Spring 启动,OAuth2 自定义身份验证服务器
[英]Spring Boot, OAuth2 Custom Auth Server
问题描述
I am trying to venture into the full-stack development realm during some of my free time, and I just have a few general questions about my current understanding of OAuth2.
在我的一些空闲时间里,我试图冒险进入全栈开发 realm,我只是对我目前对 OAuth2 的理解有一些一般性的问题。 I am very green when it comes to this stuff, but I've watched some Udemy videos to gain a basic understanding.我对这些东西很陌生,但我看过一些 Udemy 视频以获得基本的了解。
Anyway... this project that I'm working on, I'm planning on having a custom authorization server, a resource server, and a single client (which will likely be a SPA).无论如何...我正在从事的这个项目,我计划拥有一个自定义授权服务器、一个资源服务器和一个客户端(可能是一个 SPA)。 This authorization server will only allow the authorization code (probably with the PKCE extension) grant type.此授权服务器将只允许授权代码(可能带有 PKCE 扩展)授权类型。 Which leads me to my first general question...这引出了我的第一个一般性问题......
Intuitively, I assumed that the password grant type would be sufficient.直觉上,我假设密码授予类型就足够了。 As I've done more and more reading, it looks like this grant flow is not the way to go.随着我阅读的越来越多,看起来这个授权流程不是通往 go 的方式。 As I understand it, using this flow would require the client to provide some form so that the user may login.据我了解,使用此流程需要客户端提供某种形式,以便用户可以登录。 Doing so gives the client access to user credentials, which very much defeats one of the purposes of OAuth2.这样做使客户端可以访问用户凭据,这在很大程度上违背了 OAuth2 的目的之一。 I'm not sure this is an issue with what I'm developing, however, because I am creating the authorization server.但是,我不确定这是我正在开发的问题,因为我正在创建授权服务器。 I know by using this grant flow, I am not validating the client.我知道通过使用这个授权流程,我没有验证客户。 Can someone explain how this might be an issue?有人可以解释这可能是一个问题吗? Is there anything else I'm missing here?还有什么我在这里想念的吗? Everything I've read has deterred me from using this grant flow, which is mostly why I ended up deciding on the authorization code (w/ PKCE) flow.我读过的所有内容都阻止了我使用这个授权流程,这主要是我最终决定授权代码(w/PKCE)流程的原因。
So... assuming I go with this flow, my client should provide a login button.所以......假设我使用此流程 go ,我的客户应该提供一个登录按钮。 Pressing this login button will re-direct the client to a web page where the resource owner can authorize the client and provide user credentials.按此登录按钮会将客户端重定向到 web 页面,资源所有者可以在该页面授权客户端并提供用户凭据。 My authorization server will then validate these user credentials.然后,我的授权服务器将验证这些用户凭据。 I plan on storing user credentials in a database on the VM running the auth server.我计划将用户凭据存储在运行身份验证服务器的 VM 上的数据库中。 I don't plan on allowing users to register an account.我不打算允许用户注册帐户。 Instead, I'm just going to have a static list of account credentials in this database for people on my team.相反,我将在此数据库中为我的团队成员提供一个 static 帐户凭据列表。 So I guess I'm just going to insert these accounts when the database is created?所以我想我只是要在创建数据库时插入这些帐户? If so, how do I allow these users to change their passwords?如果是这样,我如何允许这些用户更改他们的密码? I guess I'm thinking that initially these accounts will be assigned an e-mail, username, and random password that I can communicate with them.我想我在想,最初这些帐户将被分配一个电子邮件、用户名和随机密码,我可以与他们交流。 However, I'd like the user an option to change this random password to something more familiar.但是,我希望用户可以选择将此随机密码更改为更熟悉的密码。 I don't currently know how to do something like this with the OAuth2 implementation.我目前不知道如何用 OAuth2 实现做这样的事情。 Do I just provide a way in the client to change the password when the user is logged in?当用户登录时,我是否只是在客户端中提供一种更改密码的方法? If so, doesn't this somewhat defeat the purpose of using OAuth2 as now my client would have knowledge of the user credentials?如果是这样,这是否有点违背使用 OAuth2 的目的,因为现在我的客户将了解用户凭据? If I were to do this, however, would this just be implemented as a POST request to a REST API at the auth server for updating the password?但是,如果我要这样做,这是否只是作为对身份验证服务器上的 REST API 的 POST 请求来更新密码?
Thanks!谢谢!
1 个解决方案
解决方案1
0 2021-11-18 14:42:51
I would start by using a free cloud provider as the Authorization Server.我将从使用免费的云提供商作为授权服务器开始。 Have a look at the following tutorial of mine, which uses Authorization Code Flow + PKCE:看看我的以下教程,它使用授权代码流 + PKCE:
This sample uses AWS Cognito which is a fast option for getting started.此示例使用AWS Cognito ,这是一个快速入门选项。 It will enable you to create users - they will then be prompted to change the password on the first login.它将使您能够创建用户 - 然后将提示他们在第一次登录时更改密码。
The important points are these:重点是这些:
- Write simple standards based code in your apps and spend time learning the recommended flows and design ppatterns在您的应用程序中编写基于标准的简单代码,并花时间学习推荐的流程和设计模式
- Once code is written you should be able to switch to a different Authorization Server later, if needed编写代码后,如果需要,您应该能够稍后切换到不同的授权服务器
- Avoid building your own Authorization Server, and use one that has been provided by specialists避免构建自己的授权服务器,并使用专家提供的授权服务器
You should only need Spring for the resource server (my API above uses Node.js).对于资源服务器,您应该只需要 Spring(我上面的 API 使用 Node.js)。 If you want an easy to follow Spring resource server sample maybe see this one .如果您想要一个易于遵循的 Spring 资源服务器示例,可以查看这个。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.