服务器端oauth：如何处理收到的令牌

This is my first time doing a full implementation of server side OAuth (as described here https://developers.google.com/identity/protocols/OAuth2WebServer) and I am getting a bit confused as to what to do with the tokens after receiving them from the auth provider. I can see a few options

Send it to the user for local storage and send it to the db. have the frontend send it in http headers on every request and compare it with the one in the db to authenticate.
Send it to the database and work out some other form of authentication through a jwt or cookie.
something else?

1 would be my preferred way, but something feels wrong about it...IDK what, while 2 feels a little wasteful because I will have to come up with an entirely different auth mechanism and then just pull the token from the db and refresh and use it as normal anyway...

What is an acceptable flow for this part of the application?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
doutao1939 2018-02-28 18:20
关注
First, you should decide which part of your application will have a role of the OAuth2 client. If you have a React SPA as a frontend, I would suggest you to make it the client and use the Implicit grant OAuth2 flow (designed for browser apps) instead of the Auth code grant. This way, the SPA initiates the authentication and it receives an ID token (to identify the user) and an access token to call Google services.

Then there is a question how to identify a user at the backend. I would use the ID token for that - the backend will have to check the Google signature and that the audience of the token is the client ID of your application. Based on this ID token, you can either issue your own token (just for the identification of your frontend user), create a backend session or to keep sending the Google ID token with each request.

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

go-oauth2无法获取令牌：错误的请求
2016-03-15 04:10

回答 1 已采纳 I can solve it by adding one more handler var ( conf *oauth2.Config ) func GoogleCallbackHan
oauth2无法获取令牌：错误的请求
2016-03-08 06:48

回答 1 已采纳 You are trying to access an url parameter (code) which is not defined in your url. r.URL.Query().
谷歌API 2支持Oauth：“令牌无效 - 无效的AuthSub令牌。” php
2011-09-29 13:47

回答 1 已采纳 Here's the corrected code: $endpoint = 'https://docs.google.com/feeds/default/private/full/-/
verify-apple-id-token:验证服务器端的Apple ID令牌
2021-03-17 15:12

应用程序将收到令牌应用程序应将idToken发送到后端，该后端将对其进行验证：使用服务器的公钥验证JWS E256签名验证随机数以进行身份验证验证iss字段包含验证aud字段是开发人员的client_id 验证时间早于...
Laravel OAUTH：限制用户请求他们想要的任何范围 laravel php
2018-10-24 12:39

回答 1 已采纳 Problem has been solved by adding a middleware ScopeLogic and adding it to the passport::routes.
Oauth :: timestamp在linkedin api中拒绝错误 php
2012-10-11 10:38

回答 3 已采纳 This happened to me in the past. Most people suggest that the clock on your system is wrong. Try c
Google OAuth2验证服务器流中的访问令牌 php
2016-12-18 20:55

回答 1 已采纳 As a result of authorization success from Google, you should also get refresh_token. If you are no
REST API 的安全认证，从 OAuth 2.0 到 JWT 令牌
2021-03-03 17:17

Java笔记虾的博客在服务器端，亚马逊也有你的访问密钥。它们接下来做什么？只需要使用你的 http 头信息和这个密钥进行签名。然后将签名字符串和你作为签名的字符串进行比较；如果相同那么就知道你是谁。最大的好处是你只需要发送一...
Twitter OAuth无法检索访问令牌 php twitter
2015-03-24 23:01

回答 1 已采纳 As it turns out my particular issue was caused by sessions and the callback url. I was accessing
使用PHP谷歌客户端获取YouTube播放列表（服务器端oauth） php
2017-03-28 14:54

回答 1 已采纳 Looking at the screenshots, you have created a Service Account. Service Accounts use two-legged OA
oauth2如何处理刷新令牌 php
2013-07-23 04:17

回答 1 已采纳 Here is my experience when implementing the oAuth library and api using this library. If you are
带有JWT的Spring Security：OAuth 2资源服务器
2020-04-23 00:43

cunxiedian8614的博客 Since version 5.2, Spring has introduced a new library, OAuth 2.0 Resource 小号ever, handling JWT so that we no longer need to manually add a Filter to extract claims from JWT to...
Oauth2客户端+用户访问令牌流 php
2015-05-18 15:07

回答 1 已采纳 A (single) client is either public, i.e. it has no client_secret associated with it, or confidenti
OAuth2 Java Shiro 服务器端
2016-10-25 22:33

围观岳老师的博客目前很多开放平台如新浪微博开放平台都在使用提供开放API接口供开发者使用，随之带来了第三方应用要到开放平台进行授权的问题，OAuth就是干这个的，OAuth2是OAuth协议的下一个版本，相比OAuth1，OAuth2整个授权流程...
OAuth2.0与Node.js：简化应用程序的开发流程
2023-07-24 01:49

禅与计算机程序设计艺术的博客作者：禅与计算机程序设计艺术 1.简介 OAuth（开放授权）是一个基于标准协议，允许用户授权第三方应用访问他们存储在...虽然很多网站都提供了 OAuth 服务，但对于一般开发者来说，其实现起来却比较复杂。比如，要让
没有解决我的问题, 去提问

悬赏问题

¥100 set_link_state
¥15 虚幻5 UE美术毛发渲染
¥15 CVRP 图论物流运输优化
¥15 Tableau online 嵌入ppt失败
¥100 支付宝网页转账系统不识别账号
¥15 基于单片机的靶位控制系统
¥15 真我手机蓝牙传输进度消息被关闭了，怎么打开？(关键词-消息通知)
¥15 装 pytorch 的时候出了好多问题，遇到这种情况怎么处理？
¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
¥15 手机接入宽带网线，如何释放宽带全部速度

服务器端oauth：如何处理收到的令牌

2条回答 默认 最新

悬赏问题

2条回答默认最新