如何安全地授权通过Facebook的JavaScript SDK用户 [英] How to securely authorize a user via Facebook's Javascript SDK

问题描述

我想让用户登录使用他们的Facebook ID，而无需重新加载页面我的网站。这就是为什么我使用的Facebook的Javascript SDK 。该方案描述了此SDK授权流程：

在该过程结束时，我知道，用户登录，我知道他们的Facebook ID。那么我可以注册他们通过这个ID我的数据库，并让他们用它来之后登录。

然而，这似乎非常不安全的。为了让我的服务器端脚本知道用户的ID，我已经通过AJAX来发送。不过，我不知道它是否是谁在试图登录的ID的所有者的方式。任何人都可以用一个ID（特别是一个得到其他用户的ID的保留）。

发送POST请求

我现在的想法是让用户通过JS SDK像往常一样登录，通过AJAX发送ID和访问令牌服务器，然后使用卷曲的PHP脚本，以确保用户在实际登录。

这是要走的路，还是我俯瞰更好的方法？

解决方案

1. 您不需要通过AJAX来推动用户的ID。你应该，在服务器端，使用的持有signed_request的fbsr_ {} APP_ID饼干。解析使用您的'秘密'通过FB app_secret颁发给获得USER_ID这signed_request。注意：一个成功的解析也表明，FB提供的Cookie数据不被篡改




2. 一旦你解析signed_request，你也应该得到'issued_at的时间。检查，这一次是最后的10分钟之内。通过这样做，你知道登录请求打你的服务器用户（与USER_ID）使用的客户端SDK。 （参见：<一href=\"http://developers.facebook.com/roadmap/completed-changes/\">http://developers.facebook.com/roadmap/completed-changes/)




3. 您应该立即更换该code为的access_token。如果失败（FB会给你类型OAuthException的错误消息），这意味着在Facebook的用户之间签订一个不自然的延迟，你得到的登录请求。

使用步骤＃2，您可以阻止使用旧fbsr_的cookie的攻击尝试。如果用户（从USER_ID）已经与您的帐户，那么你不妨停在这里和登录用户。然而，可能存在的情况，其中的app_secret可能会受到损害。为了照顾这种情况下，你应该按照步骤＃3，为code，为的access_token在交换可以在它的问题 10分钟内只发生一次和即可。如果用户不具有与您的网站的帐户，那么你无论如何需要步骤3中使用的access_token检索其他必要的用户数据，如姓名，电子邮件等从FB。

因此​​，别人窃取受害者的cookie，并试图攻击只在这10分钟的安全漏洞是可能的。如果你不满意这个安全漏洞，您应该迁移到服务器端身份验证。的决定取决于你存储用户信息的灵敏度。你不妥协任何东西转移到服务器端身份验证，可以同时继续使用客户端的方法其他的事情。

I want to let users log in on my website using their Facebook ID without reloading the page. This is why I use Facebook Javascript SDK. This scheme describes the authorization flow with this SDK:

At the end of the process I know that the user is logged in and I know their Facebook ID. I can then register them in my database via this ID, and let them use it to log in afterwards.

However, this seems terribly insecure. In order to let my server-side script know the user's ID, I have to send it via AJAX. However, I have no way of knowing whether it's the owner of the ID who's trying to log in. Anyone can send the POST request with an ID (especially of one gets hold of another user's ID).

My current idea is to let the user log in via JS SDK as usual, send the ID and Access Token via AJAX to the server and then use cURL in the PHP script to ensure the user is actually logged in.

Is this the way to go, or am I overlooking better alternatives?

解决方案

1. You don't need to push the user's ID via ajax. You should, on the server side, use the fbsr_{app_id} cookie which holds the signed_request. Parse this signed_request using your 'secret' app_secret issued by FB to get the 'user_id'. NOTE: a successful parse also shows that the cookie data provided by FB is not tampered with.

2. Once you parse the signed_request, you should also get the 'issued_at' time. Check that this time is within the last 10 mins. By doing this, you know that the login request hit your server as the user (with user_id) used client-side SDK. (Refer: http://developers.facebook.com/roadmap/completed-changes/)

3. You should immediately exchange this code for an access_token. If this fails (FB will give you an error message of type OAuthException), it means that there was an unnatural delay between user signing in to facebook and you getting the login request.

With step #2, you can thwart attempts of an attack using old fbsr_ cookie. If the user (from user_id) already has an account with you, then you may wish to stop here and login the user. However, there may be scenarios where your app_secret may be compromised. To take care of this case, you should follow step #3, as the exchange of code for access_token can happen only once and within 10 mins of it's issue. If the user doesn't have an account with your site, then you anyway need step #3 to use the access_token for retrieving other necessary user data, like name, email, etc from FB.

Therefore, someone else stealing the victim's cookie and trying to attack is possible only within this 10 min security gap. If you are unhappy with this security hole, you should migrate to server-side authentication. The decision depends on the sensitivity of the user information you store. And you don't compromise anything moving to server-side auth, you can simultaneously continue to use client-side methods for other things.

这篇关于如何安全地授权通过Facebook的JavaScript SDK用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！