<h1>How to trust strangers, or the OAuth 2.0 protocol</h1>
<p><em>Published 2014-04-19, last modified 2018-09-17. Source: https://spireng.sk/en/ako-doverovat-cudzim-alebo-protokol-oauth-2-0/ (category: software development)</em></p>
<p><img loading="lazy" decoding="async" class="imgp_img" style="float: left; margin: 2px 5px;" src="/sites/default/files/imagepicker/1/3343062926_4e65c72b65_o.png" alt="Image" width="200" height="200" />Computing is in constant flux, which means new problems keep appearing and, of course, so do their solutions. One such problem, which the big internet companies such as Google and Facebook had to face at one point, was the growing number of third-party applications that wanted to access user data stored on their servers. How do you handle the case where you do not want to hand an application your username and password (you have no guarantee it will do only what it claims), yet you still want it to be able to, say, read your photos? The answer came in the form of the OAuth protocol. Today we look at its second version, OAuth 2.0.</p>
<p>To understand OAuth it helps to be clear about what it is trying to achieve. Imagine you have a Facebook account holding all sorts of data. You then install an app on your phone that lets you browse the photos from that account. To get at them, the app needs your username and password. But you have no idea whether the app can be trusted: you installed it a moment ago and its author means nothing to you. Who guarantees that, besides reading photos, it will not read all your contacts and send them somewhere? What you need is to give the app access, but a limited one: certainly not to any data other than photos, and possibly limited in time as well. That is exactly what the OAuth protocol is for.</p>
<p>The OAuth protocol defines these roles:</p>
<ul>
<li><em>Resource Owner</em> – that is you: the person who owns the data stored on the server. You decide what access you grant and to whom.</li>
<li><em>Client</em> – the application you installed on your phone. It needs some way of obtaining access to the selected data.</li>
<li><em>Authorization server</em> – the server that holds your account, authenticates you, and can issue the client a special token (the <em>access token</em>) with which it gets to the resources.</li>
<li><em>Resource server</em> – the server where your data is stored. It serves the data to any application that presents a valid access token. It may or may not be the same machine as the authorization server.</li>
</ul>
<p>OAuth 2.0 has four different scenarios (grant types) in which a client can be authorized. They are meant for different situations and we will look at them shortly, but first let us describe an authorization in a very simplified form:</p>
<ol>
<li>You, as the resource owner, launch the application.</li>
<li>It needs an access token for your photos, so it sends you to the authorization server.</li>
<li>The authorization server shows a page on which you log in and confirm that the client may access the data it is asking for. This is the authorization server's own page: the client merely initiated it and otherwise has nothing to do with it. Your credentials (username and password) are therefore entered into a system you trust. This only holds if you can tell that the page really belongs to the authorization server, which is why the login should happen in the system browser with a visible address bar rather than in a web view the client controls.</li>
<li>The authorization server sends the client back a token with which the client can fetch the data from the resource server.</li>
</ol>
<p>The main idea is that you never hand your username and password to the client; you always log in at the site that owns your account (Google, Facebook, and so on), and that site then creates a token for the client that opens only a limited subset of your data. All of this has to be preceded by registering the client at the authorization server (usually done by the client's author). The registration produces a so-called Client Id and Client secret, which are then used in the communication between the client and the authorization server. Note that a client running on a phone or in a browser cannot keep the secret confidential, so the specification treats such clients as public clients and identifies them by the Client Id alone; only a client running on a server you control counts as a confidential client.</p>
<p>As mentioned above, there are four different scenarios:</p>
<ol>
<li><em>Server-Side Web Application Flow</em> (the authorization code grant) – for web clients whose main logic lives on the server, for example a PHP application. Here the browser receives only a so-called Authorization code from the authorization server; the client's server then exchanges that code for an Access token in a second, direct exchange with the authorization server, authenticating itself with the Client secret along the way. The access token therefore never passes through the browser.</li>
<li><em>Client-Side Web Application Flow</em> (the implicit grant) – for web clients whose main logic lives on the client side, that is in the browser, such as JavaScript single-page applications. The client receives the Access token directly, in the fragment of the redirect URL, which is why this flow is now discouraged in favour of the authorization code grant with PKCE.</li>
<li><em>Resource Owner Password Flow</em> – here you do give the client your username and password, but the client does not store them (or should not): it immediately exchanges them for an Access token at the authorization server. What is the advantage? For one thing, if you change your password on the account server, this application carries on working for as long as its token is valid (unlike an application that keeps a copy of your username and password in its own database). Since the client does see the password, the specification reserves this flow for clients you trust to the same degree as the authorization server itself, typically the provider's own applications.</li>
<li><em>Client Credentials Flow</em> – here the Resource Owner is the application itself, and you as a user are not even aware that an exchange with the authorization server is taking place; the client authenticates with its Client Id and Client secret and obtains a token for resources that belong to it. It is used for clients with a high level of trust, typically server-to-server integrations.</li>
</ol>
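<p>The simplified exchange above and the server-side (authorization code) variant from the list, played through end to end, as an added example that is not code from the original post. It assumes an in-memory authorization server, a resource server that shares its token store, a registered client called <code>photo-app</code> and a constructed account for a user <code>alice</code>; every name, store and value in it is an assumption of this illustration. Besides the happy path it shows what the pieces the post mentions buy you: the token opens only the granted <code>photos</code> scope and expires, the authorization code is single-use, the Client secret is checked, and the <code>state</code> value protects the callback against a forged redirect.</p>

```python
# Added example (not code from the original post): a toy OAuth 2.0 authorization code flow.
# Names, in-memory stores and the sample account are assumptions; redirects are simulated by dicts.
import secrets
import time
ACCESS_TOKEN_TTL = 3600  # seconds: the client's access is limited in time
CODE_TTL = 60            # authorization codes are short-lived and single-use


class AuthorizationServer:
    def __init__(self, users):
        self.users = users   # username -> password (plain text only because this is a toy)
        self.clients = {}    # client_id -> {"secret", "redirect_uri"}, filled at registration
        self.tokens = {}     # access_token -> {"user", "scope", "client_id", "expires"}
        self._codes = {}     # unused authorization codes -> what they were issued for

    def register_client(self, client_id, redirect_uri):
        """Done once by the client's author; returns the Client secret."""
        secret = secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}
        return secret

    def authorize(self, params, username, password, approved, now=None):
        """Front channel: the user logs in on the AS's own page and approves the scope.
        Returns the query parameters the AS redirects the browser back with."""
        client = self.clients.get(params["client_id"])
        if client is None or client["redirect_uri"] != params["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        if not approved:
            return {"error": "access_denied", "state": params["state"]}
        code = secrets.token_urlsafe(24)
        self._codes[code] = dict(params, user=username, expires=(now or time.time()) + CODE_TTL)
        return {"code": code, "state": params["state"]}

    def token(self, code, client_id, client_secret, redirect_uri, now=None):
        """Back channel: the client swaps the code for a token, proving itself with the secret."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        rec, now = self._codes.pop(code, None), now or time.time()   # pop: a code is single-use
        if (rec is None or rec["expires"] < now or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"user": rec["user"], "scope": set(rec["scope"].split()),
                               "client_id": client_id, "expires": now + ACCESS_TOKEN_TTL}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "scope": rec["scope"]}


def resource_get(tokens, data, authorization_header, resource, now=None):
    """Resource server: serves data to any client whose bearer token is valid for that scope.
    The token store is shared with the AS here; a separate host would introspect instead."""
    scheme, _, token = authorization_header.partition(" ")
    rec = tokens.get(token) if scheme == "Bearer" else None
    if rec is None or rec["expires"] < (now or time.time()):
        raise PermissionError("invalid_token")
    if resource not in rec["scope"]:  # a "photos" token does not open "contacts"
        raise PermissionError("insufficient_scope")
    return data[rec["user"]][resource]


def client_finish(auth, client_id, client_secret, redirect_uri, expected_state, params, now=None):
    """Client side of the callback: check the anti-CSRF state, then exchange the code."""
    if params.get("state") != expected_state:
        raise PermissionError("state mismatch")
    if "error" in params:
        raise PermissionError(params["error"])
    return auth.token(params["code"], client_id, client_secret, redirect_uri, now)


def run_demo(now=1_700_000_000):
    """Plays the exchange through and reports which follow-up requests were refused and why."""
    auth = AuthorizationServer({"alice": "correct horse"})  # constructed sample account
    data = {"alice": {"photos": ["p1.jpg", "p2.jpg"], "contacts": ["bob@example.com"]}}
    cid, uri = "photo-app", "https://photoapp.example/cb"
    secret = auth.register_client(cid, uri)                  # registration by the app's author
    state = secrets.token_urlsafe(16)                        # binds the callback to this session
    req = {"response_type": "code", "client_id": cid, "redirect_uri": uri,
           "scope": "photos", "state": state}                # steps 1-2: browser sent to the AS
    cb = auth.authorize(req, "alice", "correct horse", True, now)   # step 3: login + consent
    hdr = "Bearer " + client_finish(auth, cid, secret, uri, state, cb, now)["access_token"]
    out = {"photos": resource_get(auth.tokens, data, hdr, "photos", now)}
    attempts = {
        "contacts": lambda: resource_get(auth.tokens, data, hdr, "contacts", now),  # out of scope
        "replay": lambda: auth.token(cb["code"], cid, secret, uri, now),             # code reuse
        "wrong_secret": lambda: auth.token(cb["code"], cid, "guess", uri, now),
        "expired": lambda: resource_get(auth.tokens, data, hdr, "photos", now + ACCESS_TOKEN_TTL + 1),
        "forged_state": lambda: client_finish(auth, cid, secret, uri, "other", cb, now),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "allowed"
        except PermissionError as exc:
            out[label] = str(exc)
    return out
```

<p>Calling <code>run_demo()</code> returns a dict: the <code>photos</code> entry is the data the app was allowed to read, and every other entry is the error the server answered with (the names follow the error codes of RFC 6749 and RFC 6750) when the app tried to read contacts, reuse the code, present a wrong secret, use the token after its lifetime, or accept a callback whose <code>state</code> did not match. The <code>now</code> parameter exists only so that expiry can be demonstrated without waiting an hour.</p>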
<p>Unlike OAuth 1.0, which required every request to be signed, OAuth 2.0 relies on TLS and on bearer tokens: whoever holds the token can use it. Digitally signed messages between the client and the authorization server are only an optional extension of the protocol, and this was one of the main criticisms levelled at the second version.</p>
<p>In case it was not clear from the above: OAuth deals with authorization – whether someone has the right to access particular data. Authentication (establishing who you are and that it is really you) is handled by the <a href="https://openid.net/connect/">OpenID Connect</a> extension (not to be confused with <a href="http://en.wikipedia.org/wiki/OpenId">OpenID</a>, which is a different thing), a separate specification layered on top of OAuth 2.0 that you may or may not use.</p>
<p>OAuth is the result of an internet full of applications that are strangers to you but still need some level of access to your data in order to work. As the number of internet users and applications keeps growing, the problem becomes ever more widespread, and OAuth has accordingly seen a steep rise in use in recent years.
For most widely used programming languages there are ready-made libraries for implementing both an authorization server and a resource server. The big identity providers such as Google, Facebook and Microsoft have also published libraries that make the protocol easy to use on the client side. In that case you just need to be prepared for certain implementation differences between providers that the specification does not pin down well.</p>