跨应用程序/服务器的 Rails 身份验证 [英] Rails authentication across apps/servers

问题描述

我一直在开发我的 rails 应用程序，同时尽可能保持它们的模块化.我正在尝试将下面的不同部分实现为服务.

I've been developing my rails apps whilst keeping them as modular as possible. I'm trying to implement different parts underneath as services.

说一个 Facebook 的例子:
a) 一个 MainApp，允许用户拥有一堵墙、帖子等.
b) 一个PhotoApp，用于存储照片，允许用户查看他的照片等.这是一个独立的应用程序，将有一个可供 MainApp 使用的 REST API.

Say an example of Facebook:
a) A MainApp that allows the user to have a wall, posts, etc.
b) A PhotoApp that stores photos, allows the user to see his photos, etc. This is a standalone app that will have a REST API that can be used by MainApp as well.

我曾考虑使用 OAuth 作为单点登录解决方案(如本教程中所示 http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/)每个应用都将通过 OAuth 获得授权，并根据 cookie 访问当前用户会话.

I was thinking of using OAuth as a Single Sign On solution (as in this tutorial http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/) where each app will be authorized via OAuth and will get access to the current user session based on the cookie.

第一个问题:这是一个可行的解决方案吗?

First question: Is this a viable solution?

第二个问题:我希望能够从 MainApp 服务器(不是从用户的浏览器).在这种情况下，身份验证将如何工作?

Second question: I want to be able to call the PhotoApp API from the MainApp server (not from the user's browser). How would authentication work in this situation?

第三个​​问题:如果说我有一个使用 node.js 的服务，这将如何工作?

Third question: How would this work if say I had a service that used node.js?

推荐答案

是的，使用 OAuth 的 SSO 是一种可行的解决方案，但它不是最简单的解决方案.在构建任何新事物时，OAuth 2.0 是最佳选择.OAuth 标准涵盖了很多方面.

Yes, SSO using OAuth is a viable solution, but it's not the simplest one. When building anything new, OAuth 2.0 is the way to go. The OAuth standards cover a lot of ground.

OAuth 的主要优势在于它允许用户授予 3rd 方应用访问其帐户的权限，而无需将其密码透露给 3rd 方.如果您没有认真地提供这种互操作性，那么 OAuth 可能有点过头了.

The primary advantage of OAuth is that it allows users to give 3rd party apps access to their account without disclosing their password to the 3rd party. If you are not seriously providing such interoperability, then OAuth is probably overkill.

考虑到复杂性，我提供了一对不同的解决方案:

Given the complexity, I offer a different pair of solutions:

单点登录

诀窍是在您域内的主机之间共享会话 ID cookie &使用共享会话存储(如 ActiveRecordStore 或基于缓存的存储.)

The trick is to share the session ID cookie between hosts within your domain & to use a shared session store (like ActiveRecordStore or a cache-based store.)

每个 Rails 应用程序都有一个用于签署 cookie 的秘密".在较新的 Rails 应用程序中，它位于 /config/initializers/secret_token.rb.在每个应用程序中设置相同的秘密令牌.

Every Rails app has a "secret" that is used to sign cookies. In newer Rails apps this is located in /config/initializers/secret_token.rb. Set the same secret token in each application.

然后，配置会话以允许来自所有子域的访问:

Then, configure the session to allow access from all subdomains:

AppName::Application.config.session_store :active_record_store, :key => '_app_name_session', :domain => :all

对于内部 API 调用

使用良好的共享密钥通过 HTTPS 连接进行身份验证.在授权"标头值中传递秘密.

Use a good shared secret to authenticate over HTTPS connections. Pass the secret in the "Authorization" header value.

您可以轻松地将共享密钥与其他架构(如 node.js)一起使用.请确保始终使用 HTTPS，否则共享机密可能会在网络上被嗅探.

You can use the shared secret easily with other architectures (like node.js). Just make sure you always use HTTPS, otherwise the shared secret could be sniffed on the network.

这篇关于跨应用程序/服务器的 Rails 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！