是否存储OpenID端点,OP本地标识符和领域? [英] Store OpenID endpoint, OP-Local Identifier and realm?
问题描述
我将要创建一个数据库表来存储OpenID登录名.我认为除了声明的标识符"之外,我还将包括以下三列:
I'm about to create a datatbase table to store OpenID logins. I think I will include these three columns, in addition to the Claimed Identifier:
- The OpenID endpoint
- The OP-Local Identifier
- The realm
- The OpenID version (1 or 2)
您存储这些字段吗?
出于以下原因,您认为存储这些字段是否合理?
Do you think it's reasonable to store these fields?, for the following reasons:
-
OpenID端点:因此,您知道哪个OpenID提供者对用户进行了身份验证.也许将来您会发现一个提供者不是那么值得信赖,然后,我想知道 someuser.example.com 是否已被该提供者认证.
The OpenID endpoint: So you know which OpenID Provider authenticated the user. Perhaps in the future you'll find out that one provider is not so very trustworthy, and then I think it's good to know if someuser.example.com was authenticated by that provider.
OP本地标识符:我认为,即使她更改了用户提供的标识符,我也可以跟踪该用户. (例如,如果她的用户提供的标识符是example.com/username,但她将其更改为someelse.com/username,则我认为OP-Local标识符将保持不变(假设用户继续使用相同的OpenID Provider) .
The OP-Local Identifier: I think it allows me to keep track of the user, even if she changes her User-Supplied Identifier. (For example, if her User-Supplied Identifier is example.com/username, but she changes it to somewhereelse.com/username, then I think the OP-Local Identifier will remain unchanged (assuming the user continues using the same OpenID Provider).
领域:我正在构建一个多租户Web应用程序,并且如果我存储该领域,则更容易知道两个看似不同的OpenID标识符是否可以代表同一个人. ( Google使用定向身份:您的声明ID因领域而异.因此,同一用户可以有许多不同的声明ID.)
The realm: I'm building a multitenant webapp, and if I store the realm, it'll be easier to know if two seemingly different OpenID identifiers might represent the same person. (Google uses directed identities: your Claimed ID varies by realm. So the same user can have many different Claimed IDs.)
版本:如果将来出现某些安全问题,并带有一些OpenID版本,那么最好知道哪些用户可能受到影响.
The version: In case some security issue appears in the future, with some OpenID version, then it might be good to know which users might be affected.
领域和端点,用于收集统计信息.
The realm and endpoint, for statistics gathering purposes.
(您能想到我应该存储的其他一些与OpenID相关的值吗?例如,我想标识提供程序.为此,存储端点就足够了?我不需要存储提供程序的名称吗?)
(Can you think of some other OpenID related value I ought to store? For example, I want to identify provider. To do this, it suffice to store the endpoint? I don't need to store the provider's name?)
推荐答案
- OpenID端点:可信赖?提供者如何值得信赖(或不值得信赖)?它没有断言它不拥有的任何数据,因此它不可能说谎.无论它的行为是否符合您的预期,这都是另一回事.此外,由于某种原因,提供者可能为每个用户具有不同的终结点(例如,
/server-username). - OP本地标识符:您不应该(因为规范这样说),但是是的,在极少数情况下,它会成功.但是,更改您的提供者比更改您的身份更为常见.而且,如果您真的想更改身份,更改提供程序(或注册其他帐户)并不难.一种可能会有所帮助的情况是,用户将丢失托管声明的身份的域名.但是,提供商很可能会停止提供其服务,并且您还需要为此做准备(例如,通过为单个用户提供存储多个ID的方式,例如SO).而且,如果您对此有所准备,则可以通过另一种机制来解决这一问题.
- 境界:我不知道这对您有什么帮助.从Google,您将获得两个完全独立的标识符,并且不可能将它们关联起来,除非您需要一个电子邮件地址(然后为什么还要该领域?).
- 版本:不太可能,并且版本可能会随新请求而更改(因为提供程序可能会更新).但是,如果您真的想知道哪些用户可能会受到影响,并希望他们通过阅读您网站上的内容获得任何收益,那么可以,它很有用.
- The OpenID endpoint: Trustworthy? How is a provider trustworthy (or not)? It isn't asserting anything about the data it doesn't own, so it can't possibly lie. Whether it behaves as you expect it to is another thing whatsoever. Besides, a provider could, for some reason, have different endpoints for each user (for example,
/server-username). - The OP-Local Identifier: You shouldn't (because the specification says so), but yes, in a very small number of cases, it would be successful. However, it is much more often to change your provider than to change your identity. And if you really want to change your identity, changing the provider (or registering a different account) isn't that hard. One case where it would help would be when the user would lose the domain name that hosts the claimed identity. However, it is much more likely for the provider to stop offering it's services, and you also need to prepare for that (for example, by offering to store multiple IDs for a single user, like SO). And if you're prepared for it, the single case where it would help is covered by another mechanism.
- The realm: I don't see how would that help you. From Google, you get two completely separate identifiers, with no possibility to correlate them, unless you require an email address (and why would you need the realm, then?).
- The version: Unlikely, and the version may change with the new request (because a provider might update). Nevertheless, if you really want to know which of your users might be affected, and somehow expect them to gain anything by reading about that on your website, then yes, it could be useful.
您已经说过要标识提供者.但是,如上所述,如果提供商采取措施避免这种情况,则不可能这样做.例如,您可以存储它的域名,但这并不完美,因为同一域下可能还有其他提供商(例如,几个人在共享主机上托管自己的提供商).
You've said that you want to identify the provider. However, as I've mentioned above, it's not possible to do so if the provider takes steps to avoid that. You could, for example, store it's domain name, but that's not perfect, since there might be other providers under the same domain (for example, several people hosting their own providers on a shared hosting).
总而言之,出于上述原因,我认为存储这些内容不是一个好主意.
In summary, my opinion is that storing these is a bad idea, for reasons stated above.
这篇关于是否存储OpenID端点,OP本地标识符和领域?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
