How to exchange OAuth2 authorization codes for access tokens received from a client (Ember) in Express?
I'm using ember-simple-auth and torii to handle client-side OAuth2 authentication against Facebook and Google in an Ember app I'm building. I receive an authorization code from that process.
I want to send that code from the client to my REST API and exchange it for access tokens to get their user ID so I can figure out what information they should have access to.
Then, I want to put the user ID into a JSON web token that the client can send me in subsequent requests for data from the BE app.
My Problem: All examples I've found of using Passport for OAuth2 authentication rely on redirecting the user on the server side and using callbacks rather than just exchanging an already-provided authorization code.
What am I missing? This seems like something many apps would need to do.
Assuming a compliant OAuth 2.0 implementation, exchanging an authorization code for an access token is accomplished by performing a POST request to the token endpoint URL and providing the following parameters using the application/x-www-form-urlencoded format:
grant_type - Must be set to authorization_code.
code - Will contain the value of the code you have.
redirect_uri - Must be included and the value match, if it was also included in the request to obtain the authorization code.
Additionally, depending on the client, you'll have to either provide the client_id parameter, if the client was not issued credentials, or, if the client has credentials, perform client authentication, which can be done by passing an HTTP Basic authentication header containing the identifier and the secret.
An example, using unirest, but easily adapted to other HTTP clients:
const unirest = require('unirest');

unirest.post(tokenEndpointUrl)
    // Ask for a JSON response; the parameters themselves go form-encoded, as the spec requires
    .headers({
        'Accept': 'application/json',
        'Content-type': 'application/x-www-form-urlencoded'
    })
    // Client authentication: identifier and secret in an HTTP Basic header
    .auth({
        user: clientId,
        pass: clientSecret
    })
    // URL-encode the values so a code or redirect URI containing reserved characters is not corrupted
    .send(`redirect_uri=${encodeURIComponent(redirectUrl)}`)
    .send(`code=${encodeURIComponent(code)}`)
    .send('grant_type=authorization_code')
    .end(function (response) {
        // Handle response: response.body holds the parsed token response (access_token, token_type, ...)
    });
Although the fundamentals will probably not change, check each provider's documentation, because they may have extensions in place or be more flexible in how you can provide the info. For example, Auth0 (and I think Google is the same) will also allow you to pass the parameters in a JSON-encoded body instead of just in application/x-www-form-urlencoded format.
Update:
Specific authentication providers may implement additional libraries that simplify things for developers integrating with them. For example, Auth0 provides you with passport-auth0, which abstracts and simplifies the way you can integrate Auth0 authentication into your application.