程序。
After investigation, I figured out 2 ways. 经过调查,我想出了两种方法。
- Basic implementation with HTTPS - this approach makes sure that userid and password passed is not tampered by Man in middle attack. 使用HTTPS的基本实现 - 这种方法可确保传递的用户标识和密码不会被Man在中间攻击中篡改。
- Using Authentication Token(JWT) - user initially passes his userid and password and server gives back an Authentication token.Once user have an authentication token that could be used for subsequent request. 使用身份验证令牌(JWT) - 用户最初传递其用户ID和密码,服务器返回一个身份验证令牌。一旦用户拥有可用于后续请求的身份验证令牌。
- Using OAuth 2.0 - I'm very confused in this approach. 使用OAuth 2.0 - 我对此方法感到非常困惑。 After reading the docs and specification, I found that since my application is standalone, I need to implement Authorization Server, Resource Server etc. 在阅读了文档和规范之后,我发现由于我的应用程序是独立的,我需要实现Authorization Server,Resource Server等。
I'm asked to implement OAuth here, but i'm not convinced that OAuth is required in this scenario. 我被要求在这里实施OAuth,但我不相信在这种情况下需要OAuth。 I'm more inclined towards just implementing JWT(tokens) 我更倾向于实施JWT(令牌)
Is OAuth really mandated in this scenario. 在这种情况下,OAuth是否真的受到强制要求。 What i understand about OAuth is it is used when you already have a service like Facebook/ Google. 我对OAuth的理解是,当您已拥有Facebook / Google等服务时,会使用它。
Could someone pls confirm if my train of thoughts are correct and if OAuth 2.0 is required in this case? 有人请确认我的思路是否正确以及在这种情况下是否需要OAuth 2.0?
1 个解决方案
解决方案1
0 2017-03-15 11:14:08
The primary goal of OAuth 2.0 is to allow users to authenticate to use a client application via a third-party authentication provider (eg Google, Facebook, etc.), without exposing their credentials (typically a username/password) to the client. OAuth 2.0的主要目标是允许用户通过第三方身份验证提供程序(例如Google,Facebook等)进行身份验证以使用客户端应用程序,而无需向客户端公开其凭据(通常是用户名/密码)。
In your case, if users are only ever going to authenticate to your system using their credentials in your database, then implementing OAuth 2.0 doesn't add any substantial value for you. 在您的情况下,如果用户只是使用他们在数据库中的凭据进行系统身份验证,那么实施OAuth 2.0不会为您增加任何重要价值。
The OAuth 2.0 specification does define a "Resource Owner Password Credentials grant" , intended for legacy use cases, that would apply to your situation: a user sends credentials, and you return an access token (that could be a JWT, if you like). OAuth 2.0规范确实定义了适用于您的情况的“资源所有者密码凭据授权” ,用于遗留用例:用户发送凭据,并返回访问令牌(如果您愿意,可以是JWT) 。 If it's desirable from a management or marketing perspective, you could implement the Resource Owner Password Credentials grant and legitimately state that your application "conforms to a subset of OAuth2, as defined by RFC6749". 如果从管理或营销角度来看,您可以实现资源所有者密码凭据授权,并合法地声明您的应用程序“符合RFC6749定义的OAuth2子集”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.