使用OAuth2.0授权Rest API
[英]Authorization of rest api using OAuth2.0
问题描述
I am developing a REST API using node js and express js. 
我正在使用node js和express js开发REST API。 For example, my RESTful API end points are as follows 例如,我的RESTful API端点如下
/api/v1/books/:id
/api/v1/books
I want to authorize the end points only for specific application(web, android or ios). 我只想为特定应用程序(网络,Android或ios)授权端点。
**The users of the application may or may not authenticate in the application. **应用程序的用户可能会或可能不会在应用程序中进行身份验证。
ex: www.bookstore.com
bookstore android/ios app
ie. 即。 only these applications can have access to those end points. 只有这些应用程序才能访问这些端点。 How can I implement this using OAuth 2.0 and JWT 如何使用OAuth 2.0和JWT来实现
For example we can view every item in amazon(web/android/ios) without providing login credentials. 例如,我们可以查看亚马逊(web / android / ios)中的每个项目,而无需提供登录凭据。
How can this be implemented. 如何实现。
2 个解决方案
解决方案1
0 2018-02-20 01:11:36
Jwt and Oauth is used for user authentication and authorization. Jwt和Oauth用于用户身份验证和授权。 Here, I believe you want only specific clients to have access to your APIs. 在这里,我相信您只希望特定的客户端可以访问您的API。 For this purpose you may use joi validator available on npm registry. 为此,您可以使用npm注册表上可用的joi验证程序。 npm install joi. npm安装joi。 Now provide a schema for your app type and make it required. 现在为您的应用程序类型提供一个架构,并使其成为必需。
解决方案2
0 2018-02-21 08:59:42
The flow that you describe is a typical " client credentials grant ": 您描述的流程是典型的“ 客户端凭据授予 ”:
The client credentials (or other forms of client authentication) can
be used as an authorization grant when the authorization scope is
limited to the protected resources under the control of the client,
.... Client credentials are used as an authorization grant
typically when the client is acting on its own behalf (the client is
also the resource owner) ...
in this use case, the end-user is not required to login, only the client-id, which is your app. 在这种情况下,最终用户不需要登录,只需登录客户端ID(即您的应用)即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.