How to implement OAuth correctly in an API with Laravel Passport?
I am trying to create an API and use it in my own applications (a web application and a native mobile application), and also make it available to third-party applications (this is for a future purpose).
I have read the Laravel Passport documentation, but I have some doubts and I hope someone can help me.
As a developer, I always try to find the best and correct way to implement my projects and to find the right package for the project's purpose.
A brief description of what I want to do:
I want to create an API that I will use in my own website and mobile application. My API has two endpoints for registering and logging in students and teachers. They can log in with email and password. Each user type has its own information. A teacher can have a résumé, and students can see teachers' résumés (the whole creating and reading of résumés is handled in my API), and both user types can communicate with each other. I am using Laravel 6.x to build my API. We have a developer section on our subdomain where developers can register an account and get/buy an access token to make requests to my API and use it. On the other hand, I want the API to generate an access token for a student or teacher when they log in to their account, so that my application can use that token and pass it in every request to keep the user authenticated for access to their private resources, such as their dashboard. As we know, APIs are stateless and we cannot use sessions to store user credentials, so we need an access token.
Can Laravel Passport generate both the developer access token and the user (teacher or student) access token?
Is it correct to use OAuth here to develop my API?
Or can I just use the tymondesigns/JWT package for these purposes?
I have to say I am new to OAuth and API-based applications. I have read some articles about OAuth and I am somewhat familiar with OAuth terminology, but I still don't know how to implement this project correctly.
So here are my questions:
- What exactly is an OAuth server? Is it my own server that hosts the API?
- After the Laravel Passport configuration and database migration, Laravel Passport created some tables in my database. I would really appreciate it if you could tell me the purpose of each table. The table names are failed_jobs, oauth_access_tokens, oauth_auth_codes, oauth_clients, oauth_personal_access_clients and oauth_refresh_tokens.
- I've configured my Laravel application to use Laravel Passport and I created two routes in my api.php file:
Route::post('login','API\Auth\UserAuthController@login');
Route::post('register','API\Auth\UserAuthController@register');
Then I created the UserAuthController.php file and wrote the login and register methods. They work without any problem. After a user registers or logs in to their account, my code generates a personal access token:
$token = $user->createToken('authentication')->accessToken;
Then a student or teacher can use this access token to access their own private resources. Is it correct to create a personal access token for my two types of users? What exactly is a personal access token?
I only know that you can pass it in the request header and the server will authorize you to access private resources. By private resources I mean endpoints protected by the API middleware, like this:
Route::post('/update-info','API\Auth\UserAuthController@update')->middleware('auth:api');
- Am I doing right to create a personal access token when teachers and students log in to their account, or should I handle it another way? This way works, but I'm looking for the correct way if there is one.
- The weird thing here is that Laravel Passport creates a token every time users log in and doesn't check whether they have already created a token. If someone can access the API endpoint, they can make POST requests to the /login endpoint and create a lot of tokens. Is it a problem? How to fix it?
- When I create a personal access token I need to pass an argument to the createToken($arg) method, and it is stored in the oauth_personal_access_clients table. What is the purpose of this? Is it just for Laravel Passport's purposes, or might I need it in the future?
- I have some endpoints which are not protected by the auth:api middleware. For example, every user visiting my application can search for teacher names, lessons and so on; it's not necessary to make them log in or register first. These endpoints are accessible to everyone in my application, and they are free to search and do advanced searches for some information. My question is: if I make them accessible to everyone, how can I protect these endpoints so that only my first-party app and third-party apps can access them? I mean I don't want people to access them from the command line, Postman or similar tools without an access token. I want to protect these endpoints from attackers making a huge number of requests to bring my server down. How can I protect this kind of endpoint? I know I can limit requests per minute, but I don't know what the limit should be. Is there any other way?
- I see there is a term called clients in OAuth terminology. As I understand it, clients are applications like web applications, native mobile apps and any other applications that use my API. Am I right? And I think this is for third-party application authentication. I'm a little bit confused after reading the Laravel Passport documentation about clients; when I configured Laravel Passport, it generated two clients and stored them in the database. Do I need to create a client for my applications? How can I skip the authorization flow just for first-party applications?
- After the Laravel Passport configuration, I can see it generates some default routes for clients:
/oauth/clients
/oauth/clients/{client-id}
/oauth/authorize
/oauth/token
What are these routes for? Do I need them to build my first-party applications?
- As I said, the future purpose of this application is to make the API accessible to third-party applications. I have to create a web page where developers register an account and get/buy a token to access my API. Is it possible to do that with Laravel Passport, or should I write my own logic to make it work? Do I need to create a client for my third-party clients?
Thank you very much for your help <3
It would take me a long time to answer each of your questions in depth, so I have tried to link to the relevant sections of the RFC for further reading.
Basically, I would suggest using the password credentials grant flow for your first-party clients (your mobile app and web app). One of the clients that Laravel creates for you will be the "Laravel Password Grant Client", and its documentation is available here.
You would still need to define your own "register" route, but you can use the oauth/token route instead of your own /login route.
- What exactly is an OAuth server? Is it my own server that hosts the API?
The OAuth server would be your server running Passport. Or, in the official terminology of the RFC, the OAuth server/Passport server would be called the "authorization server".
In your case, the "resource server" that serves your content, the API, would be the same server as the "authorization server".
- After the Laravel Passport configuration and database migration, Laravel Passport created some tables in my database. I would really appreciate it if you could tell me the purpose of each table. The table names are failed_jobs, oauth_access_tokens, oauth_auth_codes, oauth_clients, oauth_personal_access_clients and oauth_refresh_tokens.
failed_jobs: this table is not directly related to Passport. It is related to Laravel's queues. See Dealing With Failed Jobs.
The remaining tables are there so that Passport can keep track of the clients and codes it creates.
oauth_clients: see the RFC clients section.
oauth_access_tokens: see the RFC access tokens section.
oauth_auth_codes: see Authorization Code Grant.
oauth_personal_access_clients: a personal access client does not seem to be part of the official spec, but it is basically a client used when a user wants to get an access token directly instead of through an application or website. Typically this would be a developer who wants to get an access token to be able to call API endpoints on their own account. The personal access clients table stores the clients created specifically for this purpose. Usually there would be only one of these.
oauth_refresh_tokens: see the RFC refresh tokens section.
- Is it right to create a personal access token for my two types of users? What exactly is a personal access token?
Each user would need to get their own access token, but not a personal access token. Personal access tokens are just access tokens created specifically for users who want to generate and use access tokens themselves. In Laravel Passport specifically, they are access tokens linked to the "Laravel Personal Access Client".
So in your case, your server would create "normal" access tokens for users, not "personal" access tokens.
- Am I doing right to create a personal access token when teachers and students log in to their account, or should I handle it another way? This way works, but I'm looking for the correct way if there is one.
See the answer to question 3.
- The weird thing here is that Laravel Passport creates a token every time users log in and doesn't check whether they have already created a token. If someone can access the API endpoint, they can make POST requests to the /login endpoint and create a lot of tokens. Is it a problem? How to fix it?
I don't think this is a problem. The oauth/token route is rate limited. You can rate limit it further.
You can also listen to events and delete or revoke tokens if you want to limit the number of tokens a single user has.
- When I create a personal access token I need to pass an argument to the createToken($arg) method, and it is stored in the oauth_personal_access_clients table. What is the purpose of this? Is it just for Laravel Passport's purposes, or might I need it in the future?
This table is only for Laravel Passport's purposes. It is also useful when you want to audit or debug something later.
The row you see in the oauth_personal_access_clients table was created when you ran php artisan passport:install.
When you call createToken, a new row is inserted into oauth_access_tokens.
- I have some endpoints which are not protected by the auth:api middleware. For example, every user visiting my application can search for teacher names, lessons and so on; it's not necessary to make them log in or register first. These endpoints are accessible to everyone in my application, and they are free to search and do advanced searches for some information. My question is: if I make them accessible to everyone, how can I protect these endpoints so that only my first-party app and third-party apps can access them? I mean I don't want people to access them from the command line, Postman or similar tools without an access token. I want to protect these endpoints from attackers making a huge number of requests to bring my server down. How can I protect this kind of endpoint? I know I can limit requests per minute, but I don't know what the limit should be. Is there any other way?
Yes, you have to rate limit. You have to experiment and see what works for you.
- I see there is a term called clients in OAuth terminology. As I understand it, clients are applications like web applications, native mobile apps and any other applications that use my API. Am I right? And I think this is for third-party application authentication. I'm a little bit confused after reading the Laravel Passport documentation about clients; when I configured Laravel Passport, it generated two clients and stored them in the database. Do I need to create a client for my applications? How can I skip the authorization flow just for first-party applications?
Yes, clients are things like web applications, mobile applications, etc. Normally you would have a new client for each mobile app, web app, CLI, etc., but in addition to those, Laravel defines your "Password Grant Client" and "Personal Access Client" clients, which have specific purposes.
You can use the Laravel Password Grant Client for both of your applications, since they are first-party applications.
You can skip the authorization flow for first-party applications by using the /oauth/token route provided by the password grant client.
The RFC section on the password credentials flow is available here.
You can read more about how the RFC defines clients here.
- What are these routes for? Do I need them to build my first-party applications?
First-party applications need:
/oauth/token
First-party applications do not need:
/oauth/clients: this is for third-party developers to see which clients they have created.
/oauth/clients/{client-id}: for third-party developers to update one of their clients.
/oauth/authorize: this route would be called by third-party developers to start the authorization grant flow with their client ID and secret.
You can read more about the above routes in the "JSON API" section of Managing clients.
- As I said, the future purpose of this application is to make the API accessible to third-party applications. I have to create a web page where developers register an account and get/buy a token to access my API. Is it possible to do that with Laravel Passport, or should I write my own logic to make it work? Do I need to create a client for my third-party clients?
Laravel Passport provides Vue components you can use so that developers can create clients. You can use these components, or create your own frontend and call the JSON API routes from your own frontend.
Keep in mind that OAuth was originally designed for the case where a third-party application needs to access content on behalf of a user. So a third-party application would get a client ID and client secret, and instead of getting an access token directly, they would need to go through one of the authorization grant flows for each user they want to act on behalf of.
If you will never have third-party applications that need to act on behalf of a user, it may be worth considering the other protocols mentioned in the comments.
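The answer recommends replacing the custom /login route with Passport's oauth/token route and the password grant. The following is an added example of what that exchange looks like from a first-party client's side; it is not code from the answer, the question or the Passport project. It assumes Guzzle is installed, that the base URL, user credentials and the /api/user path are placeholders, and that the client id and secret are the ones `php artisan passport:install` wrote to the oauth_clients row for the "Laravel Password Grant Client".

```php
<?php
// Added example: a first-party client (web backend, test script) talking to Passport.
// Placeholders: base URL, client id/secret, user credentials and the /api/user path.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\ClientException;

final class PassportPasswordGrantClient
{
    /** @var Client */
    private $http;
    /** @var string */
    private $clientId;
    /** @var string */
    private $clientSecret;

    public function __construct(string $baseUri, string $clientId, string $clientSecret)
    {
        $this->http = new Client(['base_uri' => $baseUri, 'timeout' => 10]);
        $this->clientId = $clientId;
        $this->clientSecret = $clientSecret;
    }

    /**
     * Exchange the user's email and password for an access token and a refresh token.
     * This is the call that replaces a hand-written /login route: Passport's
     * oauth/token route checks the credentials and issues the token itself.
     */
    public function login(string $email, string $password, string $scope = ''): array
    {
        return $this->token([
            'grant_type'    => 'password',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'username'      => $email,
            'password'      => $password,
            'scope'         => $scope,
        ]);
    }

    /** Obtain a fresh access token without asking the user for their password again. */
    public function refresh(string $refreshToken, string $scope = ''): array
    {
        return $this->token([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'scope'         => $scope,
        ]);
    }

    /** Call an endpoint behind the auth:api middleware, presenting the bearer token. */
    public function get(string $path, string $accessToken): array
    {
        $response = $this->http->get($path, [
            'headers' => [
                'Authorization' => 'Bearer ' . $accessToken,
                'Accept'        => 'application/json',
            ],
        ]);

        return json_decode((string) $response->getBody(), true);
    }

    private function token(array $params): array
    {
        try {
            $response = $this->http->post('/oauth/token', ['form_params' => $params]);
        } catch (ClientException $e) {
            // 400/401 from the authorization server: bad credentials, unknown client, bad grant.
            $body = json_decode((string) $e->getResponse()->getBody(), true);
            throw new RuntimeException('Token request failed: ' . ($body['error'] ?? $e->getMessage()), 0, $e);
        }

        // Passport answers with token_type, expires_in, access_token and refresh_token.
        return json_decode((string) $response->getBody(), true);
    }
}

// Usage (all values are placeholders for this example).
$client = new PassportPasswordGrantClient(
    'https://api.example.test',
    getenv('PASSPORT_PASSWORD_CLIENT_ID') ?: '2',
    getenv('PASSPORT_PASSWORD_CLIENT_SECRET') ?: 'replace-with-the-secret-from-passport-install'
);
$tokens  = $client->login('teacher@example.test', 'correct-horse-battery-staple');
$profile = $client->get('/api/user', $tokens['access_token']);
printf("Authenticated as %s; token expires in %d seconds\n", $profile['email'] ?? '?', $tokens['expires_in']);
```

The password grant hands the user's raw password to the client, which is why the answer reserves it for first-party applications; a native mobile app also cannot keep the client secret confidential, so on that client the secret only identifies the app rather than authenticating it. The refresh token is what lets the app keep a short access-token lifetime without prompting for the password again.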
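The answer also mentions listening to Passport's events to revoke tokens when you want to cap how many live tokens one user holds. This added example, not from the answer or from Passport itself, is a listener for Passport's `Laravel\Passport\Events\AccessTokenCreated` event (which carries `tokenId`, `userId` and `clientId`); the class name, the per-client cap of three and the pure `supersededIds` helper are my own choices.

```php
<?php
// Added example: app/Listeners/RevokeSupersededTokens.php (class name is my own).
// Register it in App\Providers\EventServiceProvider::$listen as
//   \Laravel\Passport\Events\AccessTokenCreated::class => [\App\Listeners\RevokeSupersededTokens::class],
namespace App\Listeners;

use Laravel\Passport\Events\AccessTokenCreated;
use Laravel\Passport\RefreshToken;
use Laravel\Passport\Token;

class RevokeSupersededTokens
{
    /**
     * Maximum live access tokens a single user may hold per OAuth client
     * (e.g. phone, laptop and one spare). Constructed value for this example.
     */
    const KEEP_PER_CLIENT = 3;

    /**
     * Passport fires AccessTokenCreated every time oauth/token (or createToken)
     * issues a token, so repeated logins are the natural place to prune.
     */
    public function handle(AccessTokenCreated $event): void
    {
        // All still-valid tokens for this user and client, newest first, new token included.
        $liveIds = Token::where('user_id', $event->userId)
            ->where('client_id', $event->clientId)
            ->where('revoked', false)
            ->orderByDesc('created_at')
            ->pluck('id')
            ->all();

        $superseded = self::supersededIds($liveIds, self::KEEP_PER_CLIENT, $event->tokenId);
        if ($superseded === []) {
            return;
        }

        // Revoke rather than delete: the rows stay for auditing, and auth:api rejects
        // a revoked token on the next request.
        Token::whereIn('id', $superseded)->update(['revoked' => true]);
        RefreshToken::whereIn('access_token_id', $superseded)->update(['revoked' => true]);
    }

    /**
     * Given live token ids ordered newest first, return the ids that exceed the cap.
     * The freshly issued token is always kept, whatever its position in the list.
     *
     * @param string[] $liveIdsNewestFirst
     * @return string[]
     */
    public static function supersededIds(array $liveIdsNewestFirst, int $keep, string $newTokenId): array
    {
        $others = array_values(array_filter(
            $liveIdsNewestFirst,
            static function (string $id) use ($newTokenId): bool {
                return $id !== $newTokenId;
            }
        ));

        // The new token occupies one of the $keep slots; the rest go to the newest older tokens.
        return array_slice($others, max($keep - 1, 0));
    }
}
```

With this in place the "lots of tokens" concern from the question is bounded: no matter how often /oauth/token is called for one account, at most KEEP_PER_CLIENT tokens per client remain usable, and older sessions are signed out in the process, which is the trade-off to decide on before lowering the cap to one.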