Is there an OpenID Connect grant type or mechanism for an app to poll for the auth-code when `redirect_uri` doesn't apply?
If you have an on-device application (e.g. desktop program, mobile device app) you can use OpenID Connect with some caveats:
Using Resource Owner Credentials (`grant_type: password`) is the simplest, but might not be possible if the authentication server operator won't let you use that grant-type because of trust reasons (i.e. they don't want you collecting the user's username+password yourself), or if they have a dynamic or custom authentication UI that would be hard to replicate in a native app.
With the interactive flows (implicit, hybrid) the authentication server's authentication page is shown in an in-app web-view. Most users will have no idea that the application can snoop on the authentication page and capture their username and password, especially on mobile devices, but this way the application code can easily capture the authorization code and/or access token, and automatically dismiss the web-view without any additional user interaction. (I'm surprised I haven't heard of more cases of users' details being captured by malicious apps this way.)
...so the advice is to always open the authentication page using the system's web-browser, but on the Windows desktop there is no good, standard way for the system web-browser to return the server response to the application code, though there are a number of approaches currently in use:
- … `access_token` response) back into the desktop application.
- … `access_token` that way.
- … `authHelper.exe` that when invoked forwards its command-line arguments to a named-pipe in the user's session. … `authHelper.exe` as a temporary URI scheme handler in the per-user `HKCU\Software\Classes` key, e.g. `my-application:` such that the contents of any `my-application:` URI are passed as arguments into `authHelper.exe`. … `redirect_uri` parameter set to `my-application:`, so after the user authenticates in the browser, the browser will request the custom URI scheme which is handled by Windows, which invokes `authHelper.exe "access_token=..."` which then sends the data down the named-pipe to the running application. … `HKCU\Software\Classes` key, or if they're using a version of Windows that doesn't support custom URI scheme handlers with EXE registrations then this doesn't work.

I was wondering if a different approach could be used: why can't the application simply poll the authentication server for the status of the authentication attempt? Or does this approach already exist, and if so, what is the name of the flow or grant?
Here's the flow I'm proposing:
… `status: pending`, but eventually after the user successfully authenticates within a timeout window then the application's poll request would indicate a successful attempt and also contains the `access_token` or authorization code as is applicable. If the user failed to authenticate (e.g. 3 incorrect attempts) or left the window open long enough causing a timeout then the poll response would indicate failure.

Does this already exist and does it have a name? Are there any potential security risks or vulnerabilities with this approach?
It exists and has a name, "OAuth 2.0 Device Flow for Browserless and Input Constrained Devices", but is not yet fully standardized, see: https://tools.ietf.org/html/draft-ietf-oauth-device-flow

Google also implemented this flow avant-la-lettre in a vendor-specific way: https://developers.google.com/identity/protocols/OAuth2ForDevices