douhui3305 2016-08-24 06:43
浏览 222
已采纳

oauth2通过db为受信任的第三方客户端提供的客户端ID / secret获取访问令牌

I'm currently using "lucadegasperi/oauth2-server-laravel".

I'm making an api endpoint for a 3rd party trusted client and using the client_credentials grant.

now the thing is that access tokens tend to expire, so instead of giving the 3rd party user a access token, i would just supply them with the client id/secret.

on my side i would do the following when they do a curl request...

SELECT      a.id,
            expire_time

FROM        oauth_clients as c

left join   oauth_sessions as s on s.client_id = c.id

left join   oauth_access_tokens as a on a.session_id = s.id

where       c.id = 'asfasasf'

            and c.secret =  'asfasfasfasf'

order by    s.id desc

limit       1;

... The above pretty much checks if there is an access token and expire time relating to the client id/secret. I'd pretty much just generate a new one if one didn't exist or if it expired. Then a couple lines down, do a curl on my side to the endpoint they were after with the given access_token on my side without them worrying about doing it.

I've tested it and it works, but is this kind of dodgy/bad to do?

tldr;

  1. 3rd party client - goes to /api/endpoint with client id/secret
  2. my server side (checks for access token in db relating to client id/secret)
  3. generates if does not exists or is expired to use ...
  4. 3rd party client endpoint api continues to use db selected access token
  5. works

Is that a bad flow?

  • 写回答

2条回答 默认 最新

  • dongpeng8994 2016-08-24 09:06
    关注

    All you did was take out a step for their convenience.

    A lot of people would simply use an OAuth2 library they or someone else wrote and of course this wouldn't work because you don't have a standard OAuth2 system anymore.

    You've effectively reused one token for everyone else who uses the client app and I am not convinced that's a good thing. Tokens expiring is for security issues, if someone steals a token, you can invalidate it and stop their access or it expires and that's it. Of course you don't have this issue as you're not actually passing tokens through.

    This also means that you're now breaking other OAuth2 flows, many systems have a refresh token, that's gone as well. I guess it simplifies the client's life quite a bit but you can't say that you have an OAuth2 system anymore, because well, you don't.

    The clients are the ones who need to deal with tokens and it's their job to decide how to store them and what to do when things expire. You wouldn't normally need to worry about it, but now you do since you actually store the client tokens on your side.

    One other thing to consider is that you shifted the security concerns to your side. You are now responsible for the clients security. If someone gets access to your database then they can effectively impersonate all your clients forever more than likely without even you or the client knowing about it. From my point of view having tokens in a database is a bad idea and a security flaw especially when the client has no control over it.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥60 fail to initialize keyboard hotkeys through kernel.0000000000
  • ¥30 ppOCRLabel导出识别结果失败
  • ¥15 Centos7 / PETGEM
  • ¥15 csmar数据进行spss描述性统计分析
  • ¥15 各位请问平行检验趋势图这样要怎么调整?说标准差差异太大了
  • ¥15 delphi webbrowser组件网页下拉菜单自动选择问题
  • ¥15 wpf界面一直接收PLC给过来的信号,导致UI界面操作起来会卡顿
  • ¥15 init i2c:2 freq:100000[MAIXPY]: find ov2640[MAIXPY]: find ov sensor是main文件哪里有问题吗
  • ¥15 运动想象脑电信号数据集.vhdr
  • ¥15 三因素重复测量数据R语句编写,不存在交互作用