OAuth2 & OpenID Connect - mobile app & backend server access & refresh token usage

Question


So I'm trying to use Google Sign In and Sign in with Apple in my native mobile app which also communicates with my own backend server. I think I have the grasp of the OAuth2 flow and the concept of ID Tokens behind OpenID Connect. The only doubt I have is if I can/should use the access/refresh token pair to authorize access to my own endpoints? In Apple's documentation this isn't clearly stated, and on Google's site they mention you CAN use it to access Google APIs, but nowhere have I found you could use it for your own backend server. If not, how should this be approached (generating my own access/refresh token pair after validating the authorization server's ID Token?)

Note that I only need to authenticate my users via these platforms, I don't want access to other Google APIs (for now).

TL;DR: Can I use Apple's/Google's access/refresh token pair to authorize access to my own backend's endpoints or should I generate my own/do something else?

Answer 1

Score: 1


You can use the tokens provided to you, but often, sooner or later, you will want to customize what they contain, and then introducing your own local provider can be a solution: your internal services trust the tokens from your own service, and your auth server trusts the tokens from Apple/Google.

The second problem is that your internal systems might need to trust multiple token issuers. In my experience, it is better to internally trust only one token service and not multiple, even if this is not a hard requirement.
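The arrangement the answer recommends, as an added example that is not part of the original question or answer: a Go sketch of a backend that trusts the provider's ID token exactly once, at login, then mints and checks its own tokens for its own endpoints. It uses only the standard library. `ourIssuer`, `ourAPI`, the key id `kid-1` and the secrets are hypothetical values; the in-memory `keys` map stands in for the RSA public keys a real backend fetches (and caches) from the provider's JWKS endpoint; and `MintProviderIDToken` exists only to simulate Apple/Google signing a token, since a backend never holds that private key.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of JWT claims checked here, for both the provider's ID token and our own session token.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

// Issuer and audience of our own tokens: hypothetical values, not anything Apple or Google define.
const ourIssuer, ourAPI = "https://auth.example.com", "internal-api"
var b64 = base64.RawURLEncoding

func encodeJWT(hdr map[string]string, c Claims, sign func([]byte) []byte) string {
	h, _ := json.Marshal(hdr)
	p, _ := json.Marshal(c)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return input + "." + b64.EncodeToString(sign([]byte(input)))
}

// decodeJWT pins the algorithm (rejecting "none" and RS256/HS256 key confusion), verifies the signature, then reads claims.
func decodeJWT(token, wantAlg string, verify func(kid string, input, sig []byte) error, want Claims, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != wantAlg {
		return nil, errors.New("bad header or unexpected alg")
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || verify(hdr.Kid, []byte(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // claims are only parsed after the signature holds
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != want.Iss || c.Aud != want.Aud || (want.Nonce != "" && c.Nonce != want.Nonce) || now.Unix() >= c.Exp {
		return nil, errors.New("claims rejected (issuer, audience, nonce or expiry)")
	}
	return &c, nil
}

// MintProviderIDToken stands in for Apple/Google signing an RS256 ID token; the private key is here only to build test input.
func MintProviderIDToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	return encodeJWT(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}, c, func(input []byte) []byte {
		d := sha256.Sum256(input)
		sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:]) // error ignored: simulation only
		return sig
	})
}

// VerifyProviderIDToken is the auth server's check of a provider ID token: key selected by kid from the provider's
// published keys, our client ID as the required audience, and the nonce the app generated for this login.
func VerifyProviderIDToken(token string, keys map[string]*rsa.PublicKey, iss, clientID, nonce string, now time.Time) (*Claims, error) {
	return decodeJWT(token, "RS256", func(kid string, input, sig []byte) error {
		if pub := keys[kid]; pub != nil {
			d := sha256.Sum256(input)
			return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
		}
		return errors.New("unknown kid " + kid)
	}, Claims{Iss: iss, Aud: clientID, Nonce: nonce}, now)
}

func hmacSHA256(secret, input []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(input)
	return m.Sum(nil)
}

// IssueSessionToken mints our own short-lived HS256 access token for the internal user mapped from the provider's (iss, sub).
func IssueSessionToken(secret []byte, internalUserID string, now time.Time) string {
	c := Claims{Iss: ourIssuer, Aud: ourAPI, Sub: internalUserID, Exp: now.Add(15 * time.Minute).Unix()}
	return encodeJWT(map[string]string{"alg": "HS256", "typ": "JWT"}, c, func(in []byte) []byte { return hmacSHA256(secret, in) })
}

// VerifySessionToken is what every internal endpoint runs: it trusts only our issuer and key, never a provider token.
func VerifySessionToken(token string, secret []byte, now time.Time) (*Claims, error) {
	return decodeJWT(token, "HS256", func(_ string, input, sig []byte) error {
		if !hmac.Equal(sig, hmacSHA256(secret, input)) {
			return errors.New("bad signature")
		}
		return nil
	}, Claims{Iss: ourIssuer, Aud: ourAPI}, now)
}
```

The login exchange is then: the app posts the provider's ID token plus the nonce it generated; the auth server runs `VerifyProviderIDToken`, looks up or creates the internal user for the provider's (iss, sub) pair, and returns `IssueSessionToken`; every other endpoint calls only `VerifySessionToken`. A provider ID token replayed against an internal endpoint is rejected on the pinned algorithm before any key is consulted, which is the single-issuer property the answer argues for. Refreshing your own sessions is then entirely your concern (typically an opaque, server-stored, rotating refresh token); the provider's access/refresh tokens only need to be kept, on the auth server, if you later call the provider's own APIs. In production use a maintained JWT/OIDC library and cache the provider's JWKS with key rotation in mind; the checks above are what that library must be configured to perform.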


huangapple
  • Posted on 2022-11-16 17:45:57
  • When reposting, please keep this link: https://go.coder-hub.com/74458279.html