What is the correct way to use OAuth for mobile and website consuming my own API?
I have a question more related to the way OAuth 2 is working, but since I am using IdentityServer to implement OAuth I think it's relevant. I could not find an answer anywhere.
I'm building a website and a mobile app that consume my own API. Each user of my app will have a username and password that will give him access to the app/website and, through the API, to his information.
I'm not sure about the right way to handle the flow for user login:
Edit
Just to clarify, because I find a lot of lectures and articles that explain the process from an API consumer's point of view (i.e. the third-party developer): I am the API owner and the auth server owner, I'm the owner of the user accounts (they are my users of my services), I'm also my own consumer (through the website and the mobile app), and in the future I want to enable third-party developers to allow my users to log in with their accounts of my service (kinda like Facebook or Google).
You're correct that you shouldn't store the client_secret in your app, but I doubt you will get around storing the client_id. You could disable the consent screen for your app as well, and build a native login view. You need to store the access_token and the refresh_token on the device (maybe encrypted in a database) if you don't want the user to log in every time they use your app.
As for problem 4, you could do the following:
1. Embed the client_secret in your (web) app
2. The client computes a session_secret using hash(ip_address + session_salt)
3. The client uses the session_secret and the client_secret for the API call
4. The server verifies the hash and the client_secret
It's nearly impossible to completely prevent someone from using your API. But you should add various rate limiting methods, such as limiting IP addresses, API calls etc. But nothing will stop someone decompiling your app and accessing your client_id.
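The server side of the scheme sketched in the answer, as an added example that is not the answerer's code and not part of IdentityServer: the server issues a per-session salt, the client derives session_secret = hash(ip_address + session_salt) exactly as described, and the server recomputes and compares it (constant-time) together with the client_secret, then applies the per-IP rate limiting the answer recommends. The names SessionStore, RateLimiter, CLIENT_SECRET and the sample IP addresses are assumptions constructed for this example. Note that the check only holds as long as client_secret stays secret, which, as the answer itself points out, an embedded secret in a decompilable app cannot guarantee; the rate limiter is what bounds the damage when it leaks.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Constructed value for the demonstration; a real deployment keeps this
# out of source control and out of any public client it cannot protect.
CLIENT_SECRET = "demo-client-secret"


def session_secret(ip_address: str, session_salt: str) -> str:
    """Client-side derivation from the answer: hash(ip_address + session_salt)."""
    return hashlib.sha256((ip_address + session_salt).encode("utf-8")).hexdigest()


class SessionStore:
    """Server side: hands out a random salt per session and verifies API calls."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}  # session_id -> session_salt

    def start_session(self) -> tuple[str, str]:
        """Called after the user logs in; returns (session_id, session_salt)."""
        session_id = secrets.token_urlsafe(16)
        session_salt = secrets.token_urlsafe(16)
        self._sessions[session_id] = session_salt
        return session_id, session_salt

    def verify(self, session_id: str, ip_address: str,
               presented_hash: str, presented_client_secret: str) -> bool:
        """Step 4 of the answer: recompute the hash for the caller's IP and
        check it, plus the client_secret, with constant-time comparisons."""
        session_salt = self._sessions.get(session_id)
        if session_salt is None:
            return False  # unknown or expired session
        expected = session_secret(ip_address, session_salt)
        hash_ok = hmac.compare_digest(expected, presented_hash)
        secret_ok = hmac.compare_digest(CLIENT_SECRET, presented_client_secret)
        # Evaluate both so a wrong secret and a wrong hash cost the same time.
        return hash_ok and secret_ok


class RateLimiter:
    """Sliding-window limiter keyed by IP: at most `limit` calls per `window` seconds."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._calls: dict[str, deque] = defaultdict(deque)

    def allow(self, ip_address: str, now: float) -> bool:
        """`now` is passed in (seconds) so the behaviour is deterministic and testable."""
        calls = self._calls[ip_address]
        while calls and calls[0] <= now - self.window:
            calls.popleft()  # drop timestamps that fell out of the window
        if len(calls) >= self.limit:
            return False
        calls.append(now)
        return True


def handle_api_call(store: SessionStore, limiter: RateLimiter, now: float,
                    session_id: str, ip_address: str,
                    presented_hash: str, presented_client_secret: str) -> str:
    """Order matters: rate limit first, so a flood of bad credentials still gets throttled."""
    if not limiter.allow(ip_address, now):
        return "429 too many requests"
    if not store.verify(session_id, ip_address, presented_hash, presented_client_secret):
        return "401 unauthorized"
    return "200 ok"


if __name__ == "__main__":
    store, limiter = SessionStore(), RateLimiter(limit=3, window_seconds=60)
    sid, salt = store.start_session()
    client_ip = "203.0.113.5"  # constructed documentation address
    h = session_secret(client_ip, salt)  # what the client computes and sends
    print(handle_api_call(store, limiter, 100.0, sid, client_ip, h, CLIENT_SECRET))
    print(handle_api_call(store, limiter, 101.0, sid, "198.51.100.7", h, CLIENT_SECRET))
```

Binding the session secret to the source IP means a mobile user whose address changes (Wi-Fi to cellular) will fail verification and must re-derive the secret after a new login; that is a usability trade-off of the scheme, not a bug in the check.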
Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original source. For any questions contact: yoyou2525@163.com.