Links on web site that can log in to app with a token or fall back to web site


Question


There is a request to add a link to one of our websites that can open our mobile app on iOS or Android, and log in to the app by passing an authentication token in. If the apps do not exist on either platform I need it to fall back to the associated website.


From what I understand about universal links or deep linking, their intended purpose is to take you to a specific page within an app, not pass along parameters. Custom URL schemes seem to fit better, but also aren't supported the same way and falling back to the web is problematic.


If anyone has ever set up something like this and has resources I can look at, it would be appreciated.

Thanks.

Accepted answer


It is possible to build a deep linked authentication system like this, with a few important caveats:

  1. The link that is used to open your app needs to be kept private. It is essentially a password at this point, so anyone with access to the URL of the link can use it to log in. You can mitigate this risk by using a link that expires after a specified length of time.
  2. The contents of the link itself should be encoded so that if the data is snooped in transit, you don't inadvertently reveal something confidential. For example, you should pass through a token rather than the plain text password.
  3. You need to be certain that the user who opens the app is the same one who clicked the link. This is easy if the app is already installed when the link is clicked, but if you want to do 'deferred deep linking' (meaning you want the behavior to work even if the app isn't already installed) then you need to be cautious of mismatches.


URI schemes and Universal Links don't support passing parameters, but they can be used to build a system like this (Slack uses URI scheme links for their famous 'magic link' mobile sign in process, for example). However, they only work if the app is already installed. Neither one will allow you to preserve context across install, which limits their usefulness.


Branch.io (full disclosure: I'm on the Branch team) links can be used to power an experience like this. Unlike URI schemes and Universal Links, we do allow you to pass real key:value parameter pairs with each link, and we have by far the best matching accuracy in the field. I would do the following:

  1. Generate a link on your website using Branch. Include a unique token in the link as a parameter. You can use the Branch web SDK for this (it even has a built-in sendSMS() function), or go straight to the API.
  2. Store that unique token on your own backend.
  3. When the app opens, you'll get the parameter back as link data. Check for Branch's +match_guaranteed parameter to make sure you have the correct user (see the blog post above for more info on how this is verified).
  4. If +match_guaranteed comes back true, verify the returned token against the value stored on your backend and log the user in. If false, or the token doesn't validate, handle the error (likely by asking the user to log in manually).


To make this extra secure, store the token in your backend with an expiration timestamp (perhaps 5-10 minutes) and don't permit the automatic authentication if the link is stale. This will prevent a URL from being found somewhere later on and reused, and will also make sure nothing bad happens if someone later retrieves the contents of the link.
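A minimal backend model of steps 2 through 4 plus the expiry rule, as an added example (not code from the answer's author or from Branch). It assumes the app relays Branch's +match_guaranteed flag as the `match_guaranteed` argument, and uses an in-memory dict as a stand-in for a real token store.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 5 * 60  # the answer suggests 5-10 minutes

# Constructed in-memory store keyed by the SHA-256 of the token, so a leaked
# copy of the store does not hand out usable login links. A real backend
# would use a database with the same shape.
_tokens = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_token(user_id, now=None):
    """Step 2: mint a random token to embed in the Branch link and record
    it with an expiry. Returns the token the website puts in the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    _tokens[_digest(token)] = {
        "user": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_login_token(token, match_guaranteed, now=None):
    """Steps 3-4: called when the app opens with the link data.
    Returns the user id to log in, or None when the caller should fall
    back to a manual login (wrong device, unknown, stale or reused link)."""
    now = time.time() if now is None else now
    if not match_guaranteed:
        return None  # cannot be sure the opener is the person who clicked
    record = _tokens.get(_digest(token))
    if record is None or record["used"]:
        return None  # unknown token, or a replay of an already-used link
    if now > record["expires_at"]:
        return None  # stale link: refuse automatic authentication
    record["used"] = True  # single use, so a link found later cannot log in
    return record["user"]
```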
