API
hack3p, 2017-09-20 16:46:42

How to authorize users through OAuth2 in your own application?

Hello, this is the first time I am writing an API, and even more so user authorization through it. I read the OAuth2 RFC, and I understand how the protocol works; the RFC has two fairly visual illustrations and a description for them. However, I could not google a solution or find one on Toaster / Habr. Everywhere the description in Russian is basically the same as in the RFC, without specific explanations or implementations.
I can't figure out how to authorize a simple user who, judging by the RFC, is also a client? (In general: plain user authorization on the site with login:password.)
I understand how to authorize a third-party application to view/modify the resource owner's data.
Here is what the RFC says on this subject:


1.3.3. Resource Owner Password Credentials
The resource owner password credentials (i.e., username and password)
can be used directly as an authorization grant to obtain an access
token. The credentials should only be used when there is a high
degree of trust between the resource owner and the client (e.g., the
client is part of the device operating system or a highly privileged
application), and when other authorization grant types are not
available (such as an authorization code).
Even though this grant type requires direct client access to the
resource owner credentials, the resource owner credentials are used
for a single request and are exchanged for an access token. This
grant type can eliminate the need for the client to store the
resource owner credentials for future use, by exchanging the
credentials with a long-lived access token or refresh token.
1.3.4. Client Credentials
The client credentials (or other forms of client authentication) can
be used as an authorization grant when the authorization scope is
limited to the protected resources under the control of the client,
or to protected resources previously arranged with the authorization
server. Client credentials are used as an authorization grant
typically when the client is acting on its own behalf (the client is
also the resource owner), or is requesting access to protected
resources based on an authorization previously arranged with the
authorization server.

It follows from this that when registering users, you also need to register them as clients with full rights, and then check the access_token obtained this way in requests. However, it seems to me that this is not the right solution, because at the very least there is overhead: user registration, client registration, linking them (without user confirmation), generating auth_key, generating access_token and refresh_token, returning them.
Could you suggest implementation details and put me on the right path?
UPD:
I found a similar question on SO, but there is no correct answer there either.
To the main question I add one more option for implementing user authorization on my own site: we register our site as an application (client), and when registering users we add them all to our application. Then we obtain the token and give it to the user.
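The token endpoint the post is asking about, as an added example that is not part of the original post. It implements the RFC 6749 "password" grant (section 4.3) for a first-party site, the refresh-token grant (section 6) and, for contrast, the client-credentials grant (section 4.4), plus the bearer-token check a resource server performs. The site is registered once as a confidential client; users are never registered as clients. The class and function names (`AuthorizationServer`, `basic_auth`, `introspect`), the PBKDF2 password storage, the single-use refresh tokens and the sample user and client records are all assumptions of this illustration, and a request is modelled as a dict of form fields rather than a real HTTP call.

```python
# Added example (not code from the original post): an OAuth 2.0 token endpoint
# with the password grant (RFC 6749 section 4.3), refresh_token (section 6) and
# client_credentials (section 4.4), plus bearer-token validation. The site is
# registered ONCE as a confidential client; users are never clients. All names
# and sample records are assumptions; requests are dicts of form fields, no HTTP.
import base64
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256: store (salt, digest), never the raw password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def basic_auth(client_id, client_secret):
    """HTTP Basic client authentication header value (RFC 6749 section 2.3.1)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

class AuthorizationServer:
    ACCESS_TTL = 3600           # short-lived access tokens
    REFRESH_TTL = 30 * 86400    # long-lived, single-use (rotated) refresh tokens

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}         # client_id -> client_secret
        self.users = {}           # username -> (salt, pbkdf2 digest)
        self.access_tokens = {}   # token -> {sub, scope, exp}
        self.refresh_tokens = {}  # token -> {sub, scope, client_id, exp}

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def register_user(self, username, password):
        self.users[username] = hash_password(password)

    def _authenticate_client(self, authorization):
        """Return client_id if the Basic credentials match a registered client."""
        scheme, _, blob = authorization.partition(" ")
        try:
            client_id, _, secret = base64.b64decode(blob).decode().partition(":")
        except Exception:
            return None
        expected = self.clients.get(client_id)
        if scheme != "Basic" or expected is None:
            return None
        return client_id if hmac.compare_digest(expected.encode(), secret.encode()) else None

    def _check_user(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users (timing)
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, hash_password(password, salt)[1])

    def _issue(self, client_id, sub, scope, with_refresh=True):
        """Success response per RFC 6749 section 5.1."""
        now = self.clock()
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = {"sub": sub, "scope": scope, "exp": now + self.ACCESS_TTL}
        body = {"access_token": access, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "scope": scope}
        if with_refresh:
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = {"sub": sub, "scope": scope, "client_id": client_id,
                                            "exp": now + self.REFRESH_TTL}
            body["refresh_token"] = refresh
        return body

    def token(self, authorization, form):
        """POST /token -> (http_status, json_body); error codes per RFC 6749 section 5.2."""
        client_id = self._authenticate_client(authorization)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        grant, scope = form.get("grant_type"), form.get("scope", "")
        if grant == "password":   # resource owner = the user logging in
            if not self._check_user(form.get("username", ""), form.get("password", "")):
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(client_id, form["username"], scope)
        if grant == "client_credentials":   # resource owner = the client itself; no refresh token
            return 200, self._issue(client_id, client_id, scope, with_refresh=False)
        if grant == "refresh_token":
            rec = self.refresh_tokens.pop(form.get("refresh_token", ""), None)  # single use
            if rec is None or rec["client_id"] != client_id or rec["exp"] < self.clock():
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(client_id, rec["sub"], rec["scope"])
        return 400, {"error": "unsupported_grant_type"}

    def introspect(self, authorization):
        """Resource-server check of `Authorization: Bearer <token>`; None if rejected."""
        scheme, _, tok = authorization.partition(" ")
        rec = self.access_tokens.get(tok) if scheme == "Bearer" else None
        return None if rec is None or rec["exp"] < self.clock() else rec

if __name__ == "__main__":   # constructed sample data: one site client, one user
    srv = AuthorizationServer()
    srv.register_client("my-site", "s3cret")
    srv.register_user("alice", "correct horse")
    hdr = basic_auth("my-site", "s3cret")
    print(srv.token(hdr, {"grant_type": "password", "username": "alice", "password": "correct horse"}))
```

The user sends login:password once, gets back an access token and a refresh token, and the site then stores only the tokens. Client authentication is what distinguishes "our site" from a random caller: an attacker who obtains a user's password still cannot hit the token endpoint without the site's client secret, and a client-credentials token identifies the client, not any user, which is why it cannot serve as a login.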
