restify-oauth2
Use and Configuration
To use Restify–OAuth2, you need to pass it some additional settings, including the hooks discussed below. Restify–OAuth2 also depends on the authorizationParser and bodyParser plugins, the latter with mapParams set to false. That looks like this:
var restify = require("restify");
var restifyOAuth2 = require("restify-oauth2");
var server = restify.createServer({ name: "My cool server", version: "1.0.0" });
server.use(restify.authorizationParser());
server.use(restify.bodyParser({ mapParams: false }));
restifyOAuth2.cc(server, options);
// or
restifyOAuth2.ropc(server, options);
Unfortunately, Restify–OAuth2 is not a simple Restify plugin. It needs to install a route for the token endpoint, whereas plugins only run on every request and do not modify the server's routing table.
Options
The options you pass to Restify–OAuth2 depend mainly on which of the two flows you choose. Some settings are the same for both flows, but options.hooks depends heavily on the flow you pick. Once you provide the appropriate hooks, OAuth 2 is implemented for you.
Client Credentials Hooks
The idea behind this very simple OAuth 2 flow is that your API clients identify themselves with client IDs and secrets, and if those values authenticate, you grant them an access token they can use for further requests. The advantage of this over simply requiring basic access authentication headers on every request is that now you can set those tokens to expire, or revoke them if they fall into the wrong hands.
To install Restify–OAuth2's client credentials flow into your infrastructure, you will need to provide it with the following hooks in the options.hooks hash. You can see some example CC hooks in the demo application.
grantClientToken(clientId, clientSecret, cb)
Checks that the API client is authorized to use your API and has the correct secret. If so, it should call back with a new token; if not, authentication fails and it should call back with false. It can also call back with an error if there was some internal server error while doing the check.
authenticateToken(token, cb)
Checks that a token is valid, i.e. that it was granted in the past by grantClientToken. It should call back with the client ID for that token if so, or false if the token is invalid. It can also call back with an error if there was some internal server error while looking up the token.
Resource Owner Password Credentials Hooks
The idea behind this OAuth 2 flow is that your API clients will prompt the user for their username and password, and send those to your API in exchange for an access token. This has some advantages over simply sending the user's credentials to the server directly. For example, it obviates the need for the client to store the credentials, and allows expiration and revocation of tokens. However, it does imply that you trust your API clients, since they will have at least one-time access to the user's credentials.
To install Restify–OAuth2's resource owner password credentials flow into your infrastructure, you will need to provide it with the following hooks in the options.hooks hash. You can see some example ROPC hooks in the demo application.
validateClient(clientId, clientSecret, cb)
Checks that the API client is authorized to use your API, and has the correct secret. It should call back with true or false depending on the result of the check. It can also call back with an error if there was some internal server error while doing the check.
grantUserToken(username, password, cb)
Checks that the API client is authenticating on behalf of a real user with correct credentials. It should call back with a new token for that user if so, or false if the credentials are incorrect. It can also call back with an error if there was some internal server error while validating the credentials.
authenticateToken(token, cb)
Checks that a token is valid, i.e. that it was granted in the past by grantUserToken. It should call back with the username for that token if so, or false if the token is invalid. It can also call back with an error if there was some internal server error while looking up the token.
Other Options
hooks is required, but the following are also useful:
- tokenEndpoint: the path at which tokens are created. Defaults to "/token".
- wwwAuthenticateRealm: the value of the "Realm" challenge in the WWW-Authenticate header. Defaults to "Who goes there?".
- tokenExpirationTime: the token expiration time reported in expires_in. Note that this is only a value that gets passed along; you need to check yourself in authenticateToken whether a token has expired. Defaults to infinity.
What Does That Look Like?
OK, let's try something a bit more concrete. If you check out the example servers used in the integration tests, you'll see our setup. Here we'll walk you through the more complicated resource owner password credentials example, but the idea for the client credentials example is very similar.
/
The initial resource, at which people enter the server.
- If a valid token is supplied in the Authorization header, req.username is truthy, and the app responds with links to /public and /secret.
- If no token is supplied, the app responds with links to /token and /public.
- If an invalid token is supplied, Restify–OAuth2 intercepts the request before it gets to the application, and sends an appropriate 400 or 401 error.
/token
The token endpoint, managed entirely by Restify–OAuth2. It generates tokens for a given client ID/client secret/username/password combination.
The client validation and token-generation logic is provided by the application, but none of the ceremony necessary for OAuth 2 conformance, error handling, etc. is present in the application code: Restify–OAuth2 takes care of all of that.
/public
A public resource anyone can access.
- If a valid token is supplied in the Authorization header, req.username contains the username, and the app uses that to send a personalized response.
- If no token is supplied, req.username is null. The app still sends a response, just without personalizing.
- If an invalid token is supplied, Restify–OAuth2 intercepts the request before it gets to the application, and sends an appropriate 400 or 401 error.
/secret
A secret resource that only authenticated users can access.
- If a valid token is supplied in the Authorization header, req.username is truthy, and the app sends the secret data.
- If no token is supplied, req.username is null, so the application uses res.sendUnauthorized() to send a nice 401 error with WWW-Authenticate and Link headers.
- If an invalid token is supplied, Restify–OAuth2 intercepts the request before it gets to the application, and sends an appropriate 400 or 401 error.