Oauth 2 - params ordering and signature integrity


Question

I have two questions:

Q1: Why does OAuth2 require params to be ordered and encoded (for 2-legged)?

All it has to worry about is the matching signature at both ends for the given data (query string).

We can just check the signature generated using the query string (e.g. ?a=1&b=2). Since the signature is generated based on the secret key, which is known only to the client and provider, we can only consider the query string without any ordering/encoding.

So, what's the advantage in doing ordering/encoding and then creating the signature?

Q2: How can this signature save me from a man-in-the-middle attack?

If I have to make a request like this to my server from a client:

increaseUserPoints?userId=1&pointsToAdd=5&appId=x&token=XYZ

Now the token XYZ will always be the same, so a hacker could keep posting the same request to increase points. Since the token generated from the given appId is the same, the server will allow this. How is this case handled?

Answer

Q1: Ordering the query parameters brings sanity to the HMAC.

Let's say you have two parameters: 'pointsToAdd' and 'appId'. Using the query string pointsToAdd=X&appID=y creates a different HMAC from appID=y&pointsToAdd=X. Because both you and the server need to generate the same HMAC to verify the request, requests with unordered query parameters plainly fail.

You have a secret key, and only you and the server know it. This key signs the request. If the HMAC doesn't match according to this secret key, the request fails.

Because all parameters have been used to create the HMAC the request is secure from MITM attacks — a hacker can't change, add or delete any query parameters, or the server will produce a different HMAC when it attempts to authorise and the request fails.
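The following is an added example, not code from the question or the answer above, illustrating both points: canonical ordering and percent-encoding of the parameters (Q1) make the client and server derive the same signature base string no matter how the query string was written, and the HMAC over all parameters detects any tampering (Q2). The answer does not address the replay case the question raises; the server below additionally checks a `ts` (timestamp) and `nonce` parameter, which is an assumption of this example (the way OAuth 1.0-style signed requests handle replays) rather than something stated on the page. The secret, the request path and the `canonical_query`/`sign`/`Server` names are all constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote

# Constructed sample secret, shared only by the client and the server.
SECRET = b"constructed-demo-secret"


def canonical_query(params):
    """Sort (name, value) pairs and percent-encode them so every party derives
    the same byte string regardless of the order in the original query."""
    items = sorted((str(k), str(v)) for k, v in params)
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in items)


def sign(method, path, params, secret=SECRET):
    """HMAC-SHA256 over method, path and the canonical query (the signature
    itself is never part of the signed parameters)."""
    base = f"{method.upper()}&{path}&{canonical_query(params)}"
    return hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()


def sign_query_string(method, path, query, secret=SECRET):
    """Convenience wrapper: sign a raw query string as the client would send it."""
    return sign(method, path, parse_qsl(query, keep_blank_values=True), secret)


class Server:
    """Verifies the HMAC, then rejects stale timestamps and reused nonces."""

    def __init__(self, secret=SECRET, window=300, now=time.time):
        self.secret = secret
        self.window = window      # accepted clock skew in seconds
        self.now = now            # injectable clock for deterministic tests
        self.seen_nonces = set()  # in production: a store with expiry

    def verify(self, method, path, query, signature):
        params = parse_qsl(query, keep_blank_values=True)
        expected = sign(method, path, params, self.secret)
        # Constant-time comparison of the client's signature against ours.
        if not hmac.compare_digest(expected, signature):
            return "bad_signature"
        fields = dict(params)
        try:
            ts = int(fields["ts"])
        except (KeyError, ValueError):
            return "missing_timestamp"
        if abs(self.now() - ts) > self.window:
            return "stale_timestamp"
        nonce = fields.get("nonce")
        if not nonce:
            return "missing_nonce"
        if nonce in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(nonce)
        return "ok"


if __name__ == "__main__":
    path = "/increaseUserPoints"
    q1 = "userId=1&pointsToAdd=5&appId=x&ts=1000&nonce=n1"
    q2 = "appId=x&nonce=n1&pointsToAdd=5&ts=1000&userId=1"  # same params, reordered
    sig = sign_query_string("POST", path, q1)
    srv = Server(now=lambda: 1000)
    print("reordered verifies:", srv.verify("POST", path, q2, sig))          # ok
    print("same request again:", srv.verify("POST", path, q1, sig))         # replay
    tampered = q1.replace("pointsToAdd=5", "pointsToAdd=500")
    print("tampered request:", srv.verify("POST", path, tampered, sig))     # bad_signature
```

Because the signature is computed over every parameter, changing `pointsToAdd` invalidates it; because the base string is canonicalised first, the client is free to emit parameters in any order. The replay check is what actually answers Q2's "keep posting the same request" scenario: the signature alone only proves the parameters are unmodified, not that the request is fresh.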

