简体繁体 English

OAuth2 客户端凭据

[英]OAuth2 client credentials

原文 2022-05-18 20:38:16 1 1 node.js/ oauth-2.0

So right now I'm implementing oauth2 in my server, but I just want to support the client_credentials grant.所以现在我正在我的服务器中实现 oauth2，但我只想支持client_credentials授权。 The thing is, the node-oauth2-server says that supports this type of grant, and I pretty much debugged the whole library, and there are some things that doesn't make sense to me.问题是， node-oauth2-server说支持这种类型的授权，我几乎调试了整个库，有些东西对我来说没有意义。

As far as I understand, the client_credentials grant should work like this:据我了解， client_credentials授权应该像这样工作：

An internal request should be made to generate the client_id and client_secret for the client, this is the only time we will get the client_secret and we should give this to our client应该发出一个内部请求来为客户端生成client_id和client_secret ，这是我们唯一一次获得client_secret并且我们应该将其提供给我们的客户端
The client_id should be stored in database with any extra data (like the account id associated or something like this) and a hash of client_secret so we can later validate it client_id应该与任何额外的数据（如关联的帐户 ID 或类似的东西）和client_secret的哈希一起存储在数据库中，以便我们稍后验证它
The client sends a request to the server including the client_id and client_secret客户端向服务器发送请求，包括client_id和client_secret
The server should then generate an access token (in my case I will be using JWT) and return from the request.然后服务器应该生成一个访问令牌（在我的例子中，我将使用 JWT）并从请求中返回。 We also need to store this token in database so we can revoke the permission if needed我们还需要将此令牌存储在数据库中，以便我们可以在需要时撤销权限
The client must use this access token in future requests to access resources from server, and the server will validate on each request if the token is valid (didn't expire, didn't lose permissions, etc)客户端必须在以后的请求中使用此访问令牌从服务器访问资源，如果令牌有效（未过期，未丢失权限等），服务器将验证每个请求

I may be wrong about this, but this is what I need and this exactly what C# Identity does and it is explained here .我可能错了，但这就是我需要的，这正是C# Identity所做的，这里有解释。

In my case I'm working with nodejs.就我而言，我正在使用 nodejs。 Actually is a NestJS project, so I was trying to use this lib which is basically a wrapper for node-oauth2-server , and if you take a look inside node-oauth2-server , looks like they only support authorization codes, this is because the AuthorizeHandler.handle() always returns an authorization code and AuthenticateHandler.handle() always expects the authorization code and returns the access token.实际上是一个 NestJS 项目，所以我试图使用这个库，它基本上是node-oauth2-server的包装器，如果你看一下node-oauth2-server ，看起来它们只支持授权码，这是因为AuthorizeHandler.handle()总是返回一个授权码，而AuthenticateHandler.handle()总是需要授权码并返回访问令牌。 Basically I need to call the AuthenticateHandler.handle() but instead of checking the authorization code, I must pass and check the client_id and client_secret .基本上我需要调用AuthenticateHandler.handle()但不是检查授权码，我必须通过并检查client_id和client_secret 。

This is a recent issue which has the exact same issue than me: https://github.com/oauthjs/node-oauth2-server/issues/552这是最近的一个问题，与我的问题完全相同： https ://github.com/oauthjs/node-oauth2-server/issues/552

So, first, I want to confirm that I'm right and this lib have this implemented in a bad way, and second, is there any other nodejs lib that has client_credentials built in?所以，首先，我想确认我是对的，并且这个库的实现方式很糟糕，其次，是否还有其他内置了client_credentials的 nodejs 库？

1 个解决方案

As you've mentioned that it doesn't support client_credentials grant at the moment, you can still utilize the authorization code flow grant type internally to get the access token.正如您所提到的，它目前不支持client_credentials授权，您仍然可以在内部使用授权代码流授权类型来获取访问令牌。

Prepare client_credentials grant type request and submit to server.准备 client_credentials 授权类型请求并提交给服务器。
Map this request to authorization code flow with additional attributes require for the authorization code flow.将此请求映射到具有授权代码流所需的附加属性的authorization code流。
Submit the request to Authorization server.向授权服务器提交请求。
Get the code from response.从响应中获取代码。
Prepare the token exchange call with the oauth code .使用oauth code准备令牌交换调用。
Get the access_token .获取access_token 。
Return the token in response to client_credentials call.返回令牌以响应 client_credentials 调用。