
OAuth2 Provider with custom authentication

I am trying to implement an OAuth2 Provider that authenticates users with a custom login. For understanding I looked at the Spring Boot OAuth2 tutorial. I don't quite get how I can implement my own authentication mechanism to work with the OAuth2 SSO from my server.

I want to add custom authentication mechanisms (like "user has to answer a question for authentication" or "user has to enter id and click button for authentication") instead of the Facebook and Github examples.

I read about implementing my own AuthenticationProvider, but I am stuck on how to combine all the puzzle parts.

Let's go one step at a time. OAuth is only an authz provider, so it does not talk about authentication. Now for your use case specifically, if you want the user to be authenticated then the OAuth authz code based flow makes sense (you can even go for the implicit flow, check RFC 6749). Now, how will this work for you? I am picking up the implicit flow for simplicity; the authz flow is just an extension of it where the end client gets a temporary code which it exchanges with the Identity Server later to get the access token. Here are the steps:

  1. The client app hits the /authorization URI with data as per RFC 6749.
  2. After validating the submitted data, the server forwards the user to the login page (or another page for authentication). After authentication, a cookie is set in the browser or data is stored on the server to mark the user as authenticated.
  3. After authentication the server redirects the user to the user consent page (you can even skip this depending on need, but the OAuth 2 spec contains this) where the user specifies which permissions (scopes) are allowed; here the user can either allow or deny.
  4. If the user allows, then these permissions are submitted to the server; the server stores the data and redirects the user to the client URI with the access token in the # fragment of the client redirect URI (the callback URI submitted during the actual request).
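The four steps above, modelled as a single /authorization handler; this is an added example, not code from the answer or from Spring Security. The client registry, the session dict and the `/login` and `/consent` paths are assumptions, and the point it adds is where the server must fail in place (bad client or redirect URI) versus redirect back with an error or token in the fragment.

```python
import secrets
from urllib.parse import urlencode

# Constructed client registry (assumption): each client has an exact-match
# redirect URI allow-list and the scopes it may request (RFC 6749 sec. 3.1.2).
CLIENTS = {"app1": {"redirect_uris": {"https://app.example/cb"},
                    "scopes": {"read", "write"}}}


def authorization(params: dict, session: dict) -> dict:
    """Model of the /authorization endpoint for the implicit flow.
    params: query parameters; session: server-side state for the browser.
    Returns a dict standing in for the HTTP response."""
    client = CLIENTS.get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    # Step 1: unknown client or unregistered redirect_uri -> fail in place,
    # never redirect (redirecting here would make the server an open redirector).
    if client is None or redirect_uri not in client["redirect_uris"]:
        return {"status": 400, "error": "invalid_request"}
    state = params.get("state")

    def back(fragment: dict) -> dict:
        # Errors and tokens both go in the # fragment; echo state unchanged so the
        # client can tie the response to the request it made.
        if state is not None:
            fragment["state"] = state
        return {"status": 302, "location": redirect_uri + "#" + urlencode(fragment)}

    if params.get("response_type") != "token":
        return back({"error": "unsupported_response_type"})
    scopes = set(params.get("scope", "").split()) or client["scopes"]
    if not scopes <= client["scopes"]:
        return back({"error": "invalid_scope"})
    # Step 2: no authenticated user in the session -> send to the (custom) login.
    if "user" not in session:
        return {"status": 302, "location": "/login?" + urlencode({"next": "/authorization"})}
    # Step 3: consent; None = not asked yet, False = denied by the user.
    consent = session.get("consent")
    if consent is None:
        return {"status": 302,
                "location": "/consent?" + urlencode({"scope": " ".join(sorted(scopes))})}
    if not consent:
        return back({"error": "access_denied"})
    # Step 4: issue a fresh bearer token in the fragment of the registered URI.
    return back({"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                 "expires_in": 3600, "scope": " ".join(sorted(scopes))})
```

The authz code flow differs only in step 4: `back` would carry a short-lived `code` in the query string instead of a token in the fragment, and the client would exchange it at a token endpoint.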
