Securely Storing OpenID identifiers and OAuth tokens


Question

I am creating a web app that will use OpenID logins and OAuth tokens with YouTube. I am currently storing the OpenID identity and the OAuth token/token secret in plain text in the database.

Is it inappropriate to store these values as plain text? I could use one-way encryption for the OpenID identifier, but I don't know if that is necessary. For the OAuth tokens, I would need to use two-way encryption, as my app relies on getting the session token for some uses.

Is it necessary to encrypt the OpenID identity? Could someone use it to gain access to a user's account?

Answer

First, there is a registered application that has a consumer_key and a consumer_secret.

When users authenticate and "allow" your registered application, you get back an access_token that is considered the user's "password" and would allow JUST YOUR application to act on the user's behalf.

So, getting just the user's access_token from your database won't help much if they don't also have the consumer_key and consumer_secret for complete access.

The service provider compares all 4 parameters on request. It would be smart to encrypt these 4 parameters before storage and decrypt them before response.

This is just when you need to update or make changes to the user's resource owner on behalf of a user. To keep a user logged in on your site, use sessions.
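The answer recommends encrypting the stored OAuth parameters and decrypting them only when a request on the user's behalf is made. The following Go program is an added example of that pattern (it is not code from the asker or the answerer): it seals each user's access_token and token_secret with AES-256-GCM and binds the ciphertext to the user's row id as associated data, so a value copied into another user's row fails to decrypt. The 32-byte key is a constructed value for the example; in a real deployment it would be loaded from a KMS or secrets manager rather than from the database holding the tokens. The consumer_key and consumer_secret belong to the application, not to a user, and are assumed to live in application configuration, so they are not stored per row here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenVault encrypts per-user OAuth credentials at rest with AES-256-GCM.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault wraps a 32-byte key (assumed to come from a KMS) in an AEAD.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal encrypts plaintext with a fresh random nonce and binds it to userID,
// so the ciphertext only decrypts when presented with the same userID.
func (v *TokenVault) Seal(userID, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Nonce is prepended to the ciphertext so a single column can hold both.
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(userID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it fails on a wrong key, wrong userID or any tampering.
func (v *TokenVault) Open(userID, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(userID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// UserOAuthRow is what the database row would hold: only ciphertext.
type UserOAuthRow struct {
	UserID         string
	EncAccessToken string
	EncTokenSecret string
}

// SealCredentials prepares a row for storage.
func (v *TokenVault) SealCredentials(userID, accessToken, tokenSecret string) (UserOAuthRow, error) {
	encTok, err := v.Seal(userID, accessToken)
	if err != nil {
		return UserOAuthRow{}, err
	}
	encSec, err := v.Seal(userID, tokenSecret)
	if err != nil {
		return UserOAuthRow{}, err
	}
	return UserOAuthRow{UserID: userID, EncAccessToken: encTok, EncTokenSecret: encSec}, nil
}

// OpenCredentials recovers the plaintext pair right before signing a request.
func (v *TokenVault) OpenCredentials(row UserOAuthRow) (accessToken, tokenSecret string, err error) {
	if accessToken, err = v.Open(row.UserID, row.EncAccessToken); err != nil {
		return "", "", err
	}
	if tokenSecret, err = v.Open(row.UserID, row.EncTokenSecret); err != nil {
		return "", "", err
	}
	return accessToken, tokenSecret, nil
}

func main() {
	key := make([]byte, 32) // constructed key for the example only
	for i := range key {
		key[i] = byte(i)
	}
	vault, _ := NewTokenVault(key)
	row, _ := vault.SealCredentials("user-42", "example-access-token", "example-token-secret")
	tok, sec, err := vault.OpenCredentials(row)
	fmt.Println(tok, sec, err)
}
```

Because the nonce is random per call, sealing the same token twice produces different ciphertexts, so the encrypted column cannot be used for equality lookups; look rows up by user id (or by a separate keyed hash of the identifier) instead.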
