Answer the question
In order to leave comments, you need to log in
What if you don't need oauth2?
Hey!
I'm trying to understand the issues of authentication / authorization. I'll tell you with an example.
1. Let's say there is a certain (micro) service, for example, a blog. This service has an external REST API https://acme.com/api/blog.
2. From the point of view of business logic, only the administrator (admin role) can write new blog posts. Regular logged in users (signed_user role) can comment, guests can just read.
3. There is a need to write a) SPA admin panel, b) General "normal" frontend, c) Native app for android and apple.
Access to the API is, of course, controlled by the access token in the request header.
The question is how to get this token. Almost any search on the AuthN/AuthZ topic in Google brings up articles on screwing up the protocol (if you can call it that) Oauth2. But I don't understand why he's here. Oauth2 allows the conditional Masha to allow the conditional service "my cats" to go to her (Masha's) VK profile and post photos of these same cats on behalf of Masha. That is, it is a delegation of authority protocol. I am aware of the "add-on" on top of it OpenID Connect, but still do not see the application in my situation of this solution.
First of all, I am confused by the ideology of scops. If Masha delegates authority to the "my cats" service, she will only allow VK to post pictures, but not read the correspondence, for example. In my case, users act explicitly (admin - writes, users - comment, guests - read). They do it consciously, directly. And I can't deduce any scopes from their roles. Well, that is, say, if there is some purely admin resource like https://acme.com/api/stats, then no one can get there anyway without passing an access_token with the required role.
In other words, I would need only the flow of obtaining two tokens from Oauth2 (after all, a refresh token is also required for native applications), without mentioning the scope.
Are there any examples of authentication/authorization for a REST API without delegation context? Or does everything somehow result in this notorious Oauth2 + OpenID Connect in any case, if the API is open?
Answer the question
In order to leave comments, you need to log in
If you don't need it, don't write. In general, Oauth is a common entity for uniform operation.
This article describes in detail.
https://habr.com/ru/company/dataart/blog/311376/
In principle, if you need authentication. You can implement your own exchange scheme, on the plus side, tokens will not be as verbose as JWT.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question