Table of Contents
UserAuthModule
Authentication Flow
AuthService
Storing Tokens and User Identifiers
Typical User Authentication Flow and Its Steps
Access Tokens in API Calls and Error Recovery
Persisting Authentication Data in the Browser Storage
ASM
Configuring Authorization Code Flow or Implicit Flow
A Limitation of Commerce Cloud
Commerce Cloud Authentication
Implementation of user authentication in SAP Spartacus
UserAuthModule
ClientAuthModule
UserAuthModule
Source location: spartacus\projects\core\src\auth\user-auth\user-auth.module.ts
https://github.com/SAP/spartacus/tree/develop/projects/core/src/auth/user-auth
The five main tasks of UserAuthModule
performing the authentication flow
storing tokens and user identifiers
adding access tokens to HTTP requests made on behalf of the user
recovering from API auth errors (for example, refreshing tokens when access tokens expire)
persisting the tokens in browser storage
Authentication Flow
Spartacus 3.0 uses the open-source angular-oauth2-oidc library to perform user authentication.
The highlighted area in the figure below contains the services used during the authentication process.
AuthService
AuthService is a service facade; consumers call one of the following two methods to trigger the authentication flow:
loginWithCredentials: for the Resource Owner Password Flow
loginWithRedirect: for the Implicit Flow or the Authorization Code Flow
Because the open-source angular-oauth2-oidc library needs a storage mechanism that behaves like localStorage or sessionStorage, in 3.0 we switched from NgRx to custom services that expose streams.
These services are highlighted below.
Typical User Authentication Flow and Its Steps
a user invokes login
the authentication library performs the OAuth flow and receives tokens
the authentication library sets the tokens directly in AuthStorageService through its setItem and removeItem methods.
Configuring Authorization Code Flow or Implicit Flow

```typescript
authentication: {
  OAuthLibConfig: {
    responseType: 'token', // 'code' selects the Authorization Code Flow, 'token' the Implicit Flow
  },
},
```
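The three steps above, together with the module's token-attaching and error-recovery tasks, as an added TypeScript example (not Spartacus code and not angular-oauth2-oidc code). It models a storage service with the same getItem/setItem/removeItem shape the library writes to, a stream-style accessor in place of the former NgRx selector, and a facade that attaches the access token to an API call, refreshes once on 401 and logs out when the refresh fails. The token endpoint, the API, the credentials and the token values are constructed stand-ins.

```typescript
// Added example (not Spartacus code): the client-side pieces described above.

type TokenListener = (token: string | undefined) => void;

// Same shape as angular-oauth2-oidc's OAuthStorage (getItem/setItem/removeItem).
interface OAuthStorageLike {
  getItem(key: string): string | null;
  setItem(key: string, data: string): void;
  removeItem(key: string): void;
}

class AuthStorageService implements OAuthStorageLike {
  private store = new Map<string, string>();
  private listeners: TokenListener[] = [];

  getItem(key: string): string | null {
    const v = this.store.get(key);
    return v === undefined ? null : v;
  }
  setItem(key: string, data: string): void {
    this.store.set(key, data);
    if (key === 'access_token') this.emit();
  }
  removeItem(key: string): void {
    this.store.delete(key);
    if (key === 'access_token') this.emit();
  }
  // Stream-style accessor: the listener gets the current token and every change.
  onAccessToken(listener: TokenListener): void {
    this.listeners.push(listener);
    listener(this.current());
  }
  private current(): string | undefined {
    const t = this.getItem('access_token');
    return t === null ? undefined : t;
  }
  private emit(): void {
    const t = this.current();
    for (const l of this.listeners) l(t);
  }
}

// Constructed stand-in for the OAuth server and the commerce API.
const liveAccessTokens = new Set<string>();
let accessCounter = 0;
function mintAccessToken(): string {
  const at = `at-${++accessCounter}`;
  liveAccessTokens.add(at);
  return at;
}
function stubPasswordGrant(user: string, password: string): { access_token: string; refresh_token: string } | null {
  // constructed credentials for the demonstration
  return user === 'alice' && password === 'correct horse' ? { access_token: mintAccessToken(), refresh_token: 'rt-1' } : null;
}
function stubRefreshGrant(refreshToken: string): string | null {
  return refreshToken === 'rt-1' ? mintAccessToken() : null;
}
function stubApi(authorization: string | undefined): number {
  if (!authorization || !authorization.startsWith('Bearer ')) return 401;
  return liveAccessTokens.has(authorization.slice(7)) ? 200 : 401;
}

class AuthService {
  private storage: AuthStorageService;
  constructor(storage: AuthStorageService) { this.storage = storage; }

  // Steps 1-3: user logs in, tokens are obtained and written through setItem.
  loginWithCredentials(user: string, password: string): boolean {
    const tokens = stubPasswordGrant(user, password);
    if (tokens === null) return false;
    this.storage.setItem('access_token', tokens.access_token);
    this.storage.setItem('refresh_token', tokens.refresh_token);
    return true;
  }
  logout(): void {
    this.storage.removeItem('access_token');
    this.storage.removeItem('refresh_token');
  }
  // Attaches the access token; on 401 refreshes once and retries, otherwise logs out.
  callApi(): number {
    const first = stubApi(this.authHeader());
    if (first !== 401) return first;
    const rt = this.storage.getItem('refresh_token');
    const at = rt === null ? null : stubRefreshGrant(rt);
    if (at === null) { this.logout(); return 401; }
    this.storage.setItem('access_token', at);
    return stubApi(this.authHeader());
  }
  private authHeader(): string | undefined {
    const t = this.storage.getItem('access_token');
    return t === null ? undefined : `Bearer ${t}`;
  }
}

// Login, access-token expiry with recovery, then a refresh token that no longer works.
function recoveryScenario(): { statuses: number[]; tokensSeen: (string | undefined)[] } {
  liveAccessTokens.clear(); accessCounter = 0;
  const storage = new AuthStorageService();
  const auth = new AuthService(storage);
  const tokensSeen: (string | undefined)[] = [];
  storage.onAccessToken((t) => tokensSeen.push(t));
  const statuses: number[] = [];
  auth.loginWithCredentials('alice', 'correct horse');
  statuses.push(auth.callApi());               // 200 with at-1
  liveAccessTokens.clear();                    // server side: at-1 has expired
  statuses.push(auth.callApi());               // 401, refresh, 200 with at-2
  liveAccessTokens.clear();
  storage.setItem('refresh_token', 'revoked'); // refresh is no longer possible
  statuses.push(auth.callApi());               // 401 and the user is logged out
  return { statuses, tokensSeen };
}
```

The subscriber sees the token go from undefined to at-1, to at-2 after the silent refresh, and back to undefined when the failed refresh forces a logout; that last transition is the signal the rest of the application uses to drop user state rather than keep retrying with a dead token.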
The Resource Owner Password Credentials grant and the Client Credentials grant, referred to as the Password method and the Client method for short, are only suitable for scenarios in which the application is trusted. A typical example is different products within the same company using that company's own OAuth 2.0 system. In some cases a product wants to customize the authorization page. Since it is the same company, there is no need to show the user text such as "xxx will obtain the following permissions" and ask for consent; only the user's identity needs to be verified. In that case the product team builds its own authorization UI, which takes the username and password entered by the user and passes them directly to the authorization server. If the trust relationship is stronger still, or the caller is a backend module with no user interface, the Client method can be used.
Of course, if you do not use Commerce Cloud's default OAuth authorization server, you can switch to another OAuth flow.
A Limitation of Commerce Cloud
oauthauthorizationserver.tokenServices.reuseRefreshToken=false: setting that to true should in theory only help in the case where:
you are logged in on 1 device
a bit later you log in on another device
your session expires on the first device
if the property is true, and it's not 12 hours since login to the 2nd device, you can still continue browsing. If false, you get logged out there too
Specifies if new refresh token should be created during refreshing an Access Token
reuseRefreshToken = true - old refresh token will be returned, refresh token can be used more than one time
reuseRefreshToken = false - new refresh token will be created
oauthauthorizationserver.tokenServices.reuseRefreshToken=false
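The two settings above, as an added TypeScript example (not SAP Commerce code): a small model of an authorization server's refresh handling that either hands back the same refresh token (reuseRefreshToken=true) or rotates it and invalidates the presented one (reuseRefreshToken=false). Token names, timestamps and the 12-hour refresh-token validity are constructed for the demonstration, and the two-device scenario assumes both devices ended up holding the same refresh token, which is how the situation described in the quoted note arises.

```typescript
// Added example (not SAP Commerce code): refresh-token handling under
// reuseRefreshToken=true versus reuseRefreshToken=false.

interface TokenPair {
  accessToken: string;
  refreshToken: string;
}

class RefreshTokenService {
  private reuseRefreshToken: boolean;
  private refreshValidityMs: number;
  private refreshTokens = new Map<string, number>(); // refresh token -> expiry (ms)
  private accessCounter = 0;
  private refreshCounter = 0;

  constructor(reuseRefreshToken: boolean, refreshValidityMs = 12 * 60 * 60 * 1000) {
    this.reuseRefreshToken = reuseRefreshToken;
    this.refreshValidityMs = refreshValidityMs; // assumption: 12 h, as in the note above
  }

  // Login issues a fresh access/refresh token pair.
  login(now: number): TokenPair {
    return { accessToken: this.nextAccess(), refreshToken: this.newRefresh(now) };
  }

  // Refresh accepts only a known, unexpired refresh token.
  // reuseRefreshToken=true: the same refresh token is returned and stays valid.
  // reuseRefreshToken=false: a new refresh token is created and the presented one
  // is invalidated, so any other holder of the old token can no longer refresh.
  refresh(refreshToken: string, now: number): TokenPair | null {
    const expiry = this.refreshTokens.get(refreshToken);
    if (expiry === undefined || now >= expiry) {
      this.refreshTokens.delete(refreshToken);
      return null;
    }
    if (this.reuseRefreshToken) {
      return { accessToken: this.nextAccess(), refreshToken };
    }
    this.refreshTokens.delete(refreshToken);
    return { accessToken: this.nextAccess(), refreshToken: this.newRefresh(now) };
  }

  private newRefresh(now: number): string {
    const rt = `rt-${++this.refreshCounter}`;
    this.refreshTokens.set(rt, now + this.refreshValidityMs);
    return rt;
  }
  private nextAccess(): string {
    return `at-${++this.accessCounter}`;
  }
}

const HOUR = 60 * 60 * 1000;

// Two devices holding the same refresh token. Device A refreshes after one
// hour, device B tries with its copy an hour later, then device A refreshes again.
function twoDeviceScenario(reuse: boolean): { deviceA: boolean; deviceB: boolean; deviceAAgain: boolean } {
  const server = new RefreshTokenService(reuse);
  const login = server.login(0);
  let rtA = login.refreshToken;
  const rtB = login.refreshToken;
  const a = server.refresh(rtA, 1 * HOUR);
  if (a !== null) rtA = a.refreshToken;
  const b = server.refresh(rtB, 2 * HOUR);
  const aAgain = server.refresh(rtA, 3 * HOUR);
  return { deviceA: a !== null, deviceB: b !== null, deviceAAgain: aAgain !== null };
}
```

With reuse=true all three refreshes succeed; with reuse=false device B's attempt fails because device A's refresh rotated the token. From the server's side rotation is the safer default: a refresh token that leaks from one device stops working as soon as the legitimate holder refreshes, and a refresh with an already-rotated token is a signal worth logging, at the price of the multi-device behaviour the note above describes.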