I'm looking to set up Django to use OAuth2 to authenticate users for a service that I'm running, but I'm having a bit of difficulty understanding how the tokens are passed around.
I've been working my way through this tutorial: https://django-oauth-toolkit.readthedocs.org/en/0.7.0/tutorial/tutorial_01.html. I've been able to get a server up and running as the OAuth provider, and it seems to be working as it should. I'm able to log in to it and set up an application. The difficulty I'm having is figuring out how the various tokens are passed around.
Suppose that my OAuth provider is sitting on one server - let's call this Provider.com - and my service that I'm wanting authenticated is on service.com. When a user first tries to make a request to the service, they first need to authenticate against the Provider. So they click on a login button which directs them to Provider.com. They enter their credentials. If everything is set up correctly on the server, they should be presented with a prompt that gives them a chance to allow or deny Service.com from accessing their account on Provider.com. Supposing that they click Allow, they are then redirected to Service.com, and are given a token. On future calls to Service.com, they pass in the token, and are, in theory, able to make authenticated calls.
The problem I'm having understanding is this: At what point do the Provider and the Service communicate? If a call comes in to the Service, how does it know that the authentication token passed in with the call is valid? There's no way it could know that a particular token is valid unless: A) it recognizes that same token from a previous call which was also authenticated, or B) it talks to the OAuth 2 provider and verifies the authenticity of the token.
A diagram like the one found here shows the process in the browser:
At the end of this, it has the Client App sending the authentication code, client id, and client secret to the OAuth2 provider. In the previously mentioned tutorial, it isn't really clear how this is actually done. In the tutorial, the provider and the service are on the same machine, and it would appear that they also share the same database.
This brings about my question: How does one host a Django-based OAuth provider on a separate server from the resource/service being accessed? Is this possible?
From this other post, it indicates that this might not be possible: https://*.com/a/26656538/1096385 Is that indeed the case, at least with the existing Django OAuth2 provider framework?
1 solution
#1
1
It depends on the oauth2 flow you're using. It seems like you're using authentication code.
In that case:
service.com sends the browser to provider.com for user authentication (the URI contains service.com's client_id and redirect_uri). The user authenticates on provider.com, then the browser is redirected to service.com's redirect_uri with a ?code parameter. On your server side, handle this code parameter and ask for a token with it.
See https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps
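An added example of the exchange the answer describes (this is not code from the question, the answer, or django-oauth-toolkit): the service.com side of the authorization code flow in plain Python. It builds the redirect to provider.com, checks the `state` value when the browser comes back, and exchanges the code for a token server to server. It also adds a token introspection check (RFC 7662) for the question's "how does the service know the token is valid" point, which goes beyond what the answer says. The endpoint paths, the client_id/client_secret values, the redirect_uri and the `FakeProvider` stand-in for provider.com are all assumptions made so the flow can be run offline.

```python
"""service.com side of the OAuth2 authorization code flow.

Added example, not code from the question, the answer or django-oauth-toolkit.
Endpoint paths, client credentials and redirect_uri are assumptions; the HTTP
transport is injected (`post`) so the whole flow runs offline.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed provider.com endpoints (django-oauth-toolkit mounts its views under /o/).
AUTHORIZE_URL = "https://provider.com/o/authorize/"
TOKEN_URL = "https://provider.com/o/token/"
INTROSPECT_URL = "https://provider.com/o/introspect/"

CLIENT_ID = "service-com-client-id"          # assumed, issued by provider.com
CLIENT_SECRET = "service-com-client-secret"  # assumed; stays on service.com's server
REDIRECT_URI = "https://service.com/oauth/callback"


def build_authorize_url(session):
    """Step 1: send the browser to provider.com with client_id and redirect_uri.

    `state` is kept server-side (the dict stands in for request.session) and
    checked on return, so a callback carrying someone else's code is rejected.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "read", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session, callback_url, post):
    """Step 2: browser returns to redirect_uri with ?code=...&state=...

    `post(url, data, auth)` is the injected transport; in a Django view it would
    be requests.post(url, data=data, auth=auth). client_secret never reaches the browser.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # one callback per started flow
    returned = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: callback not started by this session")
    if "error" in query:
        raise ValueError("authorization denied: %s" % query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    reply = post(TOKEN_URL,
                 data={"grant_type": "authorization_code", "code": query["code"][0],
                       "redirect_uri": REDIRECT_URI},  # must equal the step 1 value
                 auth=(CLIENT_ID, CLIENT_SECRET))
    if "access_token" not in reply:
        raise ValueError("token endpoint refused the code: %r" % reply)
    return reply["access_token"]


def token_is_valid(access_token, post, required_scope="read"):
    """Step 3: a resource server on another host checks a bearer token it did
    not issue by asking provider.com (RFC 7662 token introspection)."""
    info = post(INTROSPECT_URL, data={"token": access_token},
                auth=(CLIENT_ID, CLIENT_SECRET))
    return bool(info.get("active")) and required_scope in info.get("scope", "").split()


class FakeProvider:
    """Constructed stand-in for provider.com so the flow runs offline.
    It is not django-oauth-toolkit; it mimics only the endpoints used above."""

    def __init__(self):
        self.codes = {}   # code -> redirect_uri it was issued for
        self.tokens = {}  # access_token -> granted scope

    def authorize(self, authorize_url):
        """Simulate the user logging in and clicking Allow: returns the callback URL."""
        q = parse_qs(urlparse(authorize_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"][0]
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def post(self, url, data, auth):
        if auth != (CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client"}
        if url == TOKEN_URL:
            issued_for = self.codes.pop(data.get("code"), None)  # codes are single-use
            if issued_for != data.get("redirect_uri"):
                return {"error": "invalid_grant"}
            token = secrets.token_urlsafe(24)
            self.tokens[token] = "read"
            return {"access_token": token, "token_type": "Bearer", "scope": "read"}
        if url == INTROSPECT_URL:
            scope = self.tokens.get(data.get("token"))
            return {"active": scope is not None, "scope": scope or ""}
        return {"error": "unknown_endpoint"}


def run_flow(provider, session):
    """End-to-end: steps 1 and 2, returning the access token service.com stores."""
    callback_url = provider.authorize(build_authorize_url(session))
    return handle_callback(session, callback_url, provider.post)
```

The two hosts talk to each other only in steps 2 and 3, both server to server with the client credentials: the browser carries the code and the bearer token, never the client secret. If the provider exposes no introspection endpoint, the resource server has to share the provider's token store (which is what the tutorial's single-machine setup does implicitly) or the provider has to issue self-contained signed tokens.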