
Programmatic authentication with oauth2

We have used the API of some organization for some time, but now they are starting to use OAuth2 for authentication. Their API is completely used programmatically by our application. So now we have to authenticate with OAuth2 so we can use their API again.

I am a little confused about this authentication process. Is there a way so one can authenticate with OAuth programmatically? It says that when authenticating the user will be asked to log in before continuing with authentication; how do you achieve this login only from code? Or do you need to authenticate first using a browser and then use the access token for further requests from the application? What is the typical process of OAuth2 authentication for this scenario?

EDIT: There is only one user, which is the account used for our application for accessing their data. That user is registered on their end as the consumer of the API.

You are confusing different OAuth flows. The flow where a user authenticates is usually the authorization_code flow, whereas the one you want to use should be the client_credentials flow.

Let's call your application 'A' and the organization whose service you're consuming 'B'.

In the client_credentials flow, A will send its client_id and client_secret to B's authorization server. This server will return an access token that you can now use to call B's resource server (the service itself).

+---------------+          +------------------+
| Application A |    1     | Authorization    |
|               +----------+ server           |
+---------------+    2     +------------------+

+---------------+          +------------------+
| Application A |    3     |Resource Server   |
|               +----------+                  |
+---------------+    4     +------------------+

  1. Token request with client_id and client_secret
  2. Token response: JSON with an access_token
  3. Service request with the header "Authorization: Bearer "
  4. Service response as usual.

The token request usually has this format:

POST /token HTTP/1.1
Host: authorization-server.com

grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx 

But some may opt to enforce the other option: passing the client info in the Authorization header:

POST /token HTTP/1.1
Host: authorization-server.com
Authorization: Basic base64(client_id:client_secret)

grant_type=client_credentials

base64 is here the function, not the literal string.
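The following is an added example, not part of Turtle's answer or of any real client library. It builds both token-request forms from the answer (credentials in the form body, or in the Authorization: Basic header with base64 applied to the joined credentials), then caches the returned access_token and re-requests it shortly before expires_in runs out. fake_auth_server, ISSUED and the credentials app-a / s3cret are constructed stand-ins so the code runs offline.

```python
import base64
import json
import time
from urllib.parse import urlencode

def basic_auth_header(client_id: str, client_secret: str) -> str:
    # base64 is applied to the joined bytes "client_id:client_secret", not to the literal text
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")

def token_request(client_id: str, client_secret: str, in_header: bool = True):
    """(headers, form body) for step 1; in_header=True uses the Basic header, False the body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if in_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        params.update(client_id=client_id, client_secret=client_secret)
    return headers, urlencode(params)

def bearer_header(access_token: str) -> dict:
    """Header for step 3: calling B's resource server with the issued token."""
    return {"Authorization": f"Bearer {access_token}"}

class TokenCache:
    """Keeps one access_token and re-requests it shortly before expires_in runs out."""
    def __init__(self, send, client_id: str, client_secret: str, skew: int = 30):
        self.send = send  # hypothetical transport: callable(headers, body) -> JSON text
        self.client_id, self.client_secret, self.skew = client_id, client_secret, skew
        self.token, self.expires_at = None, 0.0

    def get(self, now=None) -> str:
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires_at - self.skew:
            headers, body = token_request(self.client_id, self.client_secret)
            resp = json.loads(self.send(headers, body))
            if "error" in resp:  # e.g. invalid_client: surface it, do not loop on retries
                raise PermissionError(resp["error"])
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            self.token = resp["access_token"]
            self.expires_at = now + int(resp.get("expires_in", 0))
        return self.token

ISSUED = []  # constructed stand-in for B's authorization server below; records each issued token
def fake_auth_server(headers: dict, body: str) -> str:
    if headers.get("Authorization") != basic_auth_header("app-a", "s3cret"):
        return json.dumps({"error": "invalid_client"})
    ISSUED.append(f"tok-{len(ISSUED) + 1}")
    return json.dumps({"access_token": ISSUED[-1], "token_type": "Bearer", "expires_in": 3600})
```

Wire `TokenCache.send` to your real HTTP client and pass `bearer_header(cache.get())` on every call to the resource server; the cache handles refresh so a stale token is never sent.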

I upvoted both the question and Turtle's answer. I think anyone who has looked up this question like I have would also benefit from:

https://auth0.com/docs/authorization/flows/which-oauth-2-0-flow-should-i-use

There are different flows. Think of them in box / handshake diagrams before code.
