I am building a mobile app (and possibly a website as well) that uses a REST API to handle all of the logic. That said, the REST API itself should call a third-party REST API (Spotify's) to handle the app/website logic. So basically the user should log into my app/website with their Spotify account, and my API should call the Spotify Web API with their access token to retrieve the user's data and then send it back to the app/website.

Now, I have spent a lot of time studying the Spotify authentication guide, and it looks like the Authorization Code Flow should fit my use case. I definitely need to call the /authorize endpoint from my app to retrieve the code, since that requires user interaction. After that, I do get the **code**, which I should exchange for an access_token and a refresh_token.

But as I said, it is not the app itself that calls the Spotify API, but my API. So in theory I should send the received code to my API and let it handle retrieving and refreshing the access_token and refresh_token.

So my question is whether this makes sense. Is it OK to send the code from the app to my API? Not sure if this is clear, so I will attach a diagram of what I intend to do.

Also, probably after receiving the code, I would send back my own token to the app to be used with each future request (somewhat similar to what you would do when handling authorization with Facebook or other social networks).
Hmm - some assumptions below, but I would aim to use standard flows. Some solutions cannot be done in a good way, though.
BUSINESS SOLUTION
Are you trying to build an app that combines the user's Spotify data with your own data for the user?
ARCHITECTURE TO AIM FOR
Your own UIs and APIs should use tokens issued by you and not Spotify. Only use Spotify tokens when you need to access Spotify resources. This leads to simple and reliable code.
STANDARD OPTION 1
This is based on you being in control of data from multiple sources:
You should have your own login and token issuing system. UI first logs into your app, which enables it to call your API with a token.
When you want to access Spotify you need to redirect the user again. The user can then consent to you using Spotify resources in your app, after which your web / mobile UIs get a Spotify token and can call Spotify APIs.
STANDARD OPTION 2
This is based on allowing the user to sign in with a familiar credential, which works via a federated login:
Meanwhile your Web API has its own connection to Spotify that uses the Client Credentials Flow.
DOUBLE HOPPING CODES / TOKENS
This is not insecure, but it adds a lot of complexity and is not standard. You would need to maintain some kind of API session with 2 kinds of tokens per user, and access token expiry would be a horrible area.
MOBILE FLOWS
For mobile apps you should use the Authorization Code Flow (PKCE) - my blog post covers the messages and the user experience.
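As an added example (not code from either the question or the answer above), here is the Authorization Code Flow the question describes, carried out the way the answer recommends for mobile: with PKCE (RFC 7636), so the app never holds a client secret. It builds the /authorize URL, validates the redirect back (including the state check that defends against CSRF), and assembles the token-exchange body. It runs offline: no HTTP is sent, and the client_id, redirect URI and callback URL are constructed placeholders. The two Spotify endpoint URLs are taken from the Spotify developer docs; the S256 test vector is the one in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Spotify's OAuth 2.0 endpoints (from the Spotify developer docs).
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random PKCE code_verifier: 32 random bytes -> 43 chars (RFC allows 43..128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, verifier: str) -> str:
    """Step 1: the app opens this URL in the system browser; the user consents."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,                       # space-separated Spotify scopes
        "state": state,                       # random per-login, checked on return
        "code_challenge_method": "S256",
        "code_challenge": make_code_challenge(verifier),
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the code from the redirect; refuse it if state does not match."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization denied: {q['error'][0]}")
    got_state = q.get("state", [""])[0]
    if not hmac.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or mixed-up login session")
    return q["code"][0]


def build_token_request(code: str, redirect_uri: str, client_id: str,
                        verifier: str) -> dict:
    """Step 3: form body to POST to TOKEN_URL. With PKCE the code_verifier
    takes the place of a client secret, so nothing secret ships in the app."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Constructed placeholders; a real app uses its own client_id and redirect URI.
    client_id, redirect_uri = "your-client-id", "myapp://callback"
    verifier, state = make_code_verifier(), b64url(secrets.token_bytes(16))
    print(build_authorize_url(client_id, redirect_uri,
                              "user-read-private user-read-email", state, verifier))
    # Constructed redirect back from Spotify (the browser hands this to the app).
    callback = f"myapp://callback?code=AQ-example-code&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request(code, redirect_uri, client_id, verifier))
```

Whoever holds the code_verifier must be the party that POSTs to the token endpoint, since Spotify compares it against the challenge sent at /authorize. That is exactly why the double hop the question proposes gets awkward: to exchange the code on the backend, the app would also have to hand over the verifier, and the backend would then have to track a Spotify access/refresh token pair per user on top of its own session token, which is the bookkeeping the answer warns about.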