OAuth redirect URI alternatives for non-web applications?

落爺英雄遲暮 submitted on 2019-12-10 20:55:23

Question


What would be the best way to handle redirect URIs for OAuth authentication?

In a few projects, I used to boot up a web server that would wait for the authentication to be sent back. Is there any way to trigger any type of code without a local web server, or is it the recommended way?

I'm not asking for help about any specific languages, this is more like a language agnostic question.


Answer 1:


Side note: nice avatar... :)

Deciding on the best approach will depend on the exact scenario and any additional requirements your application might have, however, we can look at a few options and possible implication of choosing them.

The OAuth 2.0 specification suggests a few options to solve this issue, either using an embedded user-agent or relying on an external one.

The embedded user-agent may allow you better control on the UI aspects, however, by leveraging an external user-agent your users might benefit from an already established session and avoid having to input credentials one more time.

For an external user-agent we have a few options:

External user-agent - the native application can capture the response from the authorization server using a (1) redirection URI with a scheme registered with the operating system to invoke the client as the handler, (2) manual copy-and-paste of the credentials, (3) running a local web server, (4) installing a user-agent extension, or by (5) providing a redirection URI identifying a server-hosted resource under the client's control, which in turn makes the response available to the native application.

Option 1:

You configure a redirect using a custom scheme that your application registered in the operating system; this way your application gets called when an external user-agent receives a response indicating a redirect to your scheme.

Option 2:

You redirect somewhere that just shows a pretty page with the code and ask the user to input it manually in your application.

Option 3:

You already used this one, basically the application starts a local web server and you configure the redirect to be something along the lines of http://localhost:[port]/.

Option 4:

By installing a user-agent extension you would have code running with the browser that could communicate the code automatically to your applications.

Option 5:

You configure a redirection URI that points to some server-side code you host and that your client Android application is aware of so that it can grab the code from that URL.


For much more information on this topic, check: OAuth 2.0 for Native Apps

As an additional note, if you don't want to go full server-side on the options that require some logic on the server, you can accomplish the same using far fewer lines of code by writing your server-side logic as a Webtask (be sure to use a custom domain).

Disclosure: I'm an Auth0 engineer.
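The local-web-server approach (option 3) as an added example, not code from the original answer or from Auth0: a one-shot loopback listener that binds 127.0.0.1 on an ephemeral port (the loopback IP literal, as RFC 8252 recommends, rather than the name localhost) and rejects any redirect whose `state` does not match the value generated for this run, which is what keeps a stray or attacker-initiated redirect from being accepted as the user's authorization. The `/callback` path is an assumption; building the authorization URL and opening the browser are left to the caller.

```python
# Added example, not part of the original answer: a one-shot loopback listener
# for option 3 that validates `state` before accepting the authorization code.
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

def parse_redirect(path, expected_state):
    """Return the `code` from the redirect request path, or raise ValueError
    if `state` is missing/mismatched (not our request) or an error came back."""
    qs = parse_qs(urlparse(path).query)
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for the request we started")
    if "error" in qs:
        raise ValueError("authorization error: " + qs["error"][0])
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in response")
    return code

class LoopbackServer:
    """Bind an ephemeral port on 127.0.0.1 and wait for exactly one redirect."""
    def __init__(self):
        self.state = secrets.token_urlsafe(32)  # fresh per authorization request
        self.result = None  # the code (str) or the exception raised while parsing
        outer = self
        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                try:
                    outer.result = parse_redirect(self.path, outer.state)
                    status, body = 200, b"Authorization complete; you may close this tab."
                except ValueError as exc:
                    outer.result = exc
                    status, body = 400, str(exc).encode()
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(body)
        self.httpd = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: OS picks a free one
        self.redirect_uri = "http://127.0.0.1:%d/callback" % self.httpd.server_port  # assumed path

    def wait_for_code(self, timeout=300):
        self.httpd.timeout = timeout  # handle_request() gives up after this
        self.httpd.handle_request()   # serves a single request, then returns
        self.httpd.server_close()
        if self.result is None:
            raise TimeoutError("no redirect received")
        if isinstance(self.result, Exception):
            raise self.result
        return self.result
```

Typical flow: construct `LoopbackServer()`, put its `redirect_uri` and `state` into the authorization request, open that URL in the system browser, then call `wait_for_code()`; register the redirect URI with the authorization server as the loopback address without a fixed port, since the port changes per run.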



Source: https://stackoverflow.com/questions/40367795/oauth-redirect-uri-alternatives-for-non-web-applications
