如何进行安全注册使用多个OAUTH商在App Engine用户？ [英] How to securely register users on App Engine using multiple OAUTH providers?

问题描述

我想讨论一个常见的​​场景：某个应用程序想要使用多个OAUTH供应商，如Facebook，Google+或Twitter对用户进行授权。

I would like to discuss a common scenario: An app wants to authorize users using multiple OAUTH providers, such as Facebook, Google+ or Twitter.

从本质上讲这个问题已在两年前在这里问<一个href=\"http://stackoverflow.com/questions/13928082/mobile-api-authentication-using-existing-web-app-with-multiple-oauth-providers\">Mobile API认证使用现有的Web应用程序使用多个供应商的OAuth 并保持答复，所以我会进一步阐述了一下。 （我将使用Facebook作为的oauth2提供一个例子，所以这不会成为过于笼统。）

Essentially this question has been asked two years ago here Mobile API Authentication Using Existing Web App with Multiple OAuth Providers and stays unanswered, so I will elaborate a bit further. (I will use Facebook as an example for the OAUTH2 provider, so this does not become too generic.)

从本质上讲，用户注册是这样工作的：OAUTH /的oauth2提供商通常提供其中无论从通过的AccountManager移动设备或登录对话框上的供应商处获得一个（主要是短命）令牌的工作流，如登录与Facebook按钮。然后令牌通过调用REST端点（无论是在人体或作为附加头，从来没有在URL）运到App Engine。

Essentially, user registration works like this: OAUTH/OAUTH2 providers typically provide a workflow where a (mostly short-lived) token is obtained from a provider either via the AccountManager on the mobile device or a login dialog such as the "Login with Facebook" button. The token is then shipped to App Engine by calling a REST endpoint (either in the body or as an additional header, never in the URL).

该供应商的的AppId和AppSecret（这里：Facebook的）都是在App Engine Store和App引擎将这些令牌，然后船回给Facebook以换取（长寿）标记

The provider's AppId and AppSecret (here: Facebook) are store on App Engine and App Engine adds these to the token, then ships it back to Facebook in exchange for a (long-lived) token.

在这一点上两者，客户端应用程序和App Engine应用程序有把握用户已经$ P $被Facebook pviously认证。另外，如果端点验证用于验证呼叫，应用程序引擎可能有用户的谷歌凭证和/或应用程序的客户端ID，和谷歌保证该请求已经从正确的客户端应用程序的。

At this point both, client app and App Engine app have certainty that the user has been previously authenticated by Facebook. Also, if Endpoints Authentication is used to authenticate the call, App Engine probably has the Google credentials of the user and/or the ClientId of the app, and Google guarantees that the request has been made from the correct client app.

在这一点上，我们可以尝试找出我们的数据存储用户，让注册失败（或默默登录用户），如果它已经存在，或以其他方式创造纪录。

At this point, we can try to find the user in our datastore and let registration fail (or silently sign in the user) if it already exists, or otherwise create a record.

直到我在这里pretty肯定我在正确的轨道上。现在问题来了：

Until here I am pretty sure I'm on the right track. Now comes the problem:

让我们来看看数据存储这一点。假设我们有两个实体：

Let's look at the datastore for this. Let's assume we have two entities:

1. User实体，其中在我们自己的系统中每个用户一个唯一的用户ID下注册。


2. 帐户实体，其中每个账号注册并在用户ID字段指向用户的实体。

在关系数据库术语，我们会说我们有一个1：n用法用户和帐户之间的关系。

In relational database terms, we would say we have a 1:n relationship between User and Account.

有关在我们的系统中的每个用户，我们保持用户记录。在上面的例子中，我们可能有两个帐户：Facebook和谷歌，这都指向用户和这里独特的Facebook或谷歌帐号/电邮作为账户标识符

For each User in our system, we keep a User record. In above example, we may have two accounts: Facebook and Google, which both point to the user and where the unique Facebook or Google id/email is used as account identifier.

技术上讲，它现在是可能的应用程序使用Facebook或谷歌帐户上的后续请求。但是，我们将不得不存储和查找第三方令牌上的每个请求，因为我们不能解密它自己。我们可以要求供应商要做到这一点，但是这没有多大意义无论是。此外，我们将不得不提供者的帐户ID转换为对每个请求自己的用户ID。

Technically it would now be possible that the app uses the Facebook or Google account on subsequent requests. But we would have to store and look up the 3rd-party token on each request because we cannot decrypt it ourselves. We could ask the provider to do this, but that wouldn't make much sense either. Plus we would have to translate the provider's Account id to our own User id on each request.

要解决这个问题，我想最有可能要么创建我们自己的令牌或建立我们创造我们自己的系统签署了令牌，其中唯一的用户ID被用作标识自己的OAUTH供应商，并且仅在使用该令牌后续的请求。

To solve this problem I would most probably either create our own token or set up our own OAUTH provider which creates a token signed by our own system, and where the unique User id is used as identifier, and only use that token during subsequent requests.

• 这是一个好方法？使用任何一个不同的更好的工作流程？是否有人看到安全漏洞与这个设计？

本质上，它的工作原理围绕谷歌的终端系统，但谷歌只能对自己的系统进行身份验证，所以如果我们想要提供的登录使用进一步的提供商，我们需要解决这个问题，但如果有人知道一个工作流程，我们可以并存，但我们有我们能/应该只在授权头和REST原则添加单个令牌不鼓励我们使用自定义页眉运送更多标记的问题。

Essentially it works around Google's endpoints system, but Google can only authenticate against their own systems, so if we want to offer sign-in using further providers, we will need to work around this, except if anybody knows a workflow where we can keep both, but then we have the problem that we can/should only add a single token in the "Authorization" header and REST principles discourage us to use custom headers to ship more tokens.

推荐答案

当你的应用程序验证用户，存储一个对象，其中包含已用于访问应用程序，以及任选一个OAuth提供者的会话，令牌用于后续请求。

When your app authenticates a user, store an object in a session which contains an oauth provider that has been used to access the app and, optionally, a token to be used for subsequent requests.

现在您可以检查此对象在每次调用服务器。如果对象不是present - 一个用户没有通过验证，重定向到登录页面。如果对象是present，拿令牌并使用它。

Now you can check for this object in every call to the server. If the object is not present - a user is not authenticated, redirect to the login page. If an object is present, take a token and use it.

我使用多个身份验证选项，不仅OAuth的类似的方法。但我并不需要存储的令牌的用户验证通过后 - 我的应用程序内用不到它。

I use a similar approach for multiple authentication options, not only oauth. Except I don't need to store a token after a user is authenticated - I have no use for it within the app.

这篇关于如何进行安全注册使用多个OAUTH商在App Engine用户？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！