Alternative to authorization code flow with PKCE for native mobile apps that provides native experience
Question
I've been searching for the most advisable standard/protocol for native mobile app authentication, and most of the articles/videos to this day suggest using authorization code flow with PKCE and state its advantages.
However, most of my clients (especially those who don't need third-party login and only have username/password or phone auth in the mobile app) refuse to have a browser screen popping up for authentication, saying that it's bad user experience (and, contrary to what many articles suggest, seeing a browser with a URL doesn't give them relief that this is secure but rather makes them suspicious). There was an old question on SO which no longer holds and is actually still just trying to work around it without providing a native experience:
https://stackoverflow.com/questions/58861305/mobile-native-authentication-user-experience-and-alternatives-to-auth-code-pk
So my question is: what is a good standard/protocol that is advised from a security perspective and has good support (available implementations/libs/tools), but can still provide a native mobile experience without browsers at all?
Answer 1
Score: 1
In my case (I use Laravel Passport), and although it is no longer a recommended practice, I use the password grant type and the refresh token grant type. I keep the client id and client secret in the backend; from the frontend I only receive the username and password, and in the backend I make a request to the authorization endpoint, adding the grant type, client id and client secret to the request, so I can provide the frontend with the access token and the refresh token.
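The backend-for-frontend described in this answer, as an added Python example that is not the answerer's code nor part of Laravel Passport: the app sends only username/password to the backend, which adds `grant_type`, `client_id` and `client_secret` before forwarding to the token endpoint, and relays only the token fields back. The `/oauth/token` path and form field names follow Passport's documented password and refresh-token grants; `TOKEN_URL`, `CLIENT_ID` and `CLIENT_SECRET` are placeholders, and the `transport` parameter is a hypothetical hook so the flow can be exercised without a live server.

```python
# Added example (not from the question or answer): a backend proxy for the
# password grant so the client secret never ships inside the mobile app.
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://passport.example.invalid/oauth/token"  # placeholder
CLIENT_ID = "1"                                               # placeholder
CLIENT_SECRET = "server-side-only-secret"                     # placeholder, never sent to the app
# Only these fields of the token response are relayed to the mobile client.
RELAYED = ("token_type", "expires_in", "access_token", "refresh_token")

def password_grant_body(username, password, scope=""):
    """Form body for grant_type=password; the secret is added here, server side."""
    return {"grant_type": "password", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "username": username,
            "password": password, "scope": scope}

def refresh_grant_body(refresh_token, scope=""):
    """Form body for grant_type=refresh_token, again with the secret added server side."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "scope": scope}

def post_form(body, transport=None):
    """POST a form-encoded body to the token endpoint; `transport` injects a fake server."""
    if transport is not None:
        return transport(body)
    req = Request(TOKEN_URL, data=urlencode(body).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded",
                           "Accept": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)

def tokens_for_frontend(token_response):
    """Reduce the token response to what the app needs; hide server-side error detail."""
    if "access_token" not in token_response:
        return {"error": "invalid_credentials"}  # generic failure, no field-level hints
    return {k: token_response[k] for k in RELAYED if k in token_response}

def login(username, password, transport=None):
    """Handler for the backend's own login route: username/password in, tokens out."""
    return tokens_for_frontend(post_form(password_grant_body(username, password), transport))

def refresh(refresh_token, transport=None):
    """Handler for the backend's own refresh route: refresh token in, new tokens out."""
    return tokens_for_frontend(post_form(refresh_grant_body(refresh_token), transport))
```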