Secure REST API and Mobile (1) Document Read and Understand OAuth2
I used OAuth1 before, but it seems that OAuth2 is quite different.
1. Introduction on OAuth2
Resource Owner — User
Client — App
Authorization Server
Resource Server — API
Client should be registered first.
Client Registration
Client ID
Client Secret
Redirect URI
Public vs. Confidential Client
Confidential - server-side application; sends Client ID + Client Secret to the Authorization Server
Public - mobile app / JavaScript app; cannot keep a secret
Endpoints
Authorization Endpoint — the user authorizes on a web page — a grant is issued — 302 to the Client Redirect URI
Token Endpoint — the client fetches the token — JSON API — the grant is exchanged for the token
Redirection Endpoint — the client receives the response
TLS: the Authorization Server endpoints must be HTTPS; the Client Redirection Endpoint is not required to be.
Resource Server
The client uses the token to fetch information from the Resource Server - a password-free API
There are several flows. The Authorization Code flow, with Taobao TOP as the authorization server, runs between four parties: user, browser, app (client) and TOP:
user -> browser: open the app URL
app -> browser: 302 to the TOP OAuth authorize URL
browser -> TOP: GET /authorize
user -> TOP: log on and grant
TOP -> browser: redirect to redirect_URI, carrying the grant
browser -> app: GET redirect_URI
app -> TOP: POST to the token endpoint with the grant
TOP -> app: Access Token
2. Public Clients - Implicit Grant Flow
Only for public clients: Android apps, iOS apps, JavaScript apps.
No separate grant is handed to the client; the token is returned directly.
No Token Endpoint
Token has short lifetime
No Refresh Token
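The two flows described above (Authorization Code for a confidential client, Implicit for a public client), together with the registration and endpoint checks from section 1, as an added Python sketch. This is not code from the post or from any of the libraries linked below; the client names, redirect URIs, secret and lifetimes are constructed for the demo. It goes slightly beyond the notes by also showing the resource-server side check (token introspection) and the client-side state check at the redirection endpoint.

```python
# Added toy OAuth2 authorization server (not from the post): authorization-code
# flow for a confidential client, implicit flow for a public client. All names,
# URIs, secrets and lifetimes are constructed for the demo.
import secrets
from urllib.parse import parse_qs, urlsplit

CODE_LIFETIME = 60             # seconds an authorization code stays valid
CODE_TOKEN_LIFETIME = 3600     # access token issued by the token endpoint
IMPLICIT_TOKEN_LIFETIME = 600  # implicit tokens are deliberately short-lived


class AuthorizationServer:
    def __init__(self):
        self.clients = {}         # client_id -> {"redirect_uri": ..., "secret": ...}
        self.codes = {}           # code -> (client_id, redirect_uri, expires_at)
        self.tokens = {}          # access_token -> (client_id, expires_at)
        self.refresh_tokens = {}  # refresh_token -> client_id

    def register(self, client_id, redirect_uri, client_secret=None):
        # Public clients (mobile / JavaScript) register without a secret.
        self.clients[client_id] = {"redirect_uri": redirect_uri, "secret": client_secret}

    def authorize(self, response_type, client_id, redirect_uri, state, now):
        """Authorization endpoint, after logon and grant: returns the 302 Location."""
        client = self.clients.get(client_id)
        # Exact match against the registered redirect_uri; on mismatch never
        # redirect, since the grant would be delivered to whoever chose the URI.
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if response_type == "code":
            code = secrets.token_urlsafe(24)
            self.codes[code] = (client_id, redirect_uri, now + CODE_LIFETIME)
            return f"{redirect_uri}?code={code}&state={state}"
        if response_type == "token":
            if client["secret"] is not None:
                raise ValueError("implicit grant is for public clients only")
            token = self._issue_token(client_id, IMPLICIT_TOKEN_LIFETIME, now)
            # Token goes back in the URL fragment: no token endpoint, no refresh token.
            return (f"{redirect_uri}#access_token={token}&token_type=bearer"
                    f"&expires_in={IMPLICIT_TOKEN_LIFETIME}&state={state}")
        raise ValueError("unsupported response_type")

    def token(self, grant_type, code, redirect_uri, client_id, client_secret, now):
        """Token endpoint (JSON API): a confidential client exchanges its grant."""
        client = self.clients.get(client_id)
        if (client is None or client["secret"] is None
                or not secrets.compare_digest(client["secret"], client_secret)):
            raise PermissionError("invalid_client")
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self.codes.pop(code, None)  # pop: every code is single-use
        if entry is None:
            raise PermissionError("invalid_grant")
        code_client, code_redirect, expires_at = entry
        if code_client != client_id or code_redirect != redirect_uri or now > expires_at:
            raise PermissionError("invalid_grant")
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = client_id
        return {"access_token": self._issue_token(client_id, CODE_TOKEN_LIFETIME, now),
                "token_type": "bearer", "expires_in": CODE_TOKEN_LIFETIME,
                "refresh_token": refresh}

    def _issue_token(self, client_id, lifetime, now):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, now + lifetime)
        return token

    def introspect(self, access_token, now):
        """Resource-server check: which client owns this bearer token, if still valid?"""
        entry = self.tokens.get(access_token)
        return None if entry is None or now > entry[1] else entry[0]


def parse_redirect(location, expected_state):
    """Client redirection endpoint: read query (code) or fragment (implicit)
    and reject the response when state does not match what the client sent."""
    parts = urlsplit(location)
    raw = {**parse_qs(parts.query), **parse_qs(parts.fragment)}
    params = {k: v[0] for k, v in raw.items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    return params


def run_code_flow(now=1000.0):
    srv = AuthorizationServer()
    srv.register("web-app", "https://app.example/callback", client_secret="s3cr3t")
    state = secrets.token_urlsafe(8)
    location = srv.authorize("code", "web-app", "https://app.example/callback", state, now)
    code = parse_redirect(location, state)["code"]
    tokens = srv.token("authorization_code", code, "https://app.example/callback",
                       "web-app", "s3cr3t", now)
    return srv, tokens, code


def run_implicit_flow(now=1000.0):
    srv = AuthorizationServer()
    srv.register("mobile-app", "myapp://callback")  # public client: no secret
    state = secrets.token_urlsafe(8)
    location = srv.authorize("token", "mobile-app", "myapp://callback", state, now)
    return srv, location, parse_redirect(location, state)
```

`run_code_flow()` returns the server, the JSON the token endpoint produced (with a refresh token and an hour-long access token) and the now-consumed code; calling `token()` again with that code fails, because codes are popped on first use. `run_implicit_flow()` returns the 302 Location with the token in the fragment, which is why a public client has no token endpoint call, no refresh token and a short lifetime. Both flows refuse a redirect_uri that does not exactly match the registration, and the client rejects any redirect whose state it did not send.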
OAuth2 Provider
Facebook — Auth Code, Implicit, Client Cred.
Github — Auth Code, Password
Twitter — Client Cred.
Google — Auth Code, Implicit
Microsoft — Auth Code, Implicit
Dropbox — Auth Code, Implicit
Amazon — Auth Code, Implicit
Bitly — Auth Code, Password
Sina weibo — Auth Code
Douban — Auth Code, Implicit
BOX — Auth Code
Basecamp — Auth Code
3. Try to secure our API
It seems to me that we need to use other providers for authentication; we need to do the authorization ourselves.
Next I will investigate the PHP code from our company, hello.js and some customized projects.
http://adodson.com/hello.js/
https://github.com/tcompiegne/oauth2-resource-server-samples
https://github.com/tcompiegne/oauth2-server
https://github.com/tcompiegne/oauth2-client-samples
References:
OAuth
http://sillycat.iteye.com/blog/1265917 protocol and the example
http://sillycat.iteye.com/blog/1265918 sample provider
http://sillycat.iteye.com/blog/1265922 sample provider
http://sillycat.iteye.com/blog/1265923 all about the protocol
OAuth2
http://oauth.net/2/
http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html
Very good MIT Library
https://github.com/MrSwitch/hello.js
http://adodson.com/hello.js/
http://security.stackexchange.com/questions/67343/secure-rest-api-and-single-page-app-by-using-external-oauth-2-authorization-code
example
https://github.com/jcleblanc/oauth
OpenId
http://sillycat.iteye.com/blog/1004721
http://sillycat.iteye.com/blog/1004723
http://sillycat.iteye.com/blog/1543234
http://sillycat.iteye.com/blog/1543929
http://sillycat.iteye.com/blog/1543974
oauth provider
https://oauth.io/providers