javascript - Moving from Session-based token mechanism to OAuth 2.0 mechanism -


The owner of a Play Framework application to provide a set of restore APIs for acting as a backend server I am I have an Angular JS application that calls API via backend-server via AJAX.

Currently, I use a solution based on the session-token mechanism.
This means that when a user logs successfully, a cookie is recovered on the client side with an authentication token. On each request, the cookie value provided by the client request (Eth Token) is extracted on the server and if valid, the request is made.

Now I want to use OAuth 2.0. Are the reasons :

  • This is a great standard way of securing the API, to avoid using the datastore (memkachad), to keep the token on the server side, as I currently make available I am here.
  • I want to provide some clients_centers and nons better secure than a single cookie so that some avoid recurrence attacks ...
  • I restrict the quantity of customers I want, as far as the Public Rest API I provide, that is, the API allows anonymous calls, for example to list the list of items.

    The issue is that I do not want to include the third party because I have all the preserved resources myself
    I was understood how to protect the internal REST API with OAuth 2.0, which normally executes 2-leg instead of 3-step.

    However, I do not know how the client credentials flow can authenticate a specific user when calling a REST API that requires user authentication. is.

    In fact, the flow of client credentials is global client_id , client_secret key (global for the app, therefore in my case is based on my javascript) app ), And therefore specific users and administrators are not specific enough to target their specific rights.

    Any help would be great.

    It seems that you should use "resource owner" password credentials grant "() it dead Is simple - put in the Client ID / Privacy Authority header and put the username / password in the query variable. Here is an example from RFC: 

      POST / token HTTP / 1.1 host: server Example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content Type: Application / x-www-form-urlencoded grant_type = password and user no M = johndoe & password = a3ddj3w   
     The server side can check for both validity of the customer (both as well as users) just remember that client credentials It is impossible to protect because it will be embedded in your (downloadable) Javascript code. The username / password is entered directly by the end user.

Comments

Post a Comment

Popular posts from this blog

c - Mpirun hangs when mpi send and recieve is put in a loop -

I was trying to use the program to use mifrewan on 4 node clusters. Distributing node 0 data in nodes 1, 2 and 3. In the program, from '90 'to variable values ​​of' dior 'to be calculated. Therefore the node is distributing data and collecting results in an omitted fashion (for different values ​​of var 'dir') when do {*******} Whereas (dir Loop is given, Mippun is hanging, and no output is found. But when I comment on two {*******} (dir The loop output is obtained for the initial value of variable dir dir = -90 ), and that output is correct. The problem occurs when the loop is given. Can anyone help me in solving this problem. #include "mpi.h" int main (int argc, char * argv []) Float dir = -90; Int rank, nanoprakash; MPI_Status status; MPI_Init (& amp; argc, & argv); MPI_Comm_rank (MPI_COMM_WORLD, & amp; Rank); MPI_Comm_size (MPI_COMM_WORLD, & amp; numprocs); If (rank == 0) {/ / data to begin / / (dest = 1; dest ...
Read more

python - Apply coupon to a customer's subscription based on non-stripe related actions on the site -

I can not find anything in the source about using coupons after subscribing to a user's plan. Is it possible to use a coupon to credit a user's membership after initial subscription? If not, what is the best option? Specifically, I want to give a user 100% coupon for that month, when they take 5 [site specific actions]. This is possible, but may not be the best idea. Coupons are currently applied to the stripe, then apply again at the customer level and each client can have a single coupon. So if you are already offering discounts to the coupon, then the customer who is currently in the present will also give up. It also means that if you are using a recently-added multiple subscription capacity, then all of the user's subscription will be ready for the month. Coupons can be set to "Once", only once (as the only name) can be used by any customer, so if this credit can earn more than once, You will have to maintain a 100% discount coupon continuousl...
Read more

java - Unable to get JDBC connection in Spring application to MySQL -

मैंने स्प्रिंग में डीबी कॉन्फ़िगरेशन का पालन किया है: & lt; bean id = "dataSource" Class = "org.apache.commons.dbcp.BasicDataSource" नष्ट-विधि = "बंद" & gt; & Lt; प्रॉपर्टी नाम = "url" मान = "jdbc: dburl" / & gt; & Lt; संपत्ति नाम = "driverClassName" मान = "com.mysql.jdbc.Driver" / & gt; & Lt; संपत्ति नाम = "उपयोगकर्ता नाम" मान = "उपयोगकर्ता नाम" / & gt; & Lt; संपत्ति नाम = "पासवर्ड" मान = "पासवॉर्फ" / & gt; & Lt; प्रॉपर्टी नाम = "हटाए गए हटाए गए" मान = "सही" / & gt; & Lt; गुण नाम = "प्रारंभिक आकार" मान = "3" / & gt; & Lt; संपत्ति नाम = "अधिकतमअक्टिव" मान = "5" / & gt; & Lt; / सेम ​​& gt; डीबी से गुण मूल्यों को लोड करने के लिए अतिरिक्त कॉन्फ़िगरेशन। & lt; bean id = "config1" class = "org.apache.commons.configuration....
Read more