oauth2 openid connect javascript (electron) desktop application

What is the correct oauth2 flow for a desktop application? Besides a desktop application I have a SPA Web GUI which does use the Implicit flow. There it does not matter if the client redirects after 3600s to the IdP to issue a new Access token.

But the desktop application needs to be running 24/7 or could be running 24/7. So it needs to automatically refresh the access token via a refresh_token. But since the implicit flow does not provide refresh tokens it is probably the wrong flow for a desktop app, isn't it?

I guess I need the auth code flow, which does provide a refresh_token. But authentication requests need a redirect_uri. Let's say I want to use Google as my openid provider. With Google it looks like I can't register client credentials with a custom URI scheme ( https://developers.google.com/identity/protocols/OpenIDConnect ). What does work is to register for example http://localhost:9300 , which theoretically could be handled by the app.

A

What's the correct oauth2 flow for a desktop app to receive a refresh_token?

B

Can I catch the redirect_uri via a custom URI scheme without using the implicit flow (Google IdP)? It is way easier to listen for a custom URI scheme than to listen on a local TCP port.

C

This is more a general question. Usually desktop apps are public apps, so I should not include client_secret, right? So the only flow which would be left is the implicit flow. But how can I renew access tokens according to the specs without bothering the desktop user every 3600s? In my case I could publish the app locally, so not public, but how is it for a public app?

A - Authorization Code Grant

B - Not sure here. You can register a Custom URI Scheme.

C - Not enough information provided. Are you using the AppAuth libraries? If so you SHOULD use PKCE, and then additional security measures for the refresh token should not be necessary, on the assumption that the client never sends the refresh token to anyone other than the IDP over a secure connection.

Does this help?

A: Yes, use the code grant.

B: Yes, use a custom scheme. In your case you should use the reverse of your client ID, e.g. com.googleusercontent.apps.123 is the reverse DNS notation of the client ID. Register your client as "Other" in the Google developer console.

C: Yes, it should not include the client secret. That is why you don't need to send the secret for native clients ("Other") when exchanging the code for a refresh token. Just leave that field blank and it'll work.

As suggested by jwilleke, please use an AppAuth library if it is available for your use case, as it'll also handle some of the security issues (PKCE).

For native apps (Desktop), you can follow OAuth 2.0 for Native Apps. But this is still under review and you can refer to the latest draft from the provided link.

With this flow, you can use the authorisation code flow to obtain both an access token and a refresh token. Refresh tokens should solve the UX-related issue when it comes to extended app usage (24/7 and beyond).

According to this working document, there are strict guidelines on client authentication. Section 8.5 discusses them. As it says, client credentials are not recommended:

For this reason, and those stated in Section 5.3.1 of [RFC6819] , it is NOT RECOMMENDED for authorization servers to require client authentication of public native apps clients using a shared secret

Also, as nvnagr has mentioned in his answer, PKCE [RFC7636] is a must-have for native public clients.
