GAE authenticate to a 3rd party site


Problem description


I need to authenticate securely to a third party site for an SSL REST API call. I have the API call part working but I want to save the third party credentials in my App Engine datastore, or maybe somewhere else? I have no idea how I'm supposed to do this.

The SSL call looks like:

import base64
import urllib2

# HTTP Basic auth is base64("username:password"); encodestring appends a
# trailing newline, which the [:-1] slice strips off
credentials = base64.encodestring('%s:%s' % (username, password))[:-1]
request     = urllib2.Request(accounts_url)
request.add_header("User-Agent", user_agent)
request.add_header("Authorization", "Basic %s" % credentials)

stream   = urllib2.urlopen(request)   # HTTPS is chosen by the scheme of accounts_url
response = stream.read()
stream.close()

which means my app unfortunately needs to know the plaintext password. It doesn't make sense to me to AES encrypt it (not a hash; reversible) because the decryption key would need to be known by my app also, so if my app is compromised, no real security over storing plaintext was added.

Solution

I think the most secure strategy here is to punt to the client. Use GAE to serve as a proxy for what would otherwise be a cross domain request from the client. I'm assuming the third party host has some sort of token or session cookie that you could intercept on the way back.

Storing plain text passwords is scary.
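The proxy strategy the answer describes, written out as an added example; this is not code from the original question or answer. The third-party host is replaced by an in-process stub (ThirdPartyStub), and its "/login" endpoint, its "X-Session-Token" header and the "alice"/"hunter2" account are all constructed for this example, not a real API. The proxy forwards the client's credentials to the third party exactly once, keeps only the session token that comes back, and makes every later call with that token, so the password is never written to the datastore (a plain dict here). It is plain Python 3 rather than the Python 2 urllib2 code of the question.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


# --- constructed stand-in for the third-party host -------------------------
class ThirdPartyStub:
    """Accepts 'Authorization: Basic ...' once on /login and hands back a
    session token; every other path must present 'X-Session-Token'."""

    def __init__(self, users: Dict[str, str]):
        self._users = users                  # username -> password (their side)
        self._sessions: Dict[str, str] = {}  # token -> username

    def handle(self, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
        """Return (status, response headers, body) like a tiny HTTP server."""
        if path == "/login":
            auth = headers.get("Authorization", "")
            if not auth.startswith("Basic "):
                return 401, {}, b"missing credentials"
            try:
                decoded = base64.b64decode(auth[len("Basic "):]).decode()
                user, _, pw = decoded.partition(":")
            except (ValueError, UnicodeDecodeError):
                return 400, {}, b"bad authorization header"
            expected = self._users.get(user)
            # constant-time comparison, as a real server should do
            if expected is None or not hmac.compare_digest(expected.encode(), pw.encode()):
                return 401, {}, b"bad credentials"
            token = secrets.token_urlsafe(24)
            self._sessions[token] = user
            return 200, {"X-Session-Token": token}, b"ok"
        user = self._sessions.get(headers.get("X-Session-Token", ""))
        if user is None:
            return 401, {}, b"no session"
        return 200, {}, f"accounts for {user}".encode()


# --- the App Engine side: a proxy that never stores the password -----------
@dataclass
class Proxy:
    upstream: ThirdPartyStub
    # stands in for the datastore; only session tokens ever land here
    datastore: Dict[str, str] = field(default_factory=dict)

    def basic_header(self, username: str, password: str) -> str:
        """Same header the question builds; b64encode adds no trailing
        newline, so the [:-1] slice from the question is not needed."""
        raw = f"{username}:{password}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def login(self, client_id: str, username: str, password: str) -> bool:
        """Forward the client's credentials once; keep only the token."""
        status, hdrs, _ = self.upstream.handle(
            "/login", {"Authorization": self.basic_header(username, password)})
        if status != 200 or "X-Session-Token" not in hdrs:
            return False
        self.datastore[client_id] = hdrs["X-Session-Token"]
        return True  # the password goes out of scope here; nothing persisted it

    def fetch(self, client_id: str, path: str) -> Optional[bytes]:
        """Later requests on the client's behalf use the stored token only."""
        token = self.datastore.get(client_id)
        if token is None:
            return None
        status, _, body = self.upstream.handle(path, {"X-Session-Token": token})
        return body if status == 200 else None


def demo() -> dict:
    """Run the flow once and report what the proxy ended up storing."""
    upstream = ThirdPartyStub({"alice": "hunter2"})  # constructed account
    proxy = Proxy(upstream)
    ok = proxy.login("client-1", "alice", "hunter2")
    bad = proxy.login("client-2", "alice", "wrong")
    body = proxy.fetch("client-1", "/accounts")
    stored = list(proxy.datastore.values())
    return {
        "login_ok": ok,
        "bad_login_rejected": not bad,
        "accounts": body,
        "password_in_datastore": "hunter2" in stored,
        "client2_has_session": "client-2" in proxy.datastore,
    }


if __name__ == "__main__":
    print(demo())
```

What the datastore holds after the run is a bearer token, which is still sensitive (it grants the same access until the third party expires it), but it is revocable and scoped to a session, unlike the password the question was about to store. A compromise of the proxy exposes live sessions, not the credentials needed to open new ones.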
