Oauth 2.0无需访问即可将访问令牌重定向到其他页面
[英]Oauth 2.0 get access token without redirecting the user to different page
问题描述
I wanted to implement a login flow where users can log on my website using 
我想实现一个登录流程,使用户可以使用以下方式登录我的网站
- 3rd party Oauth providers, OR 第三方Oauth提供商,或者
- Email id and password. 电子邮件ID和密码。
For point 1, I get it that 对于第一点,我明白了
- Grant type would be "Authorization code". 授予类型为“授权码”。
- My website will redirect the user to 3rd party Oauth provider 我的网站会将用户重定向到第三方Oauth提供商
- I will get an authorization code and then access token using the code. 我将获得一个授权代码,然后使用该代码访问令牌。
For point 2, 对于第二点
- I will be hosting a Oauth server 我将托管Oauth服务器
- I do not want to redirect user to a different page, so "authorization code", "client credentials" and "implicit" grant types isn't what I am looking for. 我不想将用户重定向到其他页面,所以我不是要查找“授权代码”,“客户端凭据”和“隐式”授予类型。
- Which leaves me with "Resource owner password credentials". 这给我留下了“资源所有者密码凭证”。
- If I use "Resource owner password credentials" I have to expose the client secret to the web application, which I heard is a bad idea. 如果使用“资源所有者密码凭据”,则必须将客户端机密公开给Web应用程序,听说这是个坏主意。
My query: 我的查询:
- What is the most appropriate way to get access token without redirecting the user to different page. 在不将用户重定向到其他页面的情况下获取访问令牌的最合适方法是什么。 Currently the authorization server is the server which is hosting the main application. 当前,授权服务器是承载主应用程序的服务器。 I want this to validate a user using email and password which are stored on my website itself 我希望这可以使用存储在我的网站本身中的电子邮件和密码来验证用户
- If "Resource owner password credentials" is the way to go, what are the security implications of exposing the client secret. 如果要使用“资源所有者密码凭据”,那么公开客户端机密的安全性意味着什么。
I am new to Oauth so please correct me if I am wrong anywhere. 我是Oauth的新手,所以如果我在任何地方都不对,请纠正我。
Note: My Client application is an Angular 2 app in browser. 注意:“我的客户端”应用程序是浏览器中的Angular 2应用程序。
Thanks. 谢谢。
1 个解决方案
解决方案1
0 2017-07-04 21:30:13
You can use a popup sign-in window to complete the sign in with the implicit flow. 您可以使用弹出式登录窗口以隐式流程完成登录。 This will load up the identity providers sign-in page (the /authorize endpoint), but will not do a full redirect in your browser. 这将加载身份提供者登录页面(/ authorize端点),但不会在浏览器中进行完全重定向。 Then the identity provider can set the appropriate cookies and get you an access token. 然后,身份提供者可以设置适当的cookie并获取访问令牌。 This is the canonical pattern for single-page apps (angular, react, etc.). 这是单页应用程序的规范模式(角度,反应等)。 Here's some reading that can give some color to the protocol (in the scope of Azure AD, but a lot of this transcends identity provider implementation details). 这是一些可以给协议增添色彩的读物 (在Azure AD的范围内,但其中很多超越了身份提供程序的实现细节)。
The resource owner password flow is generally not a good idea, but can be used in a few situations. 资源所有者密码流通常不是一个好主意,但是可以在少数情况下使用。 Things like daemons apps or testing are good cases. 守护程序应用程序或测试之类的东西就是很好的例子。 In general, it's very brittle and won't support things like MFA or dynamic consent situations. 一般来说,它非常脆弱,不支持MFA或动态同意情况。 Moreover, it's intrinsically less secure that a tradtional implicit or auth code flow. 而且,从本质上讲,传统的隐式或身份验证代码流的安全性较低。 Here's a great blog post about good cases to use it in the scope of Azure AD (enterprise account identity provider). 这是一篇很棒的博客文章,介绍了在Azure AD(企业帐户身份提供者)的范围内使用它的良好案例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.