
Programmatic authentication with oauth2

We have used the API of some organization for some time, but now they are starting to use OAuth2 for authentication. Their API is completely used programmatically by our application. So now we have to authenticate with OAuth2 so we can use their API again.

I am a little confused about this authentication process. Is there a way to authenticate with OAuth programmatically? It says that when authenticating, the user will be asked to log in before continuing with authentication; how do you achieve this login from code only? Or do you need to authenticate first using a browser and then use the access token for further requests from the application? What is the typical process of OAuth2 authentication for this scenario?

EDIT: There is only one user that is the account used for our application for accessing their data. That user is registered on their end as the consumer of the API.

You are confusing different OAuth flows. The flow where a user authenticates is usually the authorization_code flow, whereas the one you want to use should be the client_credentials flow.

Let's call your application 'A' and the organization whose service you're consuming 'B'.

In the client_credentials flow, A will send its client_id and client_secret to B's authorization server. This server will return an access token that you can now use to call B's resource server (the service itself).

+---------------+          +------------------+
| Application A |    1     | Authorization    |
|               +----------+ server           |
+---------------+    2     +------------------+

+---------------+          +------------------+
| Application A |    3     | Resource Server  |
|               +----------+                  |
+---------------+    4     +------------------+

  1. Token request with client_id and client_secret
  2. Token response: json with an access_token
  3. Service request with the header "Authorization: Bearer <access_token>"
  4. Service response as usual.

The token request usually has this format:

POST /token HTTP/1.1
Host: authorization-server.com

grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

But some may opt to enforce the other option: passing the client credentials in the Authorization header:

POST /token HTTP/1.1
Host: authorization-server.com
Authorization: Basic base64(client_id:client_secret)

grant_type=client_credentials

base64 here denotes the function, not a literal string.
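To make the two request shapes above concrete, here is an added Python example (not part of Turtle's answer, and not the API of any real provider) that builds the token request in either form, validates the JSON token response, and caches the bearer token so that it is refreshed shortly before it expires instead of on every call. The token URL, client_id, client_secret and the `transport` callable are assumptions; the session is given a pluggable transport precisely so the logic can be exercised offline against a constructed response.

```python
"""Client-credentials (RFC 6749 section 4.4) token client for a single machine account.

Added example, not code from the original answer. TOKEN_URL and the credentials
below are placeholders; a real client reads them from its own configuration.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://authorization-server.com/token"  # assumed placeholder


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Value for 'Authorization: Basic base64(client_id:client_secret)'.

    RFC 6749 section 2.3.1 says both parts are form-urlencoded before they are
    joined with ':' and base64-encoded, which matters if a secret contains ':'.
    """
    raw = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_token_request(client_id, client_secret, scope=None, credentials_in_header=True):
    """Return (headers, body) for the POST /token request, in either of the two forms."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    if credentials_in_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:  # credentials in the body, as in the first request shape above
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return headers, urllib.parse.urlencode(form)


def parse_token_response(raw_json: str, now=None):
    """Validate the JSON token response; return (access_token, absolute expiry time)."""
    data = json.loads(raw_json)
    if "error" in data:  # RFC 6749 section 5.2 error body, e.g. invalid_client
        raise RuntimeError(f"token request failed: {data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data.get("expires_in", 3600))


def urllib_transport(url, headers, body):
    """Default transport: POST the form and return the response body as text."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # Token errors come back as 400/401 with a JSON body that we still want to parse.
        return err.read().decode("utf-8")


class ClientCredentialsSession:
    """Caches the bearer token and refreshes it `skew` seconds before it expires."""

    def __init__(self, client_id, client_secret, transport=urllib_transport,
                 token_url=TOKEN_URL, scope=None, skew=30):
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._token_url, self._scope, self._skew = transport, token_url, scope, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now + self._skew >= self._expires_at:
            headers, body = build_token_request(self._client_id, self._client_secret, self._scope)
            raw = self._transport(self._token_url, headers, body)
            self._token, self._expires_at = parse_token_response(raw, now=now)
        return self._token

    def authorized_headers(self, now=None) -> dict:
        """Headers for step 3: the service request carrying the bearer token."""
        return {"Authorization": "Bearer " + self.access_token(now)}


if __name__ == "__main__":
    session = ClientCredentialsSession("my-client", "s3cret")  # constructed sample credentials
    print(session.authorized_headers())  # performs the token request against TOKEN_URL
```

The secret never leaves the process except inside the token request, and the session requests a new token only when the cached one is within `skew` seconds of expiry, so a single long-lived account (as in the question) does not hit the authorization server on every API call.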

I upvoted both the question and Turtle's answer. I think anyone who has looked up this question like I have would also benefit from:

https://auth0.com/docs/authorization/flows/which-oauth-2-0-flow-should-i-use

There are different flows. Think of them in box / handshake diagrams before code.
