
Connect to 3rd party rest api with oAuth2 security server when using own oauth2 implementing

I'm trying to find some best practices on how to solve my problem.

I have a microservice application with oauth2 and firebase for authentication and authorization. Our application needs to connect to a 3rd party rest api which is secured with oauth2 as well.

Is it possible to integrate both implementations or do I need to make my own solution?

One of my co-workers implemented the authorization-code flow needed to access the api and we basically store access and refresh_tokens in the database to access this 3rd party api. But it doesn't feel right, I can't find any best practices either, can anyone help me out?

What your co-worker implemented is pretty typical: separating out the authentication and authorization for your own application (which you manage with Firebase) from your users authorizing your use of the 3rd party API.

Here are some best practices you should be following when implementing your OAuth flow:

  • Use the state parameter to avoid CSRF attacks. Store it in your database and compare the callback state with the one that you randomly generated for the user.
  • Encrypt access and refresh tokens. Refresh tokens in particular provide long-lived access.
  • Verify that the scope you asked for is the scope that was returned: some providers allow users to adjust the permissions, which can lead to unexpected errors.
  • Make sure your refresh tokens don't expire. Check with the provider's docs to see how refresh tokens are deauthorized. Some are time-based, some are based on new refresh tokens being issued, but in any case, make sure your refresh token stays valid, as if it is not, you must get the user to re-authorize your application.

You can also use a managed OAuth provider to abstract away all these elements. Xkit, which I work on, integrates with Firebase Authentication so your users can authorize your app, and you can retrieve each user's tokens with one API call.
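The state check, scope verification and proactive refresh from the list above, as an added Python example that is not part of the original answer or of any library it mentions. The in-memory dict standing in for the database table, the URLs, client id and scope names are all constructed placeholders; token encryption at rest is left to a real KMS or Fernet-style library and is not shown here.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the database table of pending states: state -> (user_id, expires_at).
_pending_states: dict[str, tuple[str, float]] = {}
STATE_TTL_SECONDS = 600  # a state that is never used should not stay valid forever


def begin_authorization(user_id, authorize_url, client_id, redirect_uri, scopes):
    """Generate an unguessable state, persist it for this user, and build the redirect URL."""
    state = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, one per authorization attempt
    _pending_states[state] = (user_id, time.time() + STATE_TTL_SECONDS)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return f"{authorize_url}?{urlencode(params)}", state


def verify_callback(user_id, callback_url):
    """Reject callbacks whose state was not issued for this user (CSRF); return the code."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    entry = _pending_states.pop(state, None)  # one-time use: consumed whether or not it is valid
    if entry is None:
        raise ValueError("unknown or already-used state (possible CSRF)")
    owner, expires_at = entry
    if owner != user_id or time.time() > expires_at:
        raise ValueError("state does not belong to this user or has expired")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def verify_granted_scope(requested, token_response):
    """Providers may let the user trim permissions: fail early if anything requested is missing."""
    granted = set(token_response.get("scope", "").split())
    missing = set(requested) - granted
    if missing:
        raise PermissionError(f"user withheld scopes: {sorted(missing)}")
    return granted


def needs_refresh(token_record, now=None, margin=60):
    """Refresh before the stored access-token expiry, with a safety margin for clock skew."""
    now = time.time() if now is None else now
    return now >= token_record["expires_at"] - margin
```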
