You don't really need OAuth to authenticate to your own API.
OAuth2 is useful if you want another application to access your API.
Let me explain a little bit how OAuth2 works:
- A Client (application) wants to use your API, so you give it Client credentials (client_token and client_secret), and you set in your database a set of redirect locations that the client can use.
- The Client needs the user's authorization to use your API on the user's behalf. So the client sends the user to a URL on your site (with the client_token, the scope the client needs [you define the meaning of the different scopes], a redirect URI and a response_type [OAuth2 defines different response_types, but let's focus on 'code']).
- The user logs into your site and agrees to give the client access to your API on the user's behalf. When the user accepts this, you'll generate a grant (the grant contains info on the user, the credentials requested [scope] and the client who can 'claim' the granted access).
- The user is then redirected to the redirect_uri that the client requested (when the client sent the user to your auth site), and in the URL parameters you'll include the grant code (it's just an id).
- At this stage, the client will make a request to your API providing the grant code, its own client_token, its client_secret and the grant_type (authorization_code), and it will get in the response the following: an authorization_token, refresh_token, token_type (for this case, Bearer), expires_in (expiration time in seconds) and the scope.
- After all this the client will be able to make requests to your API on the user's behalf using the access_token provided, until the token expires. Once the token expires the client will have to request a new access_token using the refresh_token (instead of the authorization code).
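The steps above as an added example (not code from the post): a toy in-memory authorization server in Python that registers a client, issues a grant code only for a pre-registered redirect URI, redeems the code exactly once for Bearer tokens, and rotates the refresh token. It uses the spec's parameter names, so the post's client_token is `client_id` here; the client name, redirect URL, scope and the 60-second code lifetime are assumptions.

```python
import secrets, time
class AuthServer:
    """Toy in-memory authorization server for the code flow above (constructed example)."""
    def __init__(self):
        self.clients, self.codes, self.tokens, self.refresh = {}, {}, {}, {}
    def register_client(self, client_id, redirect_uris):
        # Step 1: issue client credentials and pin the allowed redirect locations.
        secret = secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": secret, "redirect_uris": set(redirect_uris)}
        return secret
    def authorize(self, client_id, redirect_uri, scope, user):
        # Steps 2-4: after login and consent, mint a short-lived, single-use grant code.
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "user": user, "scope": scope,
                            "redirect_uri": redirect_uri, "exp": time.time() + 60}
        return code
    def _issue(self, client_id, user, scope, ttl=3600):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = {"client_id": client_id, "user": user, "scope": scope,
                               "exp": time.time() + ttl}
        self.refresh[refresh] = {"client_id": client_id, "user": user, "scope": scope}
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": ttl, "scope": scope}
    def token(self, client_id, client_secret, grant_type, code=None, redirect_uri=None,
              refresh_token=None):
        # Steps 5-6: the client authenticates itself and redeems a code or a refresh token.
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            grant = self.codes.pop(code, None)  # pop: a code can be redeemed only once
            if (grant is None or grant["client_id"] != client_id
                    or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, grant["user"], grant["scope"])
        if grant_type == "refresh_token":
            rt = self.refresh.pop(refresh_token, None)  # rotate: the old refresh token dies
            if rt is None or rt["client_id"] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, rt["user"], rt["scope"])
        raise ValueError("unsupported_grant_type")
    def resource(self, access_token):
        # What the API does on each request: validate the Bearer token and its expiry.
        t = self.tokens.get(access_token)
        if t is None or t["exp"] < time.time():
            raise PermissionError("invalid_token")
        return {"user": t["user"], "scope": t["scope"]}
```

The checks that matter for security are the ones that raise: an unregistered redirect_uri, a reused or expired code, a mismatched client, or a wrong client_secret all fail closed.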