douhui3305 2016-08-24 06:43
浏览 222
已采纳

oauth2通过db为受信任的第三方客户端提供的客户端ID / secret获取访问令牌

I'm currently using "lucadegasperi/oauth2-server-laravel".

I'm making an api endpoint for a 3rd party trusted client and using the client_credentials grant.

now the thing is that access tokens tend to expire, so instead of giving the 3rd party user a access token, i would just supply them with the client id/secret.

on my side i would do the following when they do a curl request...

SELECT      a.id,
            expire_time

FROM        oauth_clients as c

left join   oauth_sessions as s on s.client_id = c.id

left join   oauth_access_tokens as a on a.session_id = s.id

where       c.id = 'asfasasf'

            and c.secret =  'asfasfasfasf'

order by    s.id desc

limit       1;

... The above pretty much checks if there is an access token and expire time relating to the client id/secret. I'd pretty much just generate a new one if one didn't exist or if it expired. Then a couple lines down, do a curl on my side to the endpoint they were after with the given access_token on my side without them worrying about doing it.

I've tested it and it works, but is this kind of dodgy/bad to do?

tldr;

  1. 3rd party client - goes to /api/endpoint with client id/secret
  2. my server side (checks for access token in db relating to client id/secret)
  3. generates if does not exists or is expired to use ...
  4. 3rd party client endpoint api continues to use db selected access token
  5. works

Is that a bad flow?

  • 写回答

2条回答 默认 最新

  • dongpeng8994 2016-08-24 09:06
    关注

    All you did was take out a step for their convenience.

    A lot of people would simply use an OAuth2 library they or someone else wrote and of course this wouldn't work because you don't have a standard OAuth2 system anymore.

    You've effectively reused one token for everyone else who uses the client app and I am not convinced that's a good thing. Tokens expiring is for security issues, if someone steals a token, you can invalidate it and stop their access or it expires and that's it. Of course you don't have this issue as you're not actually passing tokens through.

    This also means that you're now breaking other OAuth2 flows, many systems have a refresh token, that's gone as well. I guess it simplifies the client's life quite a bit but you can't say that you have an OAuth2 system anymore, because well, you don't.

    The clients are the ones who need to deal with tokens and it's their job to decide how to store them and what to do when things expire. You wouldn't normally need to worry about it, but now you do since you actually store the client tokens on your side.

    One other thing to consider is that you shifted the security concerns to your side. You are now responsible for the clients security. If someone gets access to your database then they can effectively impersonate all your clients forever more than likely without even you or the client knowing about it. From my point of view having tokens in a database is a bad idea and a security flaw especially when the client has no control over it.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 安卓adb backup备份应用数据失败
  • ¥15 eclipse运行项目时遇到的问题
  • ¥15 关于#c##的问题:最近需要用CAT工具Trados进行一些开发
  • ¥15 南大pa1 小游戏没有界面,并且报了如下错误,尝试过换显卡驱动,但是好像不行
  • ¥15 没有证书,nginx怎么反向代理到只能接受https的公网网站
  • ¥50 成都蓉城足球俱乐部小程序抢票
  • ¥15 yolov7训练自己的数据集
  • ¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)(相关搜索:51单片机|单片机|测试代码)
  • ¥15 电力市场出清matlab yalmip kkt 双层优化问题
  • ¥30 ros小车路径规划实现不了,如何解决?(操作系统-ubuntu)