Secure REST API and Mobile (1) Document Read and Understand OAuth2
I used to use OAuth1 before, but it seems that it is different from OAuth2.
1. Introduction to OAuth2
Resource Owner — User
Client — App
Authorization Server
Resource Server — API
The Client must be registered first.
Client Registration
Client ID
Client Secret
Redirect URI
Public vs. Confidential Client
Confidential - server-side application; sends Client ID + Secret to the Authorization Server
Public - mobile app / JavaScript app (cannot keep a secret)
Endpoints
Authorization Endpoint — the user authorizes — a web page — issues the Grant — 302 to the Client Redirect URI
Token Endpoint — the Client fetches the token - JSON API - exchanges the Grant for the Token
Redirection Endpoint — the Client receives the info (code or token) from the Authorization Server
TLS: the Authorization Server endpoints must be HTTPS; the Client Redirection Endpoint does not have to be.
Resource Server
The Client uses the Token to fetch information from the Resource Server - a password-free API
There are several flows (Taobao TOP as an example)
Participants: user, browser, app, TOP (the authorization server)
1. user -> app: get app URL
2. app -> browser: send 302 to OAuth
3. browser -> TOP: GET /authorize
4. user -> TOP: log on and grant
5. TOP -> browser: redirect to redirect_URI (with the grant)
6. browser -> app: get redirect URI
7. app -> TOP: POST token (exchange the grant)
8. TOP -> app: Access Token
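The flow above carried through on the client (app) side, as a constructed Python example added here; it is not code from the post or from Taobao TOP, and the endpoints, client id/secret and redirect URI are placeholders. It shows the three pieces the app has to build: the 302 target (step 2), the callback check (step 6, where `state` ties the callback to the session that started it), and the token request (step 7).

```python
"""Client side of the OAuth2 authorization code flow (constructed example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values, not real endpoints or credentials.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "demo-client-id"
CLIENT_SECRET = "demo-client-secret"
REDIRECT_URI = "https://app.example.com/callback"


def new_state():
    """Unguessable per-request value; the app stores it in the user's session."""
    return secrets.token_urlsafe(16)


def build_authorize_url(state, scope="read"):
    """Step 2: the app answers the browser with a 302 to this URL."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 6: the browser arrives at redirect_uri with ?code=...&state=...
    The app must match state against its session before using the code,
    otherwise an attacker-supplied code could be bound to the victim's session."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return query["code"][0]


def build_token_request(code):
    """Step 7: server-to-server POST body for the token endpoint. A confidential
    client sends client_secret here (never through the browser); a public
    client such as a mobile app would omit it because it cannot keep a secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
```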
2. Public Clients - Implicit Grant Flow
Only for public clients: Android apps, iOS apps, JavaScript apps.
The Grant is not transferred to the Client; the Token is issued directly in the redirect.
No Token Endpoint
The Token has a short lifetime
No Refresh Token
OAuth2 Provider
Facebook — Auth Code, Implicit, Client Cred.
Github — Auth Code, Password
Twitter — Client Cred.
Google — Auth Code, Implicit
Microsoft — Auth Code, Implicit
Dropbox — Auth Code, Implicit
Amazon — Auth Code, Implicit
Bitly — Auth Code, Password
Sina weibo — Auth Code
Douban — Auth Code, Implicit
BOX — Auth Code
Basecamp — Auth Code
3. Try to secure our API
It seems to me that we need to use other providers for authentication, and we need to do the authorization ourselves.
Next step I will investigate the PHP code from our company, hello.js and some customized projects.
http://adodson.com/hello.js/
https://github.com/tcompiegne/oauth2-resource-server-samples
https://github.com/tcompiegne/oauth2-server
https://github.com/tcompiegne/oauth2-client-samples
References:
OAuth
http://sillycat.iteye.com/blog/1265917 protocol and the example
http://sillycat.iteye.com/blog/1265918 sample provider
http://sillycat.iteye.com/blog/1265922 sample provider
http://sillycat.iteye.com/blog/1265923 all about the protocol
OAuth2
http://oauth.net/2/
http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html
Very good MIT-licensed library
https://github.com/MrSwitch/hello.js
http://adodson.com/hello.js/
http://security.stackexchange.com/questions/67343/secure-rest-api-and-single-page-app-by-using-external-oauth-2-authorization-code
Example
https://github.com/jcleblanc/oauth
OpenID
http://sillycat.iteye.com/blog/1004721
http://sillycat.iteye.com/blog/1004723
http://sillycat.iteye.com/blog/1543234
http://sillycat.iteye.com/blog/1543929
http://sillycat.iteye.com/blog/1543974
OAuth providers
https://oauth.io/providers
Powerful OAuth2 client
http://adodson.com/hello.js/
OAuth2 providers
https://github.com/tcompiegne/oauth2-resource-server-samples
https://github.com/tcompiegne/oauth2-server
https://github.com/tcompiegne/oauth2-client-samples
Reposted from sillycat.iteye.com/blog/2227060