There is an app that wants to authenticate with my users using oAuth2.
So they open a window with the authorize URL and parameters (such as the redirect URI)
Like: https://my-website.com/api/authLauncherauthorize?redirect=SOME_URI
Now I have my own firebase-login, and when the user logs in, I get their access token from firebase. Which is what I want to respond with.
However, in oAuth2 guides/explanations like https://aaronparecki.com/oauth-2-simplified/ I see I am supposed to return an authorization code, and I don't understand where I can get that from.
What I can do is generate a bullshit code, pair it in the DB to the access token, and then in the "token" request, send the correct access token. Is that what I am supposed to do?
Just to be clear, this is my first time writing an oAuth2 service myself.
2 solutions
#1
2
OAuth is a system that provides authenticated access to resources. This resource can be, for example, a user page or editing rights to that user page. So your goal is to provide access to permissions to the right people.
When someone logs in, they get a token. Your part is to generate that token however you want, be it some form of user data in base64 or completely random. Take this token and link it against permissions, like viewing a page, editing it, or even simpler things like viewing the email of a user.
OAuth2 tokens and/or permissions should be revocable without deleting a user. You should not use OAuth2 to identify someone.
If I am understanding your question correctly:
- User visits some website
- User wants to register or login using your website's OAuth2
- You redirect back to the original page and send your generated token
- The page can access content on your site with this token
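The scheme the question sketches (a random code stored against the logged-in user, then exchanged at the token endpoint for the real token), combined with the point above that tokens map to permissions and must be revocable without deleting the user, as an added example that is not code from the question or from either answer. Everything here is assumed: an in-memory client registry standing in for the database, the names `AuthServer`, `issue_code`, `exchange_code`, `user_for_token` and `revoke_token`, and the design choice that the Firebase token stays server-side while the third-party app only ever receives this server's own opaque token.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed defaults, not values from the question.
CODE_TTL_SECONDS = 60       # an authorization code should die quickly and be used once
TOKEN_TTL_SECONDS = 3600    # lifetime of the access tokens this server issues


@dataclass
class PendingCode:
    """State bound to one authorization code until it is exchanged or expires."""
    user_id: str
    client_id: str
    redirect_uri: str
    scopes: frozenset
    upstream_token: str         # e.g. the Firebase token obtained at login, never sent to the app
    issued_at: float
    used: bool = False
    issued_token: str = None    # access token minted from this code, if any


@dataclass
class IssuedToken:
    """Opaque bearer token handed to the app; permissions live here, not in the user record."""
    user_id: str
    client_id: str
    scopes: frozenset
    issued_at: float
    revoked: bool = False


class AuthServer:
    def __init__(self, clients):
        # clients: {client_id: {"secret": str, "redirect_uris": set of str}} (constructed registry)
        self._clients = clients
        self._codes = {}    # code -> PendingCode (a DB table in a real deployment)
        self._tokens = {}   # access token -> IssuedToken

    def issue_code(self, user_id, client_id, redirect_uri, scopes, upstream_token, now=None):
        """Authorize step: after your own login succeeds, mint a random one-time code.
        The code is only a handle; all its meaning is stored server-side, so it cannot be forged
        or decoded by the app. Returns None for an unregistered client or redirect target."""
        now = time.time() if now is None else now
        client = self._clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            return None
        code = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._codes[code] = PendingCode(user_id, client_id, redirect_uri,
                                        frozenset(scopes), upstream_token, now)
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri, now=None):
        """Token step: trade the code for an access token. Returns the response body as a dict,
        using the OAuth2 error names (invalid_client / invalid_grant) on failure."""
        now = time.time() if now is None else now
        client = self._clients.get(client_id)
        # constant-time secret check: the caller must be the client the code was issued to
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        pending = self._codes.get(code)
        if (pending is None or pending.used
                or pending.client_id != client_id
                or pending.redirect_uri != redirect_uri
                or now - pending.issued_at > CODE_TTL_SECONDS):
            if pending is not None and pending.used and pending.issued_token in self._tokens:
                # replayed code: someone else may hold it, so cut off what it already produced
                self._tokens[pending.issued_token].revoked = True
            return {"error": "invalid_grant"}
        pending.used = True
        access_token = secrets.token_urlsafe(32)
        pending.issued_token = access_token
        self._tokens[access_token] = IssuedToken(pending.user_id, client_id, pending.scopes, now)
        return {
            "access_token": access_token,
            "token_type": "Bearer",
            "expires_in": TOKEN_TTL_SECONDS,
            "scope": " ".join(sorted(pending.scopes)),
        }

    def revoke_token(self, access_token):
        """Cut off one app's access without touching the user account. Returns True if it existed."""
        tok = self._tokens.get(access_token)
        if tok is not None:
            tok.revoked = True
        return tok is not None

    def user_for_token(self, access_token, required_scope, now=None):
        """Resource-side check: the user id if the token is live and carries the scope, else None."""
        now = time.time() if now is None else now
        tok = self._tokens.get(access_token)
        if tok is None or tok.revoked or now - tok.issued_at > TOKEN_TTL_SECONDS:
            return None
        if required_scope not in tok.scopes:
            return None
        return tok.user_id
```

The exchange checks the four things that make the code safe to hand out in a URL: it is random, it is bound to the client id and the exact redirect URI it was issued for, it is single-use, and it expires within a minute. A replayed code revokes the token that was already minted from it, and `revoke_token` drops one app's access while the user account is untouched.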
#2
1
Assuming you are the Host Site, given a User who wants to connect a 3rd party application, then the flow would be like this:
- User lands on site - Clicks Login with Github
- User is redirected to Github site where they login and click "Authorize"
- Github redirects user back to your site /authorize with an auth token.
- Your site then passes that token back to the 3rd party API (github in this case) in exchange for an access token and refresh token.
- You can then pass that Authorization token to an API endpoint to get details about it. If the token expires, you can use the refresh token to get a new Auth token. Both Tokens should be stored in your database for your user.
However, writing that all out I realize you are asking how you generate the Authorization token, so I'm guessing you're actually the 3rd party API in this example. So you would want to generate an Authorization token using a random generator. Since you are using firebase, you'll probably wanna try out their token generator: https://github.com/firebase/firebase-token-generator-node
There's also some more up-to-date info here I believe: https://firebase.google.com/docs/auth/admin/#create_a_custom_token
And like you said, you would store that in a database associated with the user, and then when the Host Site sends that user's auth token to your server, you exchange it for the Authorization token (and refresh token if requested).
It's also worth reading through how google does it, because you'd be doing something similar: https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken
JWT is another option of generating tokens: https://jwt.io/