I'm actually studying REST API security, and it seems that many people are using the OAuth2 and OpenID protocols to manage authentication.
I have tried to implement two OAuth2 servers using:
passportjs/ for the client side and github/jaredhanson/oauth2orize for the server side
www.npmjs/package/node-oauth2-server
For the first solution, running the examples works correctly, but I need to make something stateless (and in the example the author uses sessions...)
Can you help me create the simplest OAuth2 server possible, or otherwise explain to me how these libraries work as a whole?
Thanks in advance

Recommended answer

I use "oauth2-server": "^3.0.0-b2"
```javascript
var express = require('express');
var bodyParser = require('body-parser'); // required below but missing from the original snippet
var oauthServer = require('oauth2-server');
var Request = oauthServer.Request;
var Response = oauthServer.Response;
var authenticate = require('./components/oauth/authenticate');

var app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());

// Model (client, user and token storage) for oauth2-server:
// github/manjeshpv/node-oauth2-server-implementation/blob/master/components/oauth/models.js
var oauth = new oauthServer({
  model: require('./models.js')
});

// Token endpoint: exchanges client/user credentials (or a code) for an access token
app.all('/oauth/token', function (req, res, next) {
  var request = new Request(req);
  var response = new Response(res);
  oauth.token(request, response)
    .then(function (token) {
      // Todo: remove unnecessary values in response
      return res.json(token);
    })
    .catch(function (err) {
      // oauth2-server errors carry an HTTP status in err.code (e.g. 400/401); fall back to 500
      return res.status(err.code || 500).json(err);
    });
});

// Authorization endpoint
app.post('/authorise', function (req, res) {
  var request = new Request(req);
  var response = new Response(res);
  return oauth.authorize(request, response)
    .then(function (success) {
      res.json(success);
    })
    .catch(function (err) {
      res.status(err.code || 500).json(err);
    });
});

// Protected routes: authenticate() validates the bearer token, optionally requiring a scope
app.get('/secure', authenticate(), function (req, res) {
  res.json({ message: 'Secure data' });
});

app.get('/me', authenticate(), function (req, res) {
  res.json({
    me: req.user,
    message: 'Authorization success, Without Scopes, Try accessing /profile with `profile` scope',
    description: 'Try postman www.getpostman/collections/37afd82600127fbeef28',
    more: 'pass `profile` scope while Authorize'
  });
});

app.get('/profile', authenticate({ scope: 'profile' }), function (req, res) {
  res.json({ profile: req.user });
});

app.listen(3000);
```

To simulate, use Postman: www.getpostman/collections/37afd82600127fbeef28
MySQL/PostgreSQL/MSSQL compatible: github/manjeshpv/node-oauth2-server-implementation/blob/master/components/oauth/models.js
MySQL DDL: github/manjeshpv/node-oauth2-server-implementation/blob/master/sql/oauth_demo.sql
Mongo dump: github/manjeshpv/node-oauth2-server-implementation/tree/master/mongo-dump
Note that they have an issue there: the validateScope function needs to be replaced with:
```javascript
function validateScope(user, client) {
  return user.scope === client.scope;
}
```