Currently, many problems arise around the OAuth flow, account switching, token management and the branding of all of this. This is an attempt to make all of it more practical with a new `account` web app: an app that acts as the OAuth provider and, at the same time, as a fully featured, branded configuration UI that addresses all account- and authentication-related concerns.
I think the big problem with the current implementation is a lack of clarity and context for the user. It is hard to see the OAuth app as an independent authentication entity. The reasons are:
I created three wireframes that show how I envision the account app. See the wireframes (note the account switcher integrated into the user dropdown at the top right).
Yes. @johanstokking @htdvisser, let me know whether you think it is a good idea to proceed.
Regarding the whole login/logout confusion between the console and the oauth provider, this is my plan:
- Use the "Account" logo and the same header component that is also used for the console (cc @pierreph)
- /console/login automatically redirects to /account/login
- Logout uses the /users/logout route
If there are no complaints about this plan, I'll start implementing it.
Sounds like a great plan. I agree that there should be no need to explicitly log out of the console and that, UX-wise, one stays logged in via OAuth. That is how it works.
What would be needed for cross-origin logout? Wouldn't that be a simple two-step approach, i.e. log out from one page, delete the access token stored in the console and then redirect to a generic logout page of the account app that logs out? Or post to a logout endpoint without redirecting?
For logout, we can take inspiration from OpenID Connect logout. A great summary is here: https://medium.com/@robert.broeckelmann/openid-connect-logout-eccc73df758f
> Sounds like a great plan. I agree that there should be no need to explicitly log out of the console and that, UX-wise, one stays logged in via OAuth. That is how it works.
> What would be needed for cross-origin logout? Wouldn't that be a simple two-step approach, i.e. log out from one page, delete the access token stored in the console and then redirect to a generic logout page of the account app that logs out? Or post to a logout endpoint without redirecting?

The two-step approach is fine. My concern is that logout from the account app would then have to work without CSRF protection, i.e. anyone who has the logout link could trick someone into logging out of their account. This is also possible in the v2 stack right now!
I think this is acceptable for now, but it is not exactly best practice.
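The CSRF concern raised above, worked through as an added example (this is not code from the thread or from lorawan-stack): a logout endpoint that refuses a bare link and only ends the session on a POST carrying a token bound to that session, so a third-party page cannot log a user out. The cookie name, form field, server key and handler wiring are assumptions made for the example; only the `/users/logout` route name comes from the thread.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed names for this example; they are not the stack's own.
const (
	sessionCookieName = "example_session"
	csrfFieldName     = "csrf_token"
)

// csrfKey is a server-side secret. Constructed placeholder: a real deployment
// loads it from configuration and rotates it, never hard-codes it.
var csrfKey = []byte("example-server-side-secret-not-for-production")

// CSRFToken derives the token the logout form must carry: HMAC-SHA256 over the
// session id under the server key. Binding it to the session means a token
// embedded in one user's page is useless against anyone else's session.
func CSRFToken(sessionID string) string {
	mac := hmac.New(sha256.New, csrfKey)
	mac.Write([]byte(sessionID))
	return hex.EncodeToString(mac.Sum(nil))
}

// validCSRF recomputes the expected token and compares in constant time.
func validCSRF(sessionID, presented string) bool {
	return hmac.Equal([]byte(CSRFToken(sessionID)), []byte(presented))
}

// LogoutHandler is the hardened form of a logout endpoint: a bare link (GET)
// is refused, and a POST only terminates the session when it carries the
// token bound to that session.
func LogoutHandler(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(sessionCookieName)
	if err != nil || c.Value == "" {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost {
		w.Header().Set("Allow", http.MethodPost)
		http.Error(w, "logout requires POST", http.StatusMethodNotAllowed)
		return
	}
	if !validCSRF(c.Value, r.PostFormValue(csrfFieldName)) {
		http.Error(w, "invalid CSRF token", http.StatusForbidden)
		return
	}
	// Expire the cookie; a real server would also delete the server-side
	// session record so the old cookie value cannot be replayed.
	http.SetCookie(w, &http.Cookie{
		Name: sessionCookieName, Value: "", MaxAge: -1, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	fmt.Fprint(w, "logged out")
}

// TryLogout drives LogoutHandler with a constructed request and returns the
// status code, so each protection can be checked in isolation.
func TryLogout(method, sessionID, token string) int {
	form := url.Values{}
	if token != "" {
		form.Set(csrfFieldName, token)
	}
	req := httptest.NewRequest(method, "/users/logout", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if sessionID != "" {
		req.AddCookie(&http.Cookie{Name: sessionCookieName, Value: sessionID})
	}
	rec := httptest.NewRecorder()
	LogoutHandler(rec, req)
	return rec.Code
}

func main() {
	const sid = "constructed-session-id"
	fmt.Println("GET link          ->", TryLogout(http.MethodGet, sid, ""))                 // 405
	fmt.Println("POST, no token    ->", TryLogout(http.MethodPost, sid, ""))                // 403
	fmt.Println("POST, wrong token ->", TryLogout(http.MethodPost, sid, CSRFToken("other"))) // 403
	fmt.Println("POST, valid token ->", TryLogout(http.MethodPost, sid, CSRFToken(sid)))     // 200
}
```

The page that renders the logout button would embed `CSRFToken(sessionID)` as a hidden form field; the two-step redirect flow discussed above still works, since the redirect can land on a page with that form rather than on a GET that logs out immediately.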
I have now done quite a bit of work for the new account app!
I did this by hard-coding an access token so that I could use the stack API. Since I don't know the best way to obtain an access token for the account app, I currently can't proceed with a proper implementation.
Currently, the "oauth app" is just an SPA that connects to the authentication endpoints of the oauth server (login, logout and other account-related endpoints that don't require an access token).
@htdvisser told me that our initial idea was to use the account app as a separate oauth client using the password grant type. I think we should open a discussion about this, because:
- I already told @htdvisser that the whole delegated authentication/authorization topic is somewhat overwhelming for me and that I don't feel knowledgeable enough to be responsible for such security-sensitive matters.
- What we should aim for is a flow where authentication for official clients feels like native authentication (see other comments), i.e. login and logout are global, the authentication state of the client and the authorization provider.
So I need some more input to continue with the account app. How can we reconcile this?
According to some sources, the password grant type is not recommended even for "official", trusted clients.
Yes, don't use the password grant. See the spec and the reasoning here:
Currently blocked by #2148
So, having worked on this for a while, I think I need some input.
The original idea of the account app was to replace the current oauth app and extend its functionality towards profile and session management (see OP). The problem with this is that the app needs an access token to implement such functionality, meaning the account app would be both an OAuth provider and an OAuth client.
My idea was to introduce a new OAuth client (`account`) on the frontend side and blend its functionality with the current OAuth app. To the user, both the OAuth provider (login, registration, account validation etc.) and the account app client (profile settings, session management, authorization management) would appear as one and the same application, while in the background there is a technical separation between OAuth provider and client. On the backend, the account client would become part of the `oauth` package. On the frontend, both could be handled as the same app by using the same entry point (`account.js`).
Similarly, routing would reflect this blend, e.g.:
- /account/login [OAuth provider layer]
- /account/register [OAuth provider layer]
- /account/forgot-password [OAuth provider layer]
- /account/client/login/ttn-stack (authorization) [OAuth client layer]
- /account/client/oauth/callback exchanges the auth code [OAuth client layer]
- /account overview page of the oauth client [OAuth client layer]
Alternatively, we could separate both concerns, leave the OAuth provider (`pkg/oauth` via `/oauth`) as it is and handle the account app (`pkg/account` via `/account`) as something completely separate, as in the case of the console. In that case the OAuth provider would only be responsible for authentication matters such as authorization, registration of user accounts etc., but it would not have its own authenticated views as it does now. Instead, after login the user is redirected to the account app by default and a token is obtained automatically.
I think the first solution avoids some of the confusion that currently surrounds authentication and account management, but I can't predict whether it would cause other problems. The second solution looks cleaner, but the question is how the separation would be communicated/branded. For example, would both still be communicated as "the account app"? Or would it be The Things Stack Single Sign On and The Things Stack Account Application?
Let me know your opinions.
Hmm, taking a step back: what is the purpose of making the account app an OAuth client? What functionality do you need via OAuth?
> All of these need an access token, because access tokens are the only way to authorize these RPCs.

We need to separate user management for the OAuth provider (e.g. external ones such as "The Things Network Community") from the management of the user entity's fields stored in The Things Stack. As I wrote in the comment above, the /api/v3/* endpoints do not accept cookie authentication because they are CORS-enabled. They only work with API keys and access tokens.
- Profile settings (name, email address, profile picture)
- Session management (review, revoke)
- Authorization management (review, revoke)
- (possibly other TTES-related meta settings in the future)
All of these need an access token, because access tokens are the only way to authorize these RPCs.
We could also build these parts into the console, but that would mean the console mixes concerns to some extent. I can also see situations where it is better to do account management without the overhead of all the other console features, but maybe I'm over-engineering this 🤷‍♂️.
Generally, the question is whether the console is seen only as a tool for managing network-related matters. We could either open it up as a general-purpose management platform for all TTS-related matters, or be more atomic, stick to separation and use different apps/clients for different concerns. This is a strategic question. There is a case for both.
I don't think the Console (all Consoles, since each cluster has one) should have full rights over the user. Don't use the Console to manage authorized OAuth clients, sessions, the primary email address or contact information. A dedicated user management app (the account app) is far better for that.
Fair enough, good point. Then back to the first question.
My view:
Mixed approach:
Separated approach:
I lean towards the mixed approach.
> - Profile settings (name, email address, profile picture)
> - Session management (review, revoke)
> - Authorization management (review, revoke)
> - (possibly other TTES-related meta settings in the future)

This is the account app, right? Not OAuth?
- Introduces a new app next to the oauth app, which requires sensible branding and communication
So what is the OAuth app?
Can you list the functionality that the OAuth client adds to the account app and that could not be built into the account app via new endpoints?
> This is the account app, right? Not OAuth?

Yes, this is the account app. But the plan was for what we currently have as the OAuth app to become part of the account app.

> So what is the OAuth app?

Authentication (as part of the OAuth flow), user registration, client authentication, password reset. Basically everything that has to do with authenticating users and authorizing clients.

> Can you list the functionality that the OAuth client adds to the account app and that could not be built into the account app via new endpoints?

The problem is rather the reverse: because we need to obtain an access token, we can't simply extend the current OAuth app with the functionality the account app needs. It's a chicken-and-egg problem. It would be different if the account app's functionality (sessions, authorizations etc.) had a different means of authorization, e.g. via the session cookie that the OAuth app has. But as far as I can see, that is not feasible.
Is the OAuth app a standalone thing? Does it implement the redirect flow for OAuth clients? Or is it the OAuth client itself?
Emphasis mine:

> My idea was to introduce a new OAuth client (`account`) on the frontend side and blend its functionality with the current OAuth app. To the user, both the OAuth provider (login, registration, account validation etc.) and the account app client (profile settings, session management, authorization management) would **appear as one and the same application**, while in the background there is a technical separation between OAuth provider and client. On the backend, the account client would become **part of the `oauth` package**.

I'm trying to understand the proposal, but I don't yet fully understand what is what.
So, what functionality is needed?
I think that with session authentication we could implement 1 to 6 without touching OAuth at all. Would that be possible?
That could be. There are a few terms here that aren't pinned down, which makes explaining this very difficult. At least this gives a good insight into the complexity of the problem.
So, let's look at the current situation.

OAuth provider
The entity that provides authorization (and in this case also authentication) according to the OAuth 2.0 spec. In our case this is the `pkg/oauth` package, which uses the OAuth app (see below) to implement the user interfaces needed to obtain user information (rendering of the login, registration and authorization views etc.).

OAuth app
This is the frontend React web application. The frontend code consists of various apps (various entry points: `oauth.js` / `console.js`) that share common parts such as React components, utilities etc.

OAuth client
A registered client, such as the console or the CLI, that uses OAuth for authentication and authorization.

oauth package
The Go package responsible for implementing the OAuth provider. This is `pkg/oauth`.

As you can see, three or four different layers are at play here. The problem is that if we keep the way authorization is done at the moment, we need something that plays all the roles outlined above at the same time.
> I think that with session authentication we could implement 1 to 6 without touching OAuth at all. Would that be possible?

Yes. 1 to 4 are already possible without oauth/access tokens. 5 and 6 currently need an access token. 7.ii is not implemented yet. If 5 and 6 were possible without an access token, we wouldn't need a separate oauth client for this. Still, we would need to take into account that all functionality we might add to the account app in the future must not use access tokens as the only means of authorization.
> If 5 and 6 were possible without an access token, we wouldn't need a separate oauth client for this. Still, we would need to take into account that all functionality we might add to the account app in the future must not use access tokens as the only means of authorization.

Right. This makes a lot of sense to me. It is also a better foundation for a "sudo mode" in which the user can do things _only_ in the account app, e.g. after re-entering their password. Still, there may be some overlap between what OAuth clients and the account app can do, but that overlap doesn't look big to me. I think there is value in keeping things dedicated to the account app.
Agreed.
@htdvisser any objections? If not, could you point me to the relevant files/packages for authorization? I don't think there is time to work on this right away (?).
As I commented before, the /api/v3/* endpoints do not accept cookie authentication because they are CORS-enabled. If we start accepting cookie authentication, we need to take a careful look at the CORS headers, because we really don't want attackers to be able to make cookie-authenticated cross-origin requests to these endpoints.
All our APIs are gRPC, and authentication is done with the `Authorization` header, which is propagated to gRPC as request metadata. Implementing session authentication would look like this:
- Add a `SessionToken` type to `pkg/auth/auth.go`
- Add a secret part to the `Session` model
- Add middleware that forwards it to the `Authorization` header
- Add a `case SessionToken` to the `switch tokenType {` in `pkg/identityserver/entity_access.go`
One thing to consider here is that this means the account app and the v3 API have to be served from the same origin. Otherwise cookie authentication won't work, because the authentication context would be spread across different origins.
I'm not sure how acceptable that is. At least in practice we seem to use the same origin in deployments.
Yes, these will be the same origin.
@kschiffer, let me know how to unblock progress here.
I wrote a summary here: https:
OK, let's continue this conversation here.
@kschiffer, working on this a bit:
> - The frontend part of the oauth app basically consists only of the authentication screens

Yes

> - I think it is very cumbersome to have to keep the `is.oauth.ui.*` config just for that
> [...]
> - I'm also a bit unsure about the exact constraints on how we can change the stack config without breaking CC.
> - I'm a bit out of luck finding a feasible solution here, so I really need some input

We can't remove config in V3, but we can introduce new config, deprecate the old config, use the old config as a fallback, and file a TODO issue labeled bump/major to remove the old config.
So my proposal is to introduce new config that enables the new account app, which completely replaces the old one. For backwards compatibility, it has to work without the user specifying this new config, i.e. rely on sane defaults and on the old config via `is.oauth.ui.*`.
@kschiffer, what is the status of this?
I'm currently rebasing my work onto the new scaffold that is in progress here: #3453
Next, I'll fix up the rebase of the authenticated views, open a PR, and adjust the current design to the new branding.
> @kschiffer, what is the status of this?

The account app was introduced in 3.11. What is currently still missing is:
OK. It looks like https://github.com/TheThingsNetwork/lorawan-stack/issues/488 has already been closed.
This is a big issue. Can we file one or two new issues for the points above to replace it, and close this one?