OAuth2 password grant using Node.js

Updated: 2024-10-28 11:19:49

Problem description


I am designing a web application that is mainly divided into the following two parts:

  • Website (UI): a Node JS Express application, to be hosted as www.mysite
  • REST API: business logic (authentication, authorization, business logic), to be hosted on a different domain, e.g. api.mysite

I want to implement OAuth2 for this application. I read through OAuth2 and understood its various flows, and based on my understanding I concluded that the "Resource Owner Password Credentials" flow is the way to go, as the client and service both belong to me and users will also register directly with my application and thus provide a username and password.


I researched a lot around the "Resource Owner Password Credentials" flow, but this flow is very little talked about and documented. I have very little idea, close to zero, of how I should implement this flow in my application. I am developing the website and REST API in Node JS. Please guide me on how I should implement this. Any demos or documentation will be helpful.

Thanks in advance!

Answer


You are right. It is very little documented, plus it is often misleadingly explained wrong. Most explanations of that flow do not point out that there are two different situations for that flow.


If you have an SPA or a similar open app, you do NOT want to have the client id or the client secret with the ROPC flow, because everyone could read it. Also, it is not required by the RFC.


Your situation is about 2-legged OAuth without delegation.


Here is a very good article about how to secure the ROPC flow: andyfiedler/2014/09/how-secure-is-the-oauth2-resource-owner-password-credential-flow-for-single-page-apps


Hope that helps; I currently struggle with the same issue.

Published: 2023-11-04 21:57:27
Source: https://www.elefans.com/category/jswz/34/1559123.html