当服务提供商提供消费者时,OAuth 1.0a是否“有效”(Does OAuth 1.0a “Work” When Service Provider Provides The Consumer)

我正在设计RESTful API / Web服务,期望它最终能够被多个客户端Web应用程序/消费者使用。 作为此服务的一部分,我希望第一批消费者是Web浏览器,其中API /服务提供可以访问API的网站。

是否有一种可行/安全的方式,OAuth 1.0a可以用于消费者(在这种情况下,网站),最终由与API本身“相同”的服务提供?

主要是,如果通过网络发送消费者,我如何确保此消费者拥有有效的秘密消费密钥? 有没有办法在发送之前用自己的消费者密钥“预注册”网页实例?

(我打算在此设计中使用HTTPS。)

任何直接的答案都表示赞赏,并且对可能回答我的问题的其他在线资料的任何引用也表示赞赏。

谢谢。

I am in the process of designing a RESTful API/web-service with the expectation that it will eventually be able to be consumed by several client web applications/consumers. As part of this service, I would like to have the first consumers be web browsers, in which the API/service provides a website that can access the API.

Is there a feasible/secure way in which OAuth 1.0a may be used for a Consumer (in this case, website) that is ultimately provided by the "same" service as the API itself?

Mainly, how can I ensure that this consumer has a valid secret Consume Key if it gets sent over the wire? Is there a way to "pre-register" an instance of the webpage, with its own Consumer Key, prior to sending?

(I plan on using HTTPS with this design.)

Any direct answers are appreciated, and any references to other online material that may answer my question(s) is also appreciated.

Thanks.

最满意答案

在进一步的研究中,我发现OAuth 2.0的目标之一是考虑处理基于浏览器的Web应用程序的用例。

在Oauth 2.0中,基于浏览器的应用程序被视为“公共客户端”; 规范具有Implicit Grant工作流来处理此类客户端。 公共客户端是无法确保客户端标识符或客户端密钥保密的客户端,因此,隐式授权流程不明确依赖于它具有客户端密钥的要求。 相反,客户端在获取访问令牌之前预先向授权服务器注册redirect-URI。

因此,简而言之,没有一种好方法可以在基于浏览器的应用程序中“通过线路”传递客户端密钥。 (或者至少不是我发现的好方法。)而是可以使用OAuth 2.0 Implicit Grant工作流程。

During further research, I have found that one of the goals of OAuth 2.0 is to factor in a use-case that handles browser-based web applications.

In Oauth 2.0, browser-based applications are considered "public clients;" the specification has an Implicit Grant workflow to handle clients of this type. Public clients are clients that cannot ensure that a client identifier or client secret be kept secret, therefore, the Implicit Grant flow does not explicitly rely on the requirement that it have a client secret. Rather, the client pre-registers a redirect-URI with the authorization server prior to gaining access tokens.

So, in short, there isn't a good way to pass a client secret "over the wire" in a browser-based application. (Or at least not a good way that I have discovered.) Rather the OAuth 2.0 Implicit Grant workflow can be used instead.

当服务提供商提供消费者时,OAuth 1.0a是否“有效”(Does OAuth 1.0a “Work” When Service Provider Provides The Consumer)

我正在设计RESTful API / Web服务,期望它最终能够被多个客户端Web应用程序/消费者使用。 作为此服务的一部分,我希望第一批消费者是Web浏览器,其中API /服务提供可以访问API的网站。

是否有一种可行/安全的方式,OAuth 1.0a可以用于消费者(在这种情况下,网站),最终由与API本身“相同”的服务提供?

主要是,如果通过网络发送消费者,我如何确保此消费者拥有有效的秘密消费密钥? 有没有办法在发送之前用自己的消费者密钥“预注册”网页实例?

(我打算在此设计中使用HTTPS。)

任何直接的答案都表示赞赏,并且对可能回答我的问题的其他在线资料的任何引用也表示赞赏。

谢谢。

I am in the process of designing a RESTful API/web-service with the expectation that it will eventually be able to be consumed by several client web applications/consumers. As part of this service, I would like to have the first consumers be web browsers, in which the API/service provides a website that can access the API.

Is there a feasible/secure way in which OAuth 1.0a may be used for a Consumer (in this case, website) that is ultimately provided by the "same" service as the API itself?

Mainly, how can I ensure that this consumer has a valid secret Consume Key if it gets sent over the wire? Is there a way to "pre-register" an instance of the webpage, with its own Consumer Key, prior to sending?

(I plan on using HTTPS with this design.)

Any direct answers are appreciated, and any references to other online material that may answer my question(s) is also appreciated.

Thanks.

最满意答案

在进一步的研究中,我发现OAuth 2.0的目标之一是考虑处理基于浏览器的Web应用程序的用例。

在Oauth 2.0中,基于浏览器的应用程序被视为“公共客户端”; 规范具有Implicit Grant工作流来处理此类客户端。 公共客户端是无法确保客户端标识符或客户端密钥保密的客户端,因此,隐式授权流程不明确依赖于它具有客户端密钥的要求。 相反,客户端在获取访问令牌之前预先向授权服务器注册redirect-URI。

因此,简而言之,没有一种好方法可以在基于浏览器的应用程序中“通过线路”传递客户端密钥。 (或者至少不是我发现的好方法。)而是可以使用OAuth 2.0 Implicit Grant工作流程。

During further research, I have found that one of the goals of OAuth 2.0 is to factor in a use-case that handles browser-based web applications.

In Oauth 2.0, browser-based applications are considered "public clients;" the specification has an Implicit Grant workflow to handle clients of this type. Public clients are clients that cannot ensure that a client identifier or client secret be kept secret, therefore, the Implicit Grant flow does not explicitly rely on the requirement that it have a client secret. Rather, the client pre-registers a redirect-URI with the authorization server prior to gaining access tokens.

So, in short, there isn't a good way to pass a client secret "over the wire" in a browser-based application. (Or at least not a good way that I have discovered.) Rather the OAuth 2.0 Implicit Grant workflow can be used instead.